LDAP-UX Client Services B.05.00 Administrator's Guide
unnecessary. However, applications exist that may perform these operations frequently, either
on purpose or because they are malfunctioning. For example, if a file is created with a group ID
that does not exist, then every time a user displays information about this file using the ls command,
a request to the directory server is generated.
The ldapclientd daemon currently supports caching of passwd, group, netgroup, and automount
map information. ldapclientd also maintains a cache that maps user accounts to LDAP DNs.
This mapping allows LDAP-UX to support groupOfNames and groupOfUniqueNames for
defining membership of an HP-UX group.
Although there are many benefits to caching, administrators must be aware of the side-effects
of its use. Table 5-4 shows some examples to consider:
Table 5-4 Benefits and side-effects for caching

| Map Name | Benefits | Example Side-Effect |
|---|---|---|
| passwd | Reduces greatly the number of requests sent to a directory server during a login or other operation such as displaying files owned by that user. | Removing this information from the directory may not be visible to the operating system until after the cache has expired. In certain cases, this may allow a user to log in to an HP-UX host, even after his account has been removed from the LDAP directory server. (In general this is not a problem when PAM_LDAP is used for authentication, since authentication requests are not cached.) |
| group | Frequent file system access may request information about groups that own particular files. Caching greatly reduces this impact. | Removing a member of a group may not be visible to the file system, until after the cache expires. During this window, a user may be able to access files or other resources based on his/her group membership, which had been revoked. |
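
The trade-off in the group row can be modelled with a small simulation. This is an added example, not code from LDAP-UX or ldapclientd. The `Directory` and `GroupCache` classes, the 300-second TTL, the gid values and the user names are constructed for illustration, and caching of "not found" answers is an assumption of the model.

```python
class Directory:
    """Constructed stand-in for the LDAP directory server; counts requests."""
    def __init__(self, groups):
        self.groups = groups            # gid -> set of member names
        self.requests = 0

    def lookup_group(self, gid):
        self.requests += 1
        return self.groups.get(gid)     # None when the gid does not exist


class GroupCache:
    """Hypothetical TTL cache in front of Directory (not ldapclientd's code).
    Assumption: 'not found' answers are cached for the same TTL."""
    def __init__(self, directory, ttl):
        self.directory, self.ttl = directory, ttl
        self.entries = {}               # gid -> (expires_at, members or None)

    def members(self, gid, now):
        hit = self.entries.get(gid)
        if hit is not None and now < hit[0]:
            return hit[1]               # served from cache, possibly stale
        found = self.directory.lookup_group(gid)
        value = None if found is None else frozenset(found)
        self.entries[gid] = (now + self.ttl, value)
        return value


def simulate(ttl=300, cached_at=60, revoked_at=100):
    """Return (directory requests for 50 lookups of a missing gid,
    seconds a revoked member stays visible through the cache)."""
    directory = Directory({100: {"alice", "bob"}})
    cache = GroupCache(directory, ttl)

    # Benefit: 50 ls-style lookups of a file whose gid 999 does not exist.
    for t in range(50):
        cache.members(999, now=t)
    missing_gid_requests = directory.requests

    # Side-effect: bob is cached as a member, then removed in the directory.
    cache.members(100, now=cached_at)
    directory.groups[100].discard("bob")
    t = revoked_at
    while "bob" in cache.members(100, now=t):
        t += 1                          # cache still reports the old membership
    return missing_gid_requests, t - revoked_at


if __name__ == "__main__":
    print(simulate())                   # constructed TTL of 300 seconds
```

In this model the revoked membership stays visible until the cached entry expires, so the window is at most the full TTL, reached when the revocation happens just after the entry was cached.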
186 Administering LDAP-UX Client Services