LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

load and network usage. For example, when a user logs into the system, the OS typically needs
to enquire about his/her account several times in the login process. This occurs as the OS identifies
the user, gathers account information and authenticates the user. And further requests often occur
as the account starts up new applications once a session is established. With caching, generally
only one or two LDAP operations are required.
Caching is also critical to support certain types of applications that make frequent demands on
the name service system, either because they are malfunctioning or need this specific type of
information frequently.
ldapclientd also supports what is known as a negative cache. This type of cache is used to store
meta-data about non-existent information. For example, if an application requests information about
an account that does not exist, the directory server will not return an entry, and that negative result
will be stored in a cache. Intuitively this type of cache would seem to be unnecessary. However,
applications exist that may perform these operations frequently, either on purpose or because they
are malfunctioning. For example, if a file is created with a group ID that does not exist, every time
a user displays information about this file using the ls command, a request to the directory server
will be generated.
The ldapclientd daemon currently supports caching of passwd, group, netgroup and automount
map information. ldapclientd also maintains a cache which maps users' accounts to LDAP DNs.
This mapping allows LDAP-UX to support groupOfNames and groupOfUniqueNames for defining
membership of an HP-UX group.
Although there are many benefits to caching, administrators must be aware of the side-effects of
their use. Here are some examples to consider:
Table 11 ldapclientd caching

Map Name: passwd
Benefits: Greatly reduces the number of requests sent to a directory server during a login or other operation such as displaying files owned by that user.
Example Side-Effect: Removing this information from the directory may not be visible to the operating system until after the cache has expired. In certain cases, this may allow a user to log in to an HP-UX host even after his account has been removed from the directory server. (In general this is not a problem when PAM_KERBEROS is used for authentication, since authentication requests are not cached.)

Map Name: group
Benefits: Frequent file system access may request information about groups that own particular files. Caching greatly reduces this impact.
Example Side-Effect: Removing a member of a group may not be visible to the file system until after the cache expires. During this window, a user may be able to access files or other resources based on his/her group membership, which had been revoked.
It is possible to alter the caching lifetime values for each service listed above, in the
/etc/opt/ldapux/ldapclientd.conf file. See below for additional information. It is also possible to
enable or disable a cache using the -E or -D (respectively) options. These options may be useful in
determining the effectiveness of caching or helpful in debugging.
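The following is an added illustration, not part of the original guide or of LDAP-UX itself: a small model of the positive and negative caching behaviour described above, with a fake clock so the stale window after a directory removal can be observed deterministically. The cache lifetime, map names and directory contents are constructed sample values, not ldapclientd's actual configuration keys.

```python
class FakeClock:
    """Deterministic clock standing in for wall time (constructed for the example)."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class NameServiceCache:
    """Model of an ldapclientd-style cache: positive hits and negative (absent) results share one TTL."""
    def __init__(self, directory, ttl, now):
        self.directory = directory      # dict simulating the LDAP server: (map, key) -> entry
        self.ttl = ttl                  # cache lifetime in seconds (hypothetical value)
        self.now = now
        self.cache = {}                 # (map, key) -> (expires_at, entry or None); None is a negative entry
        self.directory_requests = 0     # how many LDAP operations the server actually saw

    def lookup(self, map_name, key):
        k = (map_name, key)
        hit = self.cache.get(k)
        if hit is not None and hit[0] > self.now():
            return hit[1]               # served from cache, positive or negative, no LDAP traffic
        self.directory_requests += 1
        entry = self.directory.get(k)   # None means the directory has no such entry
        self.cache[k] = (self.now() + self.ttl, entry)
        return entry


def caching_scenario():
    """Replays the guide's scenarios: login lookups, ls on a file with an unknown GID, account removal."""
    clock = FakeClock()
    directory = {("passwd", "alice"): {"uid": 1001, "gid": 100},
                 ("group", "100"): {"name": "users", "members": ["alice"]}}
    cache = NameServiceCache(directory, ttl=600, now=clock)
    for _ in range(5):                  # identify, gather account info, authenticate, start apps...
        cache.lookup("passwd", "alice")
    requests_after_login = cache.directory_requests     # one LDAP operation instead of five
    for _ in range(50):                 # repeated ls on a file owned by a GID that does not exist
        cache.lookup("group", "4242")
    requests_after_ls = cache.directory_requests        # negative cache absorbs the repeats
    del directory[("passwd", "alice")]  # administrator removes the account from the directory
    still_visible = cache.lookup("passwd", "alice") is not None   # stale window: still resolvable
    clock.advance(cache.ttl + 1)
    gone_after_expiry = cache.lookup("passwd", "alice") is None
    return requests_after_login, requests_after_ls, still_visible, gone_after_expiry
```

Shortening the lifetime in the cache configuration narrows the stale window at the cost of more directory requests, which is the trade-off Table 11 describes.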
6.18.2 ldapclientd persistent connections
Since HP-UX can generate many requests to an LDAP server, the overhead of establishing a
single connection for every request can create excessive network traffic and slow response time
for name service requests. Depending on network latency, the connection establishment and