LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D "cn=Directory Manager" \
    -w <passwd> -f nisp_automap.ldif
2.5.4 Enabling offline long-term credential caching for authentication when the directory server is unavailable
Supported for HP directory server environments only.
If contact with the directory server is lost because of a network problem or a server crash, LDAP users
cannot log in to the system. This can have a serious impact on the OS and its applications, especially
mission-critical ones. To let the OS continue to function properly while the connection to the
directory server is lost, LDAP-UX Client Services 5.0 (or later) provides an offline credential cache
that allows LDAP-UX to continue authenticating users even when contact with all directory servers is
lost. You enable this feature by configuring several parameters in the LDAP-UX client daemon
configuration file, /etc/opt/ldapux/ldapclientd.conf.
NOTE: For information about patches that must be installed to support offline credential caching,
see the LDAP-UX Integration Release Notes.
2.5.4.1 How the offline cache works
To support this feature, you can configure LDAP-UX to maintain a secondary (offline) long-term
cache that stores previously discovered user account and group information, including user
passwords stored as salted SHA-512 hashes rather than in clear text. If the directory server becomes
unavailable, LDAP-UX falls back to this cache for the information needed to authenticate users.
When the directory server becomes available again, LDAP-UX resumes using the directory server
for authentication information.
While LDAP-UX is in contact with the directory server and long-term credential caching is enabled,
LDAP-UX captures the user's account and password information during a login attempt and, only if
the login succeeds, stores that information in the offline cache. LDAP-UX updates the cache with new
or changed account information as it becomes available during later authentication attempts. It also
updates cached passwords that users successfully change on the local host.
When the directory server is unreachable, LDAP-UX does not allow users to change their passwords
(because the password cannot be updated in the directory server).
The offline cache maintains information only for users who have recently logged in to the system
while the directory server was available.
The offline credential cache persists across reboots. However, cached data has a configurable
expiration period (two weeks by default) so that stale user accounts are removed. Because entries
expire after that period, a user who has not logged in within the expiration period defined by the
LDAP-UX administrator cannot authenticate while the directory server is down: that user's cached
credential either never existed or was removed when it expired.
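The following is an added example, not LDAP-UX code and not a parser for /etc/opt/ldapux/ldapclientd.conf (this section names no parameters, so none are assumed here). It models the behaviour described above so the security properties are visible in one place: the cache is populated only by a successful online login, passwords are held as salted SHA-512 digests, offline logins are answered from the cache with a constant-time comparison, password changes are refused while the directory is unreachable, and entries past the expiration period (two weeks by default) are removed and rejected. The FakeDirectory class, the injectable clock and all function names are assumptions introduced for the example.

```python
"""Model of the LDAP-UX offline credential cache (added example, not LDAP-UX code)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

DEFAULT_TTL_SECONDS = 14 * 24 * 3600  # two-week default expiration described in the text


@dataclass
class CachedCredential:
    salt: bytes        # random per-entry salt
    digest: bytes      # SHA-512(salt || password)
    cached_at: float   # time of the last successful online login or password change


def salted_sha512(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, SHA-512(salt || password)); a fresh 16-byte salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.sha512(salt + password.encode("utf-8")).digest()


class FakeDirectory:
    """Stand-in for the directory server (an assumption for the example, not an LDAP client)."""

    def __init__(self, passwords: Dict[str, str]):
        self.passwords = dict(passwords)
        self.available = True  # set False to simulate a network outage or server crash

    def bind(self, user: str, password: str) -> bool:
        return self.available and self.passwords.get(user) == password

    def change_password(self, user: str, old: str, new: str) -> bool:
        if not self.bind(user, old):
            return False
        self.passwords[user] = new
        return True


class OfflineCredentialCache:
    def __init__(self, directory: FakeDirectory, ttl: float = DEFAULT_TTL_SECONDS,
                 clock: Callable[[], float] = time.time):
        self.directory = directory
        self.ttl = ttl
        self.clock = clock  # injectable so expiration can be exercised without waiting
        self.entries: Dict[str, CachedCredential] = {}

    def _store(self, user: str, password: str) -> None:
        salt, digest = salted_sha512(password)
        self.entries[user] = CachedCredential(salt, digest, self.clock())

    def authenticate(self, user: str, password: str) -> bool:
        if self.directory.available:
            ok = self.directory.bind(user, password)
            if ok:  # only a successful online login populates or refreshes the cache
                self._store(user, password)
            return ok
        return self._authenticate_offline(user, password)

    def _authenticate_offline(self, user: str, password: str) -> bool:
        entry = self.entries.get(user)
        if entry is None:  # user never logged in while the server was reachable
            return False
        if self.clock() - entry.cached_at > self.ttl:
            del self.entries[user]  # stale entry: remove it and refuse the login
            return False
        _, digest = salted_sha512(password, entry.salt)
        return hmac.compare_digest(digest, entry.digest)  # constant-time comparison

    def change_password(self, user: str, old: str, new: str) -> bool:
        if not self.directory.available:
            # The directory copy cannot be updated, so the change is refused outright.
            raise RuntimeError("directory server unreachable: password change refused")
        if not self.directory.change_password(user, old, new):
            return False
        self._store(user, new)  # keep the cached hash in step with the directory
        return True
```

Because the real cache persists on local disk across reboots and contains password hashes, it carries the same threat model as /etc/shadow: an attacker who can read it can run an offline guessing attack against the salted SHA-512 digests, so the cache file's permissions and the host's backups deserve the same care as the local password database.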
LDAP-UX allows you to enable long-term enumeration, in which case LDAP-UX periodically retrieves
and updates all user and group entries in the local on-disk storage for later reference when the
directory server is not reachable. You can specify how frequently LDAP-UX should refresh the
enumeration data in the cache.
NOTE: Enumeration requests against large directories can reduce network and server
performance. Use this feature only if it is appropriate for your environment.
LDAP-UX also allows you to specify:
How frequently long-term data should be saved to the offline cache
2.5 Postinstallation configuration tasks 101