LUM persistent-cache-refresh-period not working as expected

  • 7006026
  • 18-May-2010
  • 07-Jun-2013

Environment

Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 2
SUSE Linux Enterprise Desktop 10 Service Pack 3
SUSE Linux Enterprise Desktop 11
Linux User Management

Situation

Purpose:

LUM has been configured on OES2 SP2 servers and/or SLED workstations and the following parameters are set in the configuration file "/etc/nam.conf":

enable-persistent-cache=yes
persistent-cache-refresh-period=600
persistent-cache-refresh-flag=all
support-outside-base-context=yes
cache-only=no
persistent-search=yes

The purpose of this configuration is to use the persistent cache on the local server or workstation and to refresh it every 600 seconds (10 minutes), so that it reflects any LUM-related modifications made in eDirectory.

Symptoms:

When a LUM-enabled user is removed from a group that provides access to a given Linux server or workstation, the persistent cache is not refreshed according to the value set for the parameter in /etc/nam.conf. The removed user can still log in, or use any LUM-enabled service, until a "namconfig cache_refresh" is manually triggered.

Changes:

The LUM RPM currently in use is equal to or less than "novell-lum-2.2.0.17-0.18".




Resolution

This is fixed in OES2 Support Pack 3.

If you wish to request a fix for the OES2 SP2 code level, please open a Service Request with Novell Technical Services and reference this TID.

Workarounds:

Currently, the only possible workaround is to avoid using the persistent cache by setting the following parameter:

enable-persistent-cache=no

This will work around the issue described in this TID. However, please be aware that without the persistent cache the network traffic generated will increase considerably, because every request related to a LUM-enabled service requires a new LDAP query.
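To find hosts that still match the conditions in this TID (persistent cache enabled and a LUM RPM at or below novell-lum-2.2.0.17-0.18), a check along these lines can be run. It is an added example, not Novell code: the function names are hypothetical, the sample file and the newer version string are constructed, and the version comparison is a simplified numeric one rather than rpm's own algorithm.

```shell
#!/bin/sh
# Added example (not part of the TID): flag hosts matching this TID's conditions.
LAST_AFFECTED="2.2.0.17-0.18"   # highest affected version-release, taken from the TID

# Print the last value set for key $1 in the key=value file $2.
nam_get() {
    awk -F= -v k="$1" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2; gsub(/[ \t\r]/, "", val); found = val }
        END { print found }' "$2"
}

# Return 0 if version-release $1 <= $2. Simplified: fields split on "." and "-"
# are compared numerically; non-numeric fields count as 0.
ver_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Report whether config file $1 with installed LUM version-release $2 is affected.
lum_tid_check() {
    cache=$(nam_get enable-persistent-cache "$1")
    period=$(nam_get persistent-cache-refresh-period "$1")
    if [ "$cache" = "yes" ] && ver_le "$2" "$LAST_AFFECTED"; then
        echo "AFFECTED: cache on, refresh-period=${period:-unset} not honoured;" \
             "run 'namconfig cache_refresh' after group removals"
    else
        echo "NOT_AFFECTED"
    fi
}

# Constructed sample: nam.conf lines from this TID, checked against two versions.
SAMPLE=$(mktemp)
printf '%s\n' 'enable-persistent-cache=yes' 'persistent-cache-refresh-period=600' \
    'persistent-cache-refresh-flag=all' > "$SAMPLE"
lum_tid_check "$SAMPLE" "2.2.0.17-0.18"
lum_tid_check "$SAMPLE" "2.2.0.18-0.1"   # constructed newer version-release
rm -f "$SAMPLE"
# On a real host:
# lum_tid_check /etc/nam.conf "$(rpm -q --qf '%{VERSION}-%{RELEASE}' novell-lum)"
```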






Additional Information

The issue described in this document can also have a different root cause than the one described here. Please see the following document:

KB 3167249 - Why can I still authenticate via lum user even after user is removed from Lum Group