Environment
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 2
SUSE Linux Enterprise Desktop 10 Service Pack 3
SUSE Linux Enterprise Desktop 11
Linux User Management
Situation
Purpose:
LUM has been configured on OES2 SP2 servers and/or SLED workstations and the following parameters are set in the configuration file "/etc/nam.conf":
enable-persistent-cache=yes
persistent-cache-refresh-period=600
persistent-cache-refresh-flag=all
support-outside-base-context=yes
cache-only=no
persistent-search=yes
With this configuration the intent is to use the persistent cache on the local server or workstation and to refresh it every 600 seconds (10 minutes), so that any LUM-related modifications made in eDirectory are reflected locally.
Symptoms:
When a LUM-enabled user is removed from a group that provides access to a given Linux server or workstation, the persistent cache is not refreshed according to the value set for persistent-cache-refresh-period in /etc/nam.conf; the removed user can still log in, or use any LUM-enabled service, until "namconfig cache_refresh" is triggered manually.
Changes:
The LUM RPM currently in use is "novell-lum-2.2.0.17-0.18" or older.
Resolution
This is fixed in OES2 Support Pack 3.
If you wish to request a fix at the OES2 SP2 code level, please open a Service Request with Novell Technical Services and reference this TID.
Workarounds:
The only workaround currently available is to disable the persistent cache by setting the following parameter:
enable-persistent-cache=no
This works around the issue described in this TID; however, be aware that without the persistent cache the network traffic generated will increase considerably, since every request related to a LUM-enabled service will require a new LDAP query.
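As an added example (not part of this TID and not a Novell tool), the following POSIX shell audit reads a nam.conf, checks whether the persistent cache is enabled, and compares a novell-lum version-release string against the affected build, so an administrator can spot hosts where a group removal will not take effect until the cache is refreshed. The functions nam_get, ver_le and lum_cache_risk and the sample configuration are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the TID or Novell: audit a nam.conf for the
# configuration described above and flag it when the installed novell-lum
# RPM is at or below the affected build novell-lum-2.2.0.17-0.18.
AFFECTED_MAX="2.2.0.17-0.18"   # version-release quoted in the TID

# Read the last value set for a key in a nam.conf-style key=value file.
nam_get() {
    # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 when version-release $1 <= $2, comparing numeric fields split
# on '.' or '-' (so 2.2.0.17-0.18 < 2.2.0.17-0.19 < 2.2.0.18-0.1).
ver_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Return 0 (at risk) when the persistent cache is enabled and the RPM is at
# or below the affected build; 1 otherwise.
lum_cache_risk() {
    # $1 = path to nam.conf, $2 = novell-lum version-release string
    # (on a real host: rpm -q --qf '%{VERSION}-%{RELEASE}' novell-lum)
    [ "$(nam_get "$1" enable-persistent-cache)" = "yes" ] || return 1
    ver_le "$2" "$AFFECTED_MAX"
}

# Constructed sample nam.conf carrying the settings quoted in the TID.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real server's file
enable-persistent-cache=yes
persistent-cache-refresh-period=600
persistent-cache-refresh-flag=all
support-outside-base-context=yes
cache-only=no
persistent-search=yes
EOF
if lum_cache_risk "$SAMPLE_CONF" "2.2.0.17-0.18"; then
    echo "At risk: group removals stay cached until 'namconfig cache_refresh' runs."
    echo "Workaround per TID: set enable-persistent-cache=no, or update to OES2 SP3."
fi
```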
Additional Information
The symptoms described in this document can also have a root cause different from the one described here; please see the following document:
KB 3167249 - Why can I still authenticate via LUM user even after user is removed from LUM group