ACLCheck and Group Membership

By Scott Jones

Posted: 12 Apr 2002

Version: BorderManager 3.6

ACLCheck walks the tree to do group membership checks. By default ACLCheck reads groups used in access rules once every hour. If a change is found, it will then re-read the rule. The /B switch allows you to change how often ACLCheck will test for changes in group membership. You may only want ACLCheck to do this every few hours to reduce the number of times per day that the rules are re-read. When using this switch, suffix it with the number of hours ACLCheck will wait before testing for group membership changes. E.g., "/B0" will disable ACLCheck's regular testing for group membership changes, and "/B2" will cause it to test group membership once every 2 hours.

Strongly recommended: The /G switch enables smart group change detection. It requires DS.NLM 7.44 or later on all servers that hold replicas of the users' partitions. By default, when checking for changes to group membership, ACLCheck completely reads all the group memberships from every group that is referenced in each access rule. Then, if a group's membership has changed, it must re-read the rule, which causes ACLCheck to again walk the tree, find the group, read every member, then go to the next group. With DS.NLM 7.44 or later and the /G switch, ACLCheck just checks the timestamp on the group object to know whether it has changed, eliminating a huge amount of DS traffic.
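To make the traffic difference concrete, here is a small Python model of the two polling modes (an added example, not part of the original article and not BorderManager code). It assumes a constructed directory of three groups in which one group gains a member at hour 12, and counts how many group objects and member entries a check touches at different /B intervals with and without /G.

```python
# Model of ACLCheck's /B (check interval in hours, 0 = off) and /G (timestamp
# check instead of a full member walk). Constructed; counts are model output.
from dataclasses import dataclass

@dataclass
class Group:
    name: str
    members: frozenset
    modified: int          # modification timestamp on the group object

@dataclass
class DsTraffic:
    group_reads: int = 0   # group objects (or their timestamps) read
    member_reads: int = 0  # member entries walked in the tree
    rule_rereads: int = 0  # rules re-read because a group's membership changed

def check_groups(groups, cache, smart, traffic):
    """One periodic membership check over the groups referenced by rules."""
    for g in groups:
        traffic.group_reads += 1                    # locate the group object
        prev = cache[g.name]
        if smart and prev.modified == g.modified:
            continue   # /G: timestamp unchanged, so skip the member walk
        traffic.member_reads += len(g.members)      # default: walk every member
        if prev.members != g.members:
            traffic.rule_rereads += 1
            traffic.member_reads += len(g.members)  # re-reading the rule walks the group again
        cache[g.name] = g

def simulate(groups, hours, interval, smart, changes=None):
    """Poll for `hours` hours at /B<interval>; `changes` maps an hour to a
    replacement Group that is visible in DS from that hour on."""
    traffic, cache = DsTraffic(), {}
    for g in groups:   # the initial rule load reads every group once
        traffic.group_reads += 1
        traffic.member_reads += len(g.members)
        cache[g.name] = g
    if interval == 0:  # /B0: no further membership checks at all
        return traffic
    live = dict(cache)
    for hour in range(interval, hours + 1, interval):
        live.update({g.name: g for h, g in (changes or {}).items() if h <= hour})
        check_groups(list(live.values()), cache, smart, traffic)
    return traffic

def sample_scenario():
    """Constructed directory: three groups; "staff" gains a member at hour 12."""
    groups = [Group("staff", frozenset(range(100)), 1),
              Group("proxy-users", frozenset(range(50)), 1),
              Group("admins", frozenset(range(10)), 1)]
    return groups, {12: Group("staff", frozenset(range(101)), 2)}
```

Calling `simulate(*sample_scenario()[:1], 24, 1, False, sample_scenario()[1])` and the same with `smart=True` shows the default mode walking thousands of member entries over a day while /G walks members only when the timestamp moves; /B0 never notices the change at all.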

Another good ACLCheck load switch is /s, which suppresses those annoying "DNS lookup failure" console messages.

With this ability to take complete control of when and how group membership lookups are done, BorderManager no longer needs to be a significant factor in determining group object placement in the tree. Follow the standard procedure of keeping groups as close as possible (both logically in the tree and physically by means of replica placement) to the users in the groups and to the administrators who will maintain them.

