The Security Equivalence Vector (SEV) is calculated for each NSS user based on information in the user’s profile in Novell eDirectory. It is a list of eDirectory GUIDs, for example:
the user’s own GUIDs
GUIDs of groups that include the user
GUIDs of parent containers for the user and his or her groups
security equivalent GUIDs
The SEV is used to validate the user against the trustee rights of the directory and file the user is attempting to access.
After you boot the Linux server, when a user first attempts to connect to the NSS file system, NSS contacts Novell eDirectory to retrieve the user’s Security Equivalence Vector (SEV). eDirectory calculates the user’s effective rights for the NSS volume, creates the SEV, and passes it to NSS. NSS compares the user’s SEV with file system trustees and trustee rights for the specified file or directory to determine if the user can access the resource.
NSS caches the SEV locally in server memory, where it remains until the server is rebooted or the user is deleted from eDirectory. NSS polls eDirectory at a specified interval for updates to the SEVs that are in cache.
In contrast, for NetWare, whenever a user connects to the NSS file system, NetWare retrieves the user’s SEV from eDirectory and maintains it as part of the connection structure for the user’s session. NSS retrieves the user’s SEV from the connection structure.
Command-line switches are available in the NSS Console utility (nsscon) to enable or disable the update, to set the update interval from 5 minutes to 90 days (specified in seconds), and to force an immediate update of security equivalence vectors. Polling too frequently can impact performance. Polling too infrequently can delay granting or restricting access to certain users, because NSS keeps using the cached SEV until the next poll.
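The following Python model is an added illustration, not Novell's code or the actual NSS algorithm: it builds an SEV from the four kinds of GUIDs listed above, checks it against a directory's trustee assignments, and shows the stale window a cached SEV creates when a user is removed from a group before the next poll. The directory tree, GUID names and trustee assignment are constructed, and inherited rights and filters are not modeled.

```python
import copy

# Constructed stand-in for eDirectory objects (not real GUIDs or a real tree).
DIRECTORY = {
    "users": {"u-alice": {"groups": {"g-finance"}, "container": "ou-acct", "equiv": set()}},
    "groups": {"g-finance": {"container": "ou-fin"}},
    "containers": {"ou-acct": "o-acme", "ou-fin": "o-acme", "o-acme": None},
}

def build_sev(directory, user_guid):
    """Model the SEV as described: the user's own GUID, group GUIDs, parent
    containers of the user and of each group, and security-equivalent GUIDs."""
    user = directory["users"][user_guid]
    sev = {user_guid} | user["groups"] | user["equiv"]
    starts = [user["container"]]
    starts += [directory["groups"][g]["container"] for g in user["groups"]]
    for container in starts:
        while container is not None:          # walk parent containers up to the root
            sev.add(container)
            container = directory["containers"][container]
    return frozenset(sev)

def effective_rights(sev, trustees):
    """Union of the rights of every trustee GUID (of the file or directory) found in the SEV."""
    return set().union(*(rights for guid, rights in trustees.items() if guid in sev))

class SevCache:
    """NSS-side cache: a user's SEV is reused until the poll interval has elapsed."""
    def __init__(self, directory, interval_s):
        self.directory, self.interval, self.entries = directory, interval_s, {}

    def sev_for(self, user_guid, now_s):
        cached = self.entries.get(user_guid)
        if cached is None or now_s - cached[1] >= self.interval:
            cached = (build_sev(self.directory, user_guid), now_s)   # refresh from "eDirectory"
            self.entries[user_guid] = cached
        return cached[0]

def simulate_group_removal(interval_s, removal_at_s, checks_at_s):
    """Remove u-alice from g-finance at removal_at_s and return the rights NSS
    would grant at each check time; the middle checks expose the stale-cache window."""
    directory = copy.deepcopy(DIRECTORY)
    trustees = {"g-finance": {"R", "F"}}      # constructed trustee assignment on a directory
    cache = SevCache(directory, interval_s)
    results = []
    for t in checks_at_s:
        if t >= removal_at_s:
            directory["users"]["u-alice"]["groups"].discard("g-finance")
        results.append(effective_rights(cache.sev_for("u-alice", t), trustees))
    return results

if __name__ == "__main__":
    print(simulate_group_removal(300, 60, [0, 100, 300]))
```

With a 300-second interval, the user removed from the group at t=60 still receives the group's rights at t=100 and loses them only when the cache refreshes at t=300.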