Caching LDAP Queries Reduces LDAP Server overhead but delays the detection of changes in AD and eDir groups

  • 7003298
  • 18-May-2009
  • 27-Apr-2012

Environment

Novell ZENworks 10 Configuration Management ZENworks Control Center - ZCC

Situation

Changes made to eDir and AD user groups may not be detected immediately in ZCM.
LDAP Servers may see high utilization due to LDAP queries generated by the ZCM servers.
 

Resolution

ZCM allows LDAP caching to be configured to balance the need to detect changes in the LDAP sources quickly against the need to minimize the load placed on the LDAP servers.
The optimal settings for a particular organization vary depending on the LDAP tree size and design, the capacity of the LDAP servers, the frequency of user logons, and many other factors.
The details below explain how to adjust the cache timeout to a value between 10 minutes and 4 hours that best suits a particular organization.

Additional Information

ZCM 10.2.x cached LDAP responses for 600 seconds (10 minutes) by default.
ZCM 10.3.0 caches LDAP responses for 14400 seconds (4 hours) by default.
ZCM 10.3.1 is expected to revert the time back to 600 seconds by default.
Changes to the LDAP User Source, such as new groups or changes in group membership, may not be detected until the cache period has expired.
This applies to both eDirectory and Active Directory user sources.
 
The LDAP cache timeout is adjusted by editing the following file and restarting the ZCM services:
/etc/opt/novell/zenworks/datamodel/caching/default/caching-authsources.xml (Linux)
%ZENWORKS_HOME%\conf\datamodel\caching\default\caching-authsources.xml (Windows)
(Note: A second unrelated file named caching-authsources.xml will exist on the server. Be sure to edit the correct file.)
 
Prior to editing the file, please make a backup copy in the event the file gets corrupted.
 
NOTE:  Move the backup copy to a folder outside the ZENworks file system.
 
When editing the file, edit only the LDAP related records listed below.
(Warning: "LDAP-foundcontext" is deliberately excluded from the list below and must not be edited.)
Do not edit any other records.
Edit only the timeToIdleSeconds and timeToLiveSeconds fields.
Do not edit any other fields.
Editing other fields or records is neither tested nor supported and may cause serious memory issues on the server.
 
The values for timeToIdleSeconds and timeToLiveSeconds should be the same within each record and across all records.
Values below 600 seconds are neither tested nor supported and are not recommended.
Values above 14400 seconds are neither tested nor supported and are not recommended.
A value of zero means the cached entries never expire (an infinite cache), so group changes would never be detected; it must not be used under any circumstances.
 
Below are the valid records in which the timeToIdleSeconds and timeToLiveSeconds fields can be modified:
(Note: As shown, the timeouts match the values used in ZCM 10.2.2 and the expected default values for ZCM 10.3.1.)
 
<cache name="LDAP-uid-searchresults"
       maxElementsInMemory="10000"
       timeToIdleSeconds="600"
       timeToLiveSeconds="600"/>
<cache name="LDAP-root-uids"
       maxElementsInMemory="1000"
       timeToIdleSeconds="600"
       timeToLiveSeconds="600"/>
<cache name="LDAP-dn-uids"
       maxElementsInMemory="10000"
       timeToIdleSeconds="600"
       timeToLiveSeconds="600"/>
<cache name="LDAP-grouptoken-search"
       maxElementsInMemory="10000"
       timeToIdleSeconds="600"
       timeToLiveSeconds="600"/>
<cache name="LDAP-sid-to-guid"
       maxElementsInMemory="10000"
       timeToIdleSeconds="600"
       timeToLiveSeconds="600"/>
<cache name="LDAP-user-home-directory"
       maxElementsInMemory="1000"
       timeToIdleSeconds="600"
       timeToLiveSeconds="600"/>
<cache name="LDAP-allattrs-searchresults"
       maxElementsInMemory="5000"
       timeToIdleSeconds="600"
       timeToLiveSeconds="600"/>
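The following script is an added example and is not Novell tooling; it applies the procedure above mechanically so that the rules (only the seven records listed, never LDAP-foundcontext, only the two timeout fields, both set to the same value, value between 600 and 14400, never zero, backup taken outside the ZENworks tree first) cannot be violated by a slip while hand-editing the XML. The SAMPLE text is a constructed fragment in the shape of the records shown above, not a copy of the real file, which contains more records and whose other content is left byte-for-byte intact because the script rewrites attribute values in place rather than re-serializing the document. The "example-other-cache" record is a placeholder name used only to show that unlisted records are untouched.

```python
"""Set the ZCM LDAP cache timeouts in caching-authsources.xml without touching anything else.

Added example (not Novell's code). Edits only the cache records the TID lists;
LDAP-foundcontext and every other record stay exactly as they were.
"""
import re
import shutil
import sys
from pathlib import Path

# Records the TID permits editing. LDAP-foundcontext is deliberately absent.
EDITABLE_CACHES = frozenset({
    "LDAP-uid-searchresults", "LDAP-root-uids", "LDAP-dn-uids",
    "LDAP-grouptoken-search", "LDAP-sid-to-guid",
    "LDAP-user-home-directory", "LDAP-allattrs-searchresults",
})
MIN_SECONDS, MAX_SECONDS = 600, 14400   # supported range; 0 would mean "never expire"

# One self-closing <cache .../> record. Records with child content are not matched.
CACHE_RE = re.compile(r"<cache\b[^>]*?/>")
ATTR_RE = {a: re.compile(rf'\b{a}="([^"]*)"')
           for a in ("name", "timeToIdleSeconds", "timeToLiveSeconds")}

# Constructed sample in the shape of the records above; not the real file.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<ehcache>
  <cache name="LDAP-foundcontext"
         maxElementsInMemory="1000"
         timeToIdleSeconds="14400"
         timeToLiveSeconds="14400"/>
  <cache name="LDAP-uid-searchresults"
         maxElementsInMemory="10000"
         timeToIdleSeconds="14400"
         timeToLiveSeconds="14400"/>
  <cache name="LDAP-root-uids"
         maxElementsInMemory="1000"
         timeToIdleSeconds="14400"
         timeToLiveSeconds="14400"/>
  <cache name="LDAP-grouptoken-search" maxElementsInMemory="10000" timeToIdleSeconds="14400" timeToLiveSeconds="14400"/>
  <cache name="example-other-cache" maxElementsInMemory="100" timeToIdleSeconds="30" timeToLiveSeconds="30"/>
</ehcache>
"""


def _attr(elem, attr):
    m = ATTR_RE[attr].search(elem)
    return m.group(1) if m else None


def cache_timeouts(xml_text):
    """Map cache name -> (timeToIdleSeconds, timeToLiveSeconds) for every <cache/> record."""
    out = {}
    for m in CACHE_RE.finditer(xml_text):
        elem = m.group(0)
        name, idle, live = (_attr(elem, a) for a in ("name", "timeToIdleSeconds", "timeToLiveSeconds"))
        if name and idle and live:
            out[name] = (int(idle), int(live))
    return out


def set_ldap_cache_timeout(xml_text, seconds):
    """Return (updated text, list of records changed). Raises ValueError outside 600..14400."""
    if not MIN_SECONDS <= seconds <= MAX_SECONDS:
        raise ValueError(f"{seconds}s is outside the supported {MIN_SECONDS}-{MAX_SECONDS}s range")
    changed = []

    def rewrite(m):
        elem = m.group(0)
        if _attr(elem, "name") not in EDITABLE_CACHES:
            return elem                      # LDAP-foundcontext and all other records untouched
        for attr in ("timeToIdleSeconds", "timeToLiveSeconds"):
            elem = ATTR_RE[attr].sub(f'{attr}="{seconds}"', elem)   # both fields, same value
        changed.append(_attr(elem, "name"))
        return elem

    return CACHE_RE.sub(rewrite, xml_text), changed


def apply_to_file(path, seconds, backup_dir):
    """Copy the file to backup_dir (choose one outside the ZENworks tree), then rewrite it in place."""
    path, backup_dir = Path(path), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(path, backup_dir / (path.name + ".bak"))
    updated, changed = set_ldap_cache_timeout(path.read_text(encoding="utf-8"), seconds)
    path.write_text(updated, encoding="utf-8")
    return changed


if __name__ == "__main__":
    # Usage: python set_ldap_cache.py <path to caching-authsources.xml> <seconds> <backup dir>
    print("updated:", ", ".join(apply_to_file(sys.argv[1], int(sys.argv[2]), sys.argv[3])))
    print("now restart the ZCM services for the new timeout to take effect")
```

After running it against the real file, compare the backup and the edited copy with diff; the only differences should be the timeToIdleSeconds and timeToLiveSeconds values on the listed records. The ZCM services still have to be restarted by hand, as the TID states.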