A.33 Security Equivalence Vector Update Commands

Use the Security Equivalence Vector (SEV) Update commands in the NSS Console utility (nsscon) to enable or disable the update, to set the update interval from 5 minutes to 90 days (specified in seconds), and to force an immediate update of security equivalence vectors. Polling too frequently can impact performance. Polling too infrequently can cause delays in granting or restricting access to certain users. For more information about SEV, see Section 21.2, Configuring the Security Equivalence Vector Update Frequency.

nss /(No)SecurityEquivalenceUpdating

Enables or disables background SEV updates, which occur in addition to the updates performed when the system reboots. If background updating is disabled, SEV updates occur only at system reboots.

To make the setting persistent, include the command in the /etc/opt/novell/nss/nssstart.cfg file.

Default: On (enabled)

Examples

To enable background updating, enter

nss /SecurityEquivalenceUpdating

To disable background updating, enter

nss /NoSecurityEquivalenceUpdating

nss /(No)eDirSecurityEquivalenceUpdating

Enables or disables background SEV updates for eDirectory users. If background updating is disabled, SEV updates occur only at system reboots.

To make the setting persistent, include the command in the /etc/opt/novell/nss/nssstart.cfg file.

Default: On (enabled)

Examples

To enable eDirectory user background updating, enter

nss /eDirSecurityEquivalenceUpdating

To disable eDirectory user background updating, enter

nss /NoeDirSecurityEquivalenceUpdating

nss /(No)ADSecurityEquivalenceUpdating

Enables or disables background SEV updates for AD users. If background updating is disabled, SEV updates occur only at system reboots.

To make the setting persistent, include the command in the /etc/opt/novell/nss/nssstart.cfg file.

Default: On (enabled)

Examples

To enable AD user background updating, enter

nss /ADSecurityEquivalenceUpdating

To disable AD user background updating, enter

nss /NoADSecurityEquivalenceUpdating

nss /(No)OptimizeSEVRefresh

Enables SEV refresh only for those connections that are used within the default update interval. To get the default update interval, see the UpdateEdirSecurityEquivalenceInterval, UpdateADSecurityEquivalenceInterval, and UpdateSecurityEquivalenceInterval parameters.

To make the setting persistent, include the command in the /etc/opt/novell/nss/nssstart.cfg file.

Default: Off (disabled)

Examples

To enable optimized SEV refresh, enter

nss /OptimizeSEVRefresh

To disable optimized SEV refresh, enter

nss /NoOptimizeSEVRefresh

nss /UpdateSecurityEquivalenceInterval=value

Sets the SEV update interval to the specified value in seconds. At the end of the elapsed time, NSS requires updated SEVs from eDirectory and AD.

To make the setting persistent, include the command in the /etc/opt/novell/nss/nssstart.cfg file.

Default: 7237 (2 hours 37 seconds)

Range: 300 (5 minutes) to 7776000 (90 days).

nss /UpdateEdirSecurityEquivalenceInterval=value

Sets the eDirectory SEV update interval to the specified value in seconds.

Default: 600 (10 minutes)

Range: 300 (5 minutes) to 7776000 (90 days).

nss /UpdateADSecurityEquivalenceInterval=value

Sets the AD SEV update interval to the specified value in seconds.

Default: 1800 (30 minutes)

Range: 300 (5 minutes) to 7776000 (90 days).

nss /ForceSecurityEquivalenceUpdate

Forces the SEV update to occur immediately for all users in the NSS file system. Use this command if you modify a user’s access control settings in eDirectory and AD, and want those changes to be reflected immediately in the user’s active SEV for this server.

This command is invalid if used in the /etc/opt/novell/nss/nssstart.cfg file.

A unique abbreviation such as

nss /ForceS 

also works.

/UserType

Specifies the user type for ListConnections. The valid values are AD and Edir. This parameter is used only with the ForceSecurityEquivalenceUpdate parameter.

/UserFDN

Specifies the user FDN for a forced SEV update. This parameter is used only with the ForceSecurityEquivalenceUpdate, ForceEdirSecurityEquivalenceUpdate, and ForceADSecurityEquivalenceUpdate parameters.

ForceSecurityEquivalenceUpdate

Forces the user security equivalence background updating to start immediately. Use this command if you modify a user’s access control settings in eDirectory and AD, and want those changes to be reflected immediately in the user’s active SEV for this server. To update the SEV for only eDirectory users or only AD users, use the /UserType switch. To update the SEV for a single eDirectory or AD user, use the /UserFDN switch.

ForceEdirSecurityEquivalenceUpdate

Forces the user security equivalence update for eDirectory users. You can update a single eDirectory user using the /UserFDN switch.

ForceADSecurityEquivalenceUpdate

Forces the user security equivalence update for AD users. You can update a single AD user using the /UserFDN switch.
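
The following audit script is an added example, not part of the product documentation. It checks an nssstart.cfg-style file for SEV switches that leave access changes unapplied until reboot, intervals outside the documented 300 to 7776000 second range, and the force-update command that is invalid in that file. It assumes one switch per line, optionally prefixed with "nss" and matched case-insensitively; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SEV switches in an nssstart.cfg-style file.
# Assumption: one switch per line, optional "nss " prefix, case-insensitive.
SEV_MIN=300        # 5 minutes, documented lower bound
SEV_MAX=7776000    # 90 days, documented upper bound

audit_sev_cfg() {
    # $1 = config file path. Prints one finding per line; returns 1 if any.
    awk -v min="$SEV_MIN" -v max="$SEV_MAX" '
    {
        line = tolower($0)
        sub(/^[ \t]*(nss[ \t]+)?/, "", line)   # drop optional prefix
        sub(/[ \t\r]+$/, "", line)             # drop trailing blanks
    }
    line ~ /^\/no(edir|ad)?securityequivalenceupdating$/ {
        print "WARN line " NR ": background SEV updating disabled; changes apply only at reboot"
        bad = 1; next
    }
    line ~ /^\/update(edir|ad)?securityequivalenceinterval=/ {
        val = line; sub(/^[^=]*=/, "", val)
        if (val !~ /^[0-9]+$/ || val + 0 < min || val + 0 > max) {
            print "ERROR line " NR ": interval \"" val "\" outside " min "-" max " seconds"
            bad = 1
        }
        next
    }
    line ~ /^\/forcesecurityequivalenceupdate/ {
        print "ERROR line " NR ": ForceSecurityEquivalenceUpdate is invalid in nssstart.cfg"
        bad = 1; next
    }
    END { exit bad + 0 }
    ' "$1"
}

sev_demo() {
    # Constructed sample input, not taken from a real server.
    tmp=$(mktemp)
    printf '%s\n' \
        '/NoADSecurityEquivalenceUpdating' \
        '/UpdateEdirSecurityEquivalenceInterval=600' \
        'nss /UpdateADSecurityEquivalenceInterval=60' \
        '/ForceSecurityEquivalenceUpdate' \
        '/OptimizeSEVRefresh' > "$tmp"
    audit_sev_cfg "$tmp"; rc=$?
    rm -f "$tmp"; return $rc
}

sev_demo || true
```

To audit a real server, call audit_sev_cfg with the path to /etc/opt/novell/nss/nssstart.cfg; a nonzero return status means at least one finding was printed.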