Forum Discussion
Does an AD Query cache results?
Hi guys,
I'm performing a simple AD Query as part of my access policy. For most users this seems to work as it should however we have a couple of users who have been moved in and out (and back in!) of one of the AD groups in question.
For these users the query is failing and based on what I've seen in the session logs I was wondering whether this info is in fact cached for a period of time? Here is an example of what I've seen:
AD Group Cache: found groupDN 'CN=Domain Users,CN=Users,DC=mydomain,DC=com' from group cache of server '127.7.0.1'
If the answer is that it does cache the results for a period of time, is there a way to turn off this behaviour so that a "live" lookup is performed each and every time or can the cache duration be set?
Thanks
Peter
- Seth_Cooper (Employee)
Hey Peter,
To update the cache please try the following...
- Navigate to "Access Policy ›› Access Profiles : Access Profiles List".
- Check the Access Policy for which you want the AAA AD cache to be cleared.
- Apply the Access Policy
This should reset the cache.
The caching is in place to make the lookup faster and give a better overall experience for all the users logging into the system.
Please let me know if this helps...
Seth
- Seth_Cooper (Employee)
Peter,
Also, in 11.5 in the AD Properties under "Access Policy >> AAA Servers >> Select your AD config" there is a setting for "Group Cache Lifetime" which is set in number of days. There is also a button to clear the cache.
Seth
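To make the caching behaviour described above concrete, here is an added Python model of a group cache with a lifetime and a clear operation. It is not F5 APM code and the user name, group DNs and one-day lifetime are constructed for the example. It walks through the scenario from the original question: a user removed from a group keeps passing a cached group check until the lifetime expires or the cache is cleared, and a user moved back in can keep failing it for the same reason.

```python
"""Illustrative TTL cache for AD group membership (added example, not
F5 APM code). Models a "Group Cache Lifetime" plus a "clear cache" action
and shows the window in which an access decision is based on stale data."""
import time
from typing import Callable, Dict, Set, Tuple


class GroupCache:
    """Caches each user's group DNs for `lifetime` seconds.

    `lookup` stands in for the live query against the directory server.
    `clock` is injectable so the expiry window can be exercised without sleeping.
    """

    def __init__(self, lookup: Callable[[str], Set[str]], lifetime: float,
                 clock: Callable[[], float] = time.monotonic):
        self._lookup = lookup
        self._lifetime = lifetime
        self._clock = clock
        self._entries: Dict[str, Tuple[float, Set[str]]] = {}
        self.live_queries = 0  # how many times the directory was actually asked

    def groups_for(self, user: str) -> Set[str]:
        now = self._clock()
        entry = self._entries.get(user)
        if entry is not None and now - entry[0] < self._lifetime:
            return entry[1]                      # served from cache, no live lookup
        groups = set(self._lookup(user))         # copy so later directory edits don't leak in
        self.live_queries += 1
        self._entries[user] = (now, groups)
        return groups

    def clear(self) -> None:
        """Equivalent of the clear-cache button: next check does a live lookup."""
        self._entries.clear()

    def is_member(self, user: str, group_dn: str) -> bool:
        return group_dn in self.groups_for(user)


def demo_stale_window() -> dict:
    """Replays the thread's scenario with constructed data and returns the
    policy decision at each step. No real directory is contacted."""
    vpn = "CN=VPN-Users,CN=Users,DC=example,DC=com"  # constructed group DN
    directory = {"peter": {vpn, "CN=Domain Users,CN=Users,DC=example,DC=com"}}
    now = [0.0]  # fake clock, advanced by hand
    cache = GroupCache(lambda u: directory.get(u, set()),
                       lifetime=86400,  # one day, a 1-day Group Cache Lifetime
                       clock=lambda: now[0])
    result = {}
    result["initial"] = cache.is_member("peter", vpn)               # live lookup: True
    directory["peter"].discard(vpn)                                # admin removes the user
    result["after_removal_cached"] = cache.is_member("peter", vpn)  # stale: still True
    now[0] += 3600
    result["one_hour_later"] = cache.is_member("peter", vpn)        # still within lifetime
    cache.clear()                                                   # clear cache
    result["after_clear"] = cache.is_member("peter", vpn)           # fresh lookup: False
    directory["peter"].add(vpn)                                     # user moved back in
    result["readded_cached"] = cache.is_member("peter", vpn)        # stale again: False
    now[0] += 86400                                                 # lifetime elapses
    result["after_expiry"] = cache.is_member("peter", vpn)          # live lookup: True
    result["live_queries"] = cache.live_queries
    return result


if __name__ == "__main__":
    for step, value in demo_stale_window().items():
        print(f"{step}: {value}")
```

The point for an access policy is that a group removal is not a revocation until the cache entry expires or is cleared, so the lifetime is effectively the maximum delay before a de-provisioned user stops passing the AD Query.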
- vandenhoutenp_9 (Nimbostratus)
Thanks Seth, much appreciated!
- Michael_Jenkins (Cirrostratus)
Along the lines of this question, do you know if there would be any disruption to connected users if we were to change the lifetime and/or clear the cache (apart from the obvious delay the next time they connect while the groups are being retrieved)?
- Seth_Cooper (Employee)
Changing the lifetime or clearing cache shouldn't affect connected users at all.
- Michael_Jenkins (Cirrostratus)
As an FYI regarding updating the lifetime (probably with clearing the cache as well), I tested it in our development environment and it seemed to work fine. When I made the change in production, I didn't "apply access policy" (since it marks all associated policies as needing to be applied) for our Exchange stuff, but even still, all our Exchange and OWA users could no longer log in. Only after applying the access policy were they able to get back in.
Just thought I'd mention this. Apparently the change does something on the back end to disrupt access (in certain situations, I guess) if the policy is not immediately applied.