Forum Discussion

vandenhoutenp_9's avatar
vandenhoutenp_9
Icon for Nimbostratus rankNimbostratus
Apr 11, 2014

Does an AD Query cache results?

Hi guys,

 

I'm performing a simple AD Query as part of my access policy. For most users this seems to work as it should however we have a couple of users who have been moved in and out (and back in!) of one of the AD groups in question.

 

For these users the query is failing and based on what I've seen in the session logs I was wondering whether this info is in fact cached for a period of time? Here is an example of what I've seen:

 

AD Group Cache: found groupDN 'CN=Domain Users,CN=Users,DC=mydomain,DC=com' from group cache of server '127.7.0.1'

 

If the answer is that it does cache the results for a period of time, is there a way to turn off this behaviour so that a "live" lookup is performed each and every time or can the cache duration be set?

 

Thanks

 

Peter

 

BIG-IP Access Policy Manager (APM)
security
  • Seth_Cooper's avatar
    Seth_Cooper
    Icon for Employee rankEmployee
    Apr 12, 2014

    Hey Peter,

     

    To update the cache please try the following...

     

    1. Navigate to "Access Policy ›› Access Profiles : Access Profiles List".
    2. Check the Access Policy you want the AAA AD cache to be cleared.
    3. Apply the Access Policy

    This should reset the cache.

     

    The caching is in place to make the lookup faster and give a better over all experiance for all the users logging into to the system.

     

    Please let me know if this helps...

     

    Seth

     

  • Seth_Cooper's avatar
    Seth_Cooper
    Icon for Employee rankEmployee
    Apr 12, 2014

    Peter,

     

    Also, in 11.5 in the AD Properties under "Access Policy >> AAA Servers >> Select your AD config" there is a setting for "Group Cache Lifetime" which is set in number of days. There is also a button to clear the cache.

     

    Seth

     

  • Michael_Jenkins's avatar
    Michael_Jenkins
    Icon for Cirrostratus rankCirrostratus
    May 30, 2014

    Along the lines of this question, do you know if there would there be any disruption to connected users if we were to change the lifetime and/or clear the cache (apart form the obvious delay the next time they connect while the groups are being retrieved)?

     

  • Seth_Cooper's avatar
    Seth_Cooper
    Icon for Employee rankEmployee
    May 30, 2014

    Changing the lifetime or clearing cache shouldn't affect connected users at all.

     

  • Michael_Jenkins's avatar
    Michael_Jenkins
    Icon for Cirrostratus rankCirrostratus
    May 30, 2014

    As an FYI regarding updating the lifetime (probably with clearing the cache as well), I tested it in our development environment and it seemed to work fine. When I made the change in production, I didn't "apply access policy" (since it marks all associated policies as needing to be applied) for our Exchange stuff, but even still, all our Exchange and OWA users could no longer log in. Only after applying the access policy were they able to get back in.

     

    Just thought I'd mention this. Apparently the change does something on the back end to disrupt access (in certain situations, I guess) if the policy is not immediately applied.