Forum Discussion

vandenhoutenp_9
Apr 11, 2014

Does an AD Query cache results?

Hi guys,

I'm performing a simple AD Query as part of my access policy. For most users this seems to work as it should; however, we have a couple of users who have been moved in and out (and back in!) of one of the AD groups in question.

For these users the query is failing, and based on what I've seen in the session logs I was wondering whether this info is in fact cached for a period of time. Here is an example of what I've seen:

AD Group Cache: found groupDN 'CN=Domain Users,CN=Users,DC=mydomain,DC=com' from group cache of server '127.7.0.1'

If the answer is that it does cache the results for a period of time, is there a way to turn off this behaviour so that a "live" lookup is performed each and every time, or can the cache duration be set?

Thanks

Peter

 

  • Hey Peter,

    To update the cache please try the following...

    1. Navigate to "Access Policy ›› Access Profiles : Access Profiles List".
    2. Check the Access Policy for which you want the AAA AD cache to be cleared.
    3. Apply the Access Policy.

    This should reset the cache.

    The caching is in place to make the lookup faster and give a better overall experience for all the users logging into the system.

    Please let me know if this helps...

    Seth


  • Peter,

    Also, in 11.5 in the AD Properties under "Access Policy >> AAA Servers >> Select your AD config" there is a setting for "Group Cache Lifetime" which is set in number of days. There is also a button to clear the cache.

    Seth
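The "AD Group Cache" line quoted in the question is the visible sign that a group DN was answered from the cache rather than by a live query, and Seth's lifetime setting and clear-cache button are what change that. The following is an added example, not code from this thread or from F5: a small Python parser over constructed APM session-log lines (the line format is the one quoted above; the IPs and group names are made up) that reports which group DNs each AAA server answered from its group cache, so an administrator can confirm after clearing the cache or shortening the lifetime that a given group lookup went live.

```python
import re
from collections import defaultdict

# Pattern for the APM session-log line quoted in the question above.
CACHE_HIT = re.compile(
    r"AD Group Cache: found groupDN '(?P<dn>[^']+)' "
    r"from group cache of server '(?P<server>[^']+)'"
)

# Constructed sample lines for this example; not taken from a real system.
SAMPLE_LOG = """\
AD Group Cache: found groupDN 'CN=Domain Users,CN=Users,DC=mydomain,DC=com' from group cache of server '127.7.0.1'
AD Group Cache: found groupDN 'CN=VPN Users,OU=Groups,DC=mydomain,DC=com' from group cache of server '127.7.0.1'
AD Group Cache: found groupDN 'CN=Domain Users,CN=Users,DC=mydomain,DC=com' from group cache of server '10.0.0.5'
AD Query: user attributes retrieved (unrelated line, ignored by the parser)
"""


def cached_groups(log_text):
    """Return {server: sorted list of group DNs} for every cache hit in the log."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = CACHE_HIT.search(line)
        if m:
            hits[m.group("server")].add(m.group("dn"))
    return {server: sorted(dns) for server, dns in hits.items()}


def servers_serving_from_cache(log_text, group_cn):
    """Servers whose group cache answered a lookup for the group named group_cn.

    A non-empty result means the group DN came from the cache; an empty result
    after clearing the cache (or once the lifetime has expired) shows that the
    lookup for that group was not answered from the cache in this log.
    """
    wanted = f"CN={group_cn},".lower()
    return sorted(
        server
        for server, dns in cached_groups(log_text).items()
        if any(dn.lower().startswith(wanted) for dn in dns)
    )


if __name__ == "__main__":
    for server, dns in cached_groups(SAMPLE_LOG).items():
        print(server, "->", dns)
    print("Domain Users from cache on:", servers_serving_from_cache(SAMPLE_LOG, "Domain Users"))
```

Feed it the relevant session-log lines for the affected user's session; if the group in question still shows up as a cache hit after the change, the policy has not been re-applied yet.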


  • Along the lines of this question, do you know if there would be any disruption to connected users if we were to change the lifetime and/or clear the cache (apart from the obvious delay the next time they connect while the groups are being retrieved)?


  • Changing the lifetime or clearing cache shouldn't affect connected users at all.


  • As an FYI regarding updating the lifetime (probably with clearing the cache as well), I tested it in our development environment and it seemed to work fine. When I made the change in production, I didn't "apply access policy" (since it marks all associated policies as needing to be applied) for our Exchange stuff, but even still, all our Exchange and OWA users could no longer log in. Only after applying the access policy were they able to get back in.


    Just thought I'd mention this. Apparently the change does something on the back end to disrupt access (in certain situations, I guess) if the policy is not immediately applied.