When a UNIX-enabled user is deleted from AD, it appears that the clients do not learn of this until a flush is performed.
The product is performing as expected. However, you can change the QAS configuration to check for deleted users at a specified interval.
Here is some information from the vasd man page about a setting you can use:
delusercheck-interval = <integer (minutes)>
Default value: 0
By default, vasd only detects that user objects have been deleted
when explicit requests for the deleted users are made by the VAS
authentication modules or by calls to getpwnam(). This is due to the
difficulties inherent in detecting when objects in a directory are
deleted when using an incremental update algorithm. While deleted
users cannot get access to Unix machines through VAS, this may not
satisfy some auditing requirements. If a Unix environment requires
that the cache of user and group information is completely up to date
(including removal of deleted objects), you can configure vasd to
check periodically for deleted objects. By default this check is
turned off to limit the amount of LDAP traffic each VAS client
generates. The value of this option should be set to an interval in
minutes where vasd should perform the deleted user check. You should
carefully evaluate the impact of enabling this search on your Unix
clients before enabling this option across your deployment. The
following example shows how to configure vasd to run the deleted user
check every 24 hours.
[vasd]
delusercheck-interval = 1440
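The following POSIX shell helper is an added example, not code from the original article or from the vasd man page: it reads the current delusercheck-interval from the [vasd] section of a vas.conf-style file (reporting the documented default of 0 when unset) and sets it idempotently, replacing an existing line or inserting one inside the section. The configuration file path, the sample section names and the checks on the argument are assumptions; the example edits the file only and does not signal vasd to reread it.

```shell
#!/bin/sh
# Added example: read or set delusercheck-interval in the [vasd] section.
# Assumptions: INI-style [section] headers as in the man page excerpt; the
# usual file is /etc/opt/quest/vas/vas.conf, passed here as an argument.

# Print the effective delusercheck-interval (0 when the key is absent,
# matching the documented default). Only the [vasd] section is consulted.
get_delusercheck_interval() {
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[vasd\][[:space:]]*$/); next }
        insec && /^[[:space:]]*delusercheck-interval[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); val = $0
        }
        END { print (val == "" ? 0 : val) }
    ' "$1"
}

# Set delusercheck-interval (minutes, non-negative integer) in [vasd]:
# replace the first existing line, drop duplicates, or insert the key before
# the next section header; create [vasd] at the end if it does not exist.
set_delusercheck_interval() {
    file=$1; minutes=$2
    case $minutes in
        ''|*[!0-9]*) echo "minutes must be a non-negative integer" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    awk -v m="$minutes" '
        /^[[:space:]]*\[/ {
            if (insec && !done) { print "delusercheck-interval = " m; done = 1 }
            insec = ($0 ~ /^[[:space:]]*\[vasd\][[:space:]]*$/); seen = seen || insec
        }
        insec && /^[[:space:]]*delusercheck-interval[[:space:]]*=/ {
            if (!done) { print "delusercheck-interval = " m; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!seen) print "[vasd]"
                print "delusercheck-interval = " m
            }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode/owner
    rc=$?; rm -f "$tmp"; return $rc
}
```

Run with a copy of vas.conf first and diff the result before applying it to the real file.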