To configure Safeguard Authentication Services to resolve netgroup data from the name service module:
vastool configure vas vasd netgroup-mode NSS
vastool configure nss netgroup
vastool configure irs netgroup
Note: To create a netgroup map, if needed, you can enter the following at the command line:
nisedit -u <admin> add -m netgroup -f <an /etc/netgroup style file>
For more information about the nisedit tool, see Using NIS map command line administration utility.
vastool flush netgroup
To test the netgroup configuration run the following command:
vastool nss getnetgrent <netgroup name>
To prevent Safeguard Authentication Services from resolving netgroup data from the name service module:
vastool configure vas vasd netgroup-mode
vastool unconfigure nss netgroup
vastool unconfigure irs netgroup
vastool configure nss
vastool flush netgroup
To minimize network traffic and load on Active Directory, Safeguard Authentication Services maintains a local cache of user and group data.
You can force Safeguard Authentication Services to immediately reload the cache by running the following command as root:
vastool flush
Note: When you run vastool flush, the entire user and group cache database is reloaded from Active Directory. This can generate a significant amount of network traffic, so use this command sparingly.
It is not uncommon for systems to generate hundreds of user and group lookup requests per second. Because of this, Safeguard Authentication Services enforces a "blackout period" during which all name service requests are resolved from the local cache. By default, the blackout period is set to 10 minutes. This means that changes to Unix account information in Active Directory may take up to 10 minutes to propagate to Safeguard Authentication Services clients.
There are two events that cause Safeguard Authentication Services to update the local cache:
You can adjust the blackout period by changing the update-interval setting in the [vasd] section of vas.conf. For an example, refer to the vas.conf man page. See Using manual pages (man pages) for information about accessing the vas.conf man page. In small installations (fewer than 100 hosts or fewer than 100 users), you can safely reduce the blackout period. In larger installations, it is recommended that the blackout period remain at the default value or be set to 30 minutes or 1 hour.
Regardless of the blackout period, you can reset the blackout period timer by signaling vasd with SIGHUP, using the vasd init script to restart vasd, or by executing vastool flush.
To force Safeguard Authentication Services to update the cache immediately regardless of the blackout period, run this command:
vastool flush -f {users|groups}
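The following is an added example, not part of the original documentation or the product: a shell check that reads the update-interval setting from the [vasd] section of a vas.conf-style file and reports the worst-case delay before an Active Directory change reaches the client. It assumes update-interval is expressed in seconds (600 corresponds to the documented 10-minute default); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective blackout period from a vas.conf-style file.
# Assumption: update-interval is given in seconds; 600 = the documented 10-minute default.
DEFAULT_INTERVAL=600

# Print update-interval from the [vasd] section only, or the default if it is unset.
vasd_update_interval() {
    awk -v def="$DEFAULT_INTERVAL" '
        /^[ \t]*[#;]/ { next }                 # ignore comment lines
        /^[ \t]*\[/ {                          # section header: track whether we are in [vasd]
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            in_vasd = (sec == "vasd")
            next
        }
        in_vasd {
            split($0, kv, "=")
            key = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "update-interval" && val ~ /^[0-9]+$/) found = val
        }
        END { print (found != "" ? found : def) }
    ' "$1"
}

# Describe how long a change made in Active Directory can remain unseen by this client.
blackout_report() {
    secs=$(vasd_update_interval "$1")
    mins=$((secs / 60))
    if [ "$secs" -gt "$DEFAULT_INTERVAL" ]; then note="longer than the default"
    elif [ "$secs" -lt "$DEFAULT_INTERVAL" ]; then note="shorter than the default, more load on Active Directory"
    else note="default"; fi
    echo "blackout period: ${secs}s (~${mins} min, ${note}); use 'vastool flush -f {users|groups}' to update immediately"
}

# Constructed sample input (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[other]
update-interval = 5
[vasd]
# constructed value: 30 minutes
update-interval = 1800
EOF
blackout_report "$sample"
rm -f "$sample"
```

Run it against a copy of the host's vas.conf to see how long account or group changes made in Active Directory can remain unseen on that client.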
© 2024 One Identity LLC. ALL RIGHTS RESERVED.