Group membership updates in LDAP
 




Forum Index -> microsoft.public.windows.server.active_directory
adiavr@gmail.com (Guest)
Posted: Fri Aug 31, 2007 12:29 am    Post subject: Group membership updates in LDAP

We have several DCs in our organization in multiple sites. In one
site, we use an application that authenticates users based on their
group membership, using LDAP (e.g. checking if johndoe is part of the
Developers group).

When adding or removing a user from the group, there is a significant
delay before the updated group membership is shown in the LDAP
directory of this site's DC. I've used the Softerra LDAP Browser to
check group membership and it takes more than 30 mins before the
updated member list is replicated. Password changes are almost instant
though.

I've had to point the LDAP server setting in our application to the
Operations Master DC which is in a different site as a workaround.
However I would like to have it point to local DC for performance and
reliability.

Why does group membership take so long to propagate in LDAP?

adiavr@gmail.com (Guest)
Posted: Fri Aug 31, 2007 12:29 am    Post subject: Re: Group membership updates in LDAP

The DC in our site is linked with both DCs from the primary site. One
of them is a GC for that site and the other one is the operations master.

On Aug 30, 2:53 pm, "Mathieu CHATEAU" <gollum...@free.fr> wrote:
Quote:
Hello,

DC replication occurs every 10 minutes per default.
What is your replication topology?
Is your operation master fsmo role not on a global catalog? (it wouldn't)

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


Mathieu CHATEAU (Guest)
Posted: Fri Aug 31, 2007 12:29 am    Post subject: Re: Group membership updates in LDAP

Hello,

DC replication occurs every 10 minutes per default.
What is your replication topology?
Is your operation master fsmo role not on a global catalog? (it wouldn't)

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


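
One way to see which domain controllers have already received a group membership change, as an added example that is not part of the original thread: it asks every DC directly whether the user appears in the group's `member` attribute. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the group and user names are the ones from the question, and only direct (non-nested) membership is checked.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$GroupName = 'Developers'   # group named in the question
$UserName  = 'johndoe'      # user named in the question

# Membership is stored as DNs in the group's 'member' attribute, so resolve the DN once.
$userDn = (Get-ADUser -Identity $UserName).DistinguishedName

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DC = $dc.HostName; Site = $dc.Site; GC = $dc.IsGlobalCatalog
        IsMember = $null; WhenChanged = $null; Error = $null
    }
    try {
        # -Server pins the query to this DC, so the answer comes from its local replica.
        $g = Get-ADGroup -Identity $GroupName -Server $dc.HostName `
                 -Properties member, whenChanged -ErrorAction Stop
        $row.IsMember    = @($g.member) -contains $userDn
        $row.WhenChanged = $g.whenChanged   # not replicated: this DC's own last-change time
    } catch {
        $row.Error = $_.Exception.Message   # unreachable DC or failed lookup
    }
    [pscustomobject]$row
}

$report | Sort-Object Site, DC | Format-Table -AutoSize

# More than one distinct answer among reachable DCs means the change has not converged,
# and an application bound to a lagging DC will still authorize on the old membership.
$answers = @($report | Where-Object { $null -eq $_.Error } | Group-Object IsMember)
if ($answers.Count -gt 1) {
    Write-Warning "DCs disagree on whether $UserName is in ${GroupName}: replication is still pending."
}
```

Running it right after a membership change, and again at intervals, shows how long each site's DC takes to pick the change up.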