Update delay?

[Nico Kobes]

When I change the group of a person in LDAP of snow leopard server, the changes don't work in Filemaker Server 11 Advanced.

It looks like there is a very long delay, after a few hours it works finaly.

[Steven H. Blackwell]

It is possible you're not making the change in the correct place? Is this on an Open Directory Domain Controller or on the FileMaker Server itself?

BTW, the LDAP setting has nothing to do with External Server Authentication.

Steven

[Dave Graham]

I think it might be more accurate to say that changes made in Open Directory do not immediately take effect for externally authenticated FileMaker clients; at least in certain configurations. I've run into this before and again just now and it appears to be a caching issue. What is weird though is that password changes in OD take effect instantly for externally authenticated clients, but group changes do not. I tried flushing the Directory Services cache on both the FMS and the OD master to no avail. Restarting OD similarly has no effect. The only thing I've found that does force the change to take affect immediately is to rebind the FMS machine.

It might only happen when FMS is installed on a different computer than the OD master. I'm going to test a single server and Win deployment to see if it makes a difference.

- dg

[Ocean West]

I believe this is the location to connect FMS to an OD server

[Dave Graham]

I believe this is the location to connect FMS to an OD server

That is correct for 10.6. For 10.5 it's Directory Utility in Applications > Utilities.

Rebinding (i.e., delete current bound OD server and bind again) is what forces externally authenticated clients to recognize group changes immediately.

Stephen: I know we ran into this at one of our clients. Did you ever find a better solution?

- dg

[Ocean West]

sadly no - users log in with a temp account for the day - or they have to have their account & group established the day before they gain access to the system.

[Dave Graham]

sadly no - users log in with a temp account for the day - or they have to have their account & group established the day before they gain access to the system.

Bummer. I just tested at a client with FMS installed on the OD server and it's the same story. It turns out that it only affects Open Directory. In AD environments FileMaker clients authenticate properly immediately after a group change. Time to submit this as a bug.

- dg

[Wim Decorte]

On Windows there is a command-line command to force an update/propagation. I would very much suprise me if there no such thing on OSX...

[Dave Graham]

On Windows there is a command-line command to force an update/propagation. I would very much suprise me if there no such thing on OSX...

Me too. I expected it to be the dscacheutil (Directory Services Cache Utility).

I ran sudo dscacheutil -flushcache but it didn't do it. There must be another place that groups are cached but I don't know where to look. I'll try poking around some tonight.

- dg