Saturday, 12 June 2021

[ONTAP] Comparing LDAP Group Memberships on LDAP Server with ONTAP Cache

If you've added a new LDAP group membership to a user but the user still cannot access the resources that LDAP group grants, the most likely cause is a stale name-service cache on ONTAP that needs to be cleared.

You can see the user's LDAP group memberships as recorded on the LDAP server (bypassing the cache) with this clustershell command:

set adv
vserver services name-service getxxbyyy getgrlist -node NODE -vserver SVMNAME -username USERNAME

Then, to see what ONTAP's cache holds for the same user, run the same lookup with -use-cache true:

vserver services name-service getxxbyyy getgrlist -node NODE -vserver SVMNAME -username USERNAME -use-cache true

If the group memberships recorded in the cache do not match what is on the LDAP server, list and then delete the cached group membership entries for the user:

vserver services name-service cache group-membership show -vserver SVMNAME -user USERNAME
vserver services name-service cache group-membership delete -vserver SVMNAME -user USERNAME -group GID
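As an added example (not from the original post), a small Python helper that compares the two getgrlist outputs and reports which cached GIDs are stale and which LDAP groups the cache is missing, then builds the matching cache delete commands. The output format of getgrlist in the sample strings, the SVM name, the username and the GIDs are all assumptions; the real output layout may differ, so adjust the regex to match.

```python
import re

# Constructed sample output of the two getgrlist lookups; the "GID: n" layout is an assumption.
LDAP_OUTPUT = """  (vserver services name-service getxxbyyy getgrlist)
Groups for user "jdoe":
  GID: 10001
  GID: 10002
  GID: 10005
"""

CACHE_OUTPUT = """  (vserver services name-service getxxbyyy getgrlist)
Groups for user "jdoe":
  GID: 10001
  GID: 10002
  GID: 10003
"""

GID_PATTERN = re.compile(r"(?:GID|Group ID)\s*:\s*(\d+)", re.IGNORECASE)


def parse_gids(output: str) -> set[int]:
    """Extract the numeric group IDs from a getgrlist output (assumed format)."""
    return {int(gid) for gid in GID_PATTERN.findall(output)}


def compare_memberships(ldap_output: str, cache_output: str) -> dict[str, set[int]]:
    """Return the GIDs that are stale in the cache and the LDAP GIDs the cache lacks."""
    ldap_gids = parse_gids(ldap_output)
    cached_gids = parse_gids(cache_output)
    return {
        "stale": cached_gids - ldap_gids,    # cached but no longer on the LDAP server
        "missing": ldap_gids - cached_gids,  # on the LDAP server but not yet cached
    }


def delete_commands(svm: str, user: str, stale_gids: set[int]) -> list[str]:
    """Build one cache delete command per stale GID, in the form the post uses."""
    return [
        f"vserver services name-service cache group-membership delete "
        f"-vserver {svm} -user {user} -group {gid}"
        for gid in sorted(stale_gids)
    ]


if __name__ == "__main__":
    diff = compare_memberships(LDAP_OUTPUT, CACHE_OUTPUT)
    print("stale in cache:", sorted(diff["stale"]))
    print("missing from cache:", sorted(diff["missing"]))
    for cmd in delete_commands("SVMNAME", "jdoe", diff["stale"]):
        print(cmd)
```

A missing GID means the cache has not yet picked up the new membership; clearing the user's stale entries forces the next lookup to go to the LDAP server and repopulate the cache.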
