All versions of Centrify DirectControl.
By default, Centrify preserves its cache so that in disconnected mode, users can still log in. Is it possible to disable the cache?
If you want to flush the local cache automatically, you can use the following configuration parameters in the file /etc/centrifydc/centrifydc.conf:
1. The configuration parameter "adclient.cache.expires" specifies:
the number of seconds before an object in the DirectControl domain controller cache expires. This parameter controls how frequently the DirectControl agent checks Active Directory to see if an object in the cache has been updated. Every object retrieved from Active Directory is stamped with the system time when it enters the domain controller cache. Once an object expires, if it is needed again, the DirectControl agent contacts Active Directory to determine whether to retrieve an updated object (because the object has changed) or renew the expired object (because no changes have been made). To make this determination, the DirectControl agent checks the highestUSN for the expired object. If the value has changed, the agent retrieves the updated object. If the highestUSN has not changed, the agent resets the object’s timestamp to the new system time and retrieves the object from the cache.
If the DirectControl agent is unable to contact Active Directory to check for updates to an expired object—for example because the computer is disconnected from the network—the DirectControl agent returns the currently cached object until it can successfully contact Active Directory. The default cleanup interval is 10 minutes.
2. The configuration parameter "adclient.cache.cleanup.interval" specifies:
How often the DirectControl agent should clean up the local cache. At each cleanup interval, the DirectControl agent checks the cache for objects to be removed or expired, and at every 10th interval, the DirectControl agent rebuilds local indexes. This parameter’s value should be less than the values specified for the adclient.cache.negative.lifetime, adclient.cache.flush.interval, and adclient.cache.object.lifetime parameters. If this parameter is not defined in the configuration file, its default value is 3600 seconds (60 minutes).
3. The configuration parameter "adclient.cache.flush.interval" specifies:
How frequently to flush all objects from the DirectControl domain controller cache. The domain controller cache contains object attributes including the object’s Active Directory properties, memberships, indexes and other parameters. The parameter value must be a positive integer. Unlike the other cache management parameters, which flush objects selectively, this parameter removes all objects in the cache at the interval you specify. The default value is 0, which disables the complete flushing of the cache. For example, the following setting flushes all values in the cache every 30 minutes:
adclient.cache.flush.interval: 1800
Note: Customers need to run the adreload command after making changes to these parameters inside /etc/centrifydc/centrifydc.conf to apply the new settings.
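The following check is an added example, not Centrify code: it reads centrifydc.conf text and reports whether the full cache flush is disabled and whether adclient.cache.cleanup.interval is less than adclient.cache.flush.interval, as item 2 above requires. It assumes the "name: value" syntax of the example setting and the defaults stated on this page; the function names and the sample file are constructed for illustration.

```python
import re

# Defaults exactly as this page states them (seconds); the page gives no
# explicit default for adclient.cache.expires, so none is assumed here.
PAGE_DEFAULTS = {
    "adclient.cache.cleanup.interval": 3600,
    "adclient.cache.flush.interval": 0,
}
# Assumption: settings are written "name: value", as in the page's example.
PARAM_RE = re.compile(r"^\s*(adclient\.cache\.[\w.]+)\s*:\s*(.*?)\s*$")

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """\
# cache tuning
adclient.cache.expires: 600
# adclient.cache.flush.interval: 900
adclient.cache.flush.interval: 1800
"""

def parse_cache_params(text):
    """Return ({name: seconds}, [names with non-integer values])."""
    values, invalid = {}, []
    for raw in text.splitlines():
        m = PARAM_RE.match(raw.split("#", 1)[0])  # drop comments
        if not m:
            continue
        name, value = m.groups()
        if value.isdigit():
            values[name] = int(value)
        else:
            invalid.append(name)
    return values, invalid

def audit(text):
    """Return (effective settings, findings) for the cache parameters."""
    values, invalid = parse_cache_params(text)
    eff = {**PAGE_DEFAULTS, **values}
    flush = eff["adclient.cache.flush.interval"]
    cleanup = eff["adclient.cache.cleanup.interval"]
    findings = [f"{n}: value is not a non-negative integer" for n in invalid]
    if flush == 0:
        findings.append("flush.interval=0: full cache flush disabled")
    elif cleanup >= flush:
        findings.append(f"cleanup.interval={cleanup} is not less than flush.interval={flush}")
    return eff, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF)[1]:
        print(finding)
```

In the sample, the cleanup interval is left at the 3600-second default stated above while the flush interval is set to 1800, so the check reports that the cleanup interval also needs lowering.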