2 Replies Latest reply on Dec 10, 2015 9:16 AM by JohnDCCIU

    FMS 14 on OS X and LDAP/Active Directory Delays

    JohnDCCIU

      We run FMS on OS X and a couple of years ago we started using Active Directory authentication.  It works great, but there's a significant delay between when changes are made in the AD and when FileMaker sees them, sometimes hours.  There doesn't seem to be any set syncing time, but I can force it to sync by opening the Directory Utility (where the AD is configured) and messing around in the list of AD Groups and Users....that seems to force FMS to see the changes.

       

      This delay causes issues because when we add a new user to an AD Group to be able to access a database, we have no idea when they're actually going to be able to log in.

       

      Has anyone seen this behavior and has a way to keep the syncing relatively up-to-date? 

       

      I'm not sure of the mechanism that FMS uses to query AD....is it keeping some cached list that it uses for performance reasons and so FMS is the problem because it's not updating its cache properly or frequently enough?  Or is it querying AD "live", which would lead me to believe that OS X is the place where the caching is occurring and so I need to do something at the OS level.

       

      Thanks,

      John

        • 1. Re: FMS 14 on OS X and LDAP/Active Directory Delays
          wimdecorte

          FMS itself does not cache anything; it hands the authentication request off to the OS, which takes over.

           

          AD integration in OSX has always been messy and a bit of a problem child.  Perhaps there is some command line for the directory utility that can force a refresh?    

          • 2. Re: FMS 14 on OS X and LDAP/Active Directory Delays
            JohnDCCIU

            I made some progress on this, for those that want to quickly kickstart an AD info update on their OS X Server bound to an AD domain.

             

            Right now the caching time seems to default to 4 hours, which is way too long IMO.  I'm trying to find a way to make that something like 5 minutes, which will make the process essentially automatic, but in the meantime you can kickstart it this way:

            • Launch the Terminal app (from /Applications/Utilities/ or from the Dock if you keep it there)
            • Copy and paste the following command to the Terminal and hit Return (you should just get another Terminal prompt)

                           dsmemberutil flushcache


            After that, FileMaker will have updated user and group membership info.

             

            I'll update this thread once I find a way to do this automatically.  I hope to find the parameter that controls the cache timeout, but failing that, I'll be doing an AppleScript or shell script controlled by a launchdaemon that will just do a flushcache every few minutes.

             

            John
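
Added example, not part of the thread and not code from either poster: a shell sketch that runs the `dsmemberutil flushcache` step above and then asks the OS what it now reports for one user and group, so an access grant or removal in AD can be confirmed instead of assumed. The function names and the `DSMEMBERUTIL` override variable are made up for this example, and the `checkmembership` output wording is an assumption noted in the comments.

```shell
#!/bin/sh
# Added example: flush the OS X membership cache, then confirm what the OS
# reports for one user/group pair. Suitable for running by hand or from a
# launchd job on an interval.
# Usage (script name is hypothetical): ./ad-refresh.sh USER GROUP

# Path to the tool; overridable so the logic can be exercised elsewhere.
DSMEMBERUTIL="${DSMEMBERUTIL:-/usr/bin/dsmemberutil}"

# Drop the cached user and group membership data.
flush_membership_cache() {
    "$DSMEMBERUTIL" flushcache
}

# is_member USER GROUP -> 0 member, 1 not a member, 2 undetermined.
# Assumption: checkmembership prints "user is a member of the group" or
# "user is not a member of the group"; the text is parsed because the
# exit status is not relied on here.
is_member() {
    out=$("$DSMEMBERUTIL" checkmembership -U "$1" -G "$2" 2>&1) || true
    case "$out" in
        *"is not a member"*) return 1 ;;
        *"is a member"*)     return 0 ;;
        *)                   return 2 ;;
    esac
}

# refresh_and_report USER GROUP: flush first, then print and return the result.
refresh_and_report() {
    flush_membership_cache || { echo "flushcache failed" >&2; return 2; }
    rc=0
    is_member "$1" "$2" || rc=$?
    case $rc in
        0) echo "$1 is a member of $2" ;;
        1) echo "$1 is NOT a member of $2" ;;
        *) echo "could not determine membership of $1 in $2" >&2 ;;
    esac
    return $rc
}

if [ "$#" -eq 2 ]; then
    refresh_and_report "$1" "$2"
    exit $?
fi
```

Checking a user who was just removed from a group is as useful as checking one who was just added, since a stale cache delays both.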