HOW TO: Tune Active Directory Synchronization interval in Encryption Management Server

Article ID: 156743

Products

Encryption Management Server

Issue/Introduction

Changes in Active Directory group membership are not reflected in Encryption Management Server until hours after the change has been made. This is governed by the Active Directory group membership optimization settings.

Cause

The Active Directory update frequency is set to 21,600 seconds (6 hours) by default, and the optimization may be disabled initially.

Environment

  • PGP Universal Server 3.0 and above.
  • Encryption Management Server 3.3 and above.

Resolution

Encryption Management Server can be configured to look up information from LDAP servers such as Active Directory or Novell eDirectory. The information in this article relates specifically to the Active Directory synchronization routines; other directory servers use a different mechanism. Various attributes related to a user are pulled from the directory server, including the DN of the user entry. When synchronization is enabled, this information is refreshed from Active Directory periodically according to settings on the Encryption Management Server, so that the most up-to-date information is available. The update frequency defaults to 21,600 seconds (6 hours) when synchronization is enabled.

IMPORTANT NOTE:
The information below is for documentation and Technical Support reference.  Changing settings on the Encryption Management Server is not supported and changes the supportability of your installation to “Best Effort”. Changes made through the command line may not persist through reboots and may be incompatible with future releases. Symantec Technical Support may also require reverting any custom configurations on the Encryption Management Server back to a default state when troubleshooting new issues.
Any changes made to the Encryption Management Server via the command line must be: 
  • Authorized in writing by Symantec Technical Support or published as an approved and documented process on the Symantec Knowledge Base.
  • Implemented by a Symantec Partner, reseller or Symantec Technical Support.
  • Summarized and documented in a text file in /var/lib/ovid/customization on the Encryption Management Server itself.
To change this setting, edit the following file:
/etc/ovid/prefs.xml
  • Change the group-membership-optimization setting to “true”.
  • Set group-membership-sync-interval to a value in seconds between 60 and 172800.
These settings are located in the groupd section of the file.
After editing the preferences file, the changes do not take effect until the pgpgroupd service is restarted. This can be done with the command: pgpsysconf --restart pgpgroupd
Note: If these groupd settings are not present in /etc/ovid/prefs.xml, you can find them in /etc/ovid/prefs.xml.rpmnew. Copy the entire entry from the opening <groupd> tag to the closing </groupd> tag into prefs.xml and then follow the steps documented in this article.
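The following script is an added example for checking and adjusting these two groupd settings before restarting the service; it is not Symantec code and is not part of this article. It assumes that prefs.xml holds a <groupd> element containing <group-membership-optimization> and <group-membership-sync-interval> child elements (this layout is an assumption; confirm it against the actual file), and it enforces the 60 to 172800 second range stated above so that an out-of-range value is never written.

```python
"""Check and tune the groupd synchronization settings in an Encryption
Management Server prefs.xml.

Added example, not Symantec code.  ASSUMPTION: the <groupd> section holds
<group-membership-optimization> and <group-membership-sync-interval> as
child elements; verify this against the real /etc/ovid/prefs.xml (or
prefs.xml.rpmnew) before using the script on a server.
"""
import sys
import xml.etree.ElementTree as ET

MIN_INTERVAL = 60          # seconds, lower bound from the article
MAX_INTERVAL = 172800      # seconds (48 hours), upper bound from the article
DEFAULT_INTERVAL = 21600   # seconds (6 hours), product default

# Constructed sample resembling the default state: optimization off and the
# interval at the 6-hour default.  Element layout is assumed (see docstring).
SAMPLE_PREFS = """<preferences>
  <groupd>
    <group-membership-optimization>false</group-membership-optimization>
    <group-membership-sync-interval>21600</group-membership-sync-interval>
  </groupd>
</preferences>
"""


def _groupd(root):
    """Return the <groupd> element or fail with the article's remedy."""
    groupd = root.find("groupd")
    if groupd is None:
        raise ValueError("no <groupd> section: copy it from prefs.xml.rpmnew")
    return groupd


def read_groupd_settings(xml_text):
    """Return (optimization_enabled, sync_interval_seconds)."""
    groupd = _groupd(ET.fromstring(xml_text))
    opt_text = groupd.findtext("group-membership-optimization", "false")
    enabled = opt_text.strip().lower() == "true"
    interval = int(groupd.findtext("group-membership-sync-interval",
                                   str(DEFAULT_INTERVAL)).strip())
    return enabled, interval


def membership_lag_hours(xml_text):
    """Worst-case delay, in hours, before an AD group change is picked up.

    Returns None when periodic synchronization is not enabled, since the
    interval then does not apply.
    """
    enabled, interval = read_groupd_settings(xml_text)
    if not enabled:
        return None
    return interval / 3600


def tune_sync_interval(xml_text, seconds):
    """Enable optimization and set the interval; returns the new XML text.

    Rejects values outside the supported 60-172800 second range so a bad
    value is never written to the preferences file.
    """
    if not MIN_INTERVAL <= seconds <= MAX_INTERVAL:
        raise ValueError("interval must be between %d and %d seconds, got %d"
                         % (MIN_INTERVAL, MAX_INTERVAL, seconds))
    root = ET.fromstring(xml_text)
    groupd = _groupd(root)
    for tag, value in (("group-membership-optimization", "true"),
                       ("group-membership-sync-interval", str(seconds))):
        elem = groupd.find(tag)
        if elem is None:            # create the key if the section lacks it
            elem = ET.SubElement(groupd, tag)
        elem.text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python tune_groupd.py /etc/ovid/prefs.xml 900 > prefs.xml.new
    path, seconds = sys.argv[1], int(sys.argv[2])
    with open(path) as fh:
        original = fh.read()
    print("current lag (hours):", membership_lag_hours(original), file=sys.stderr)
    sys.stdout.write(tune_sync_interval(original, seconds))
```

The script writes the modified XML to standard output rather than in place, so the result can be reviewed and diffed against the original before it replaces /etc/ovid/prefs.xml; after copying it into place, restart the service with pgpsysconf --restart pgpgroupd and record the change in /var/lib/ovid/customization as the note above requires. Shortening the interval narrows the window during which a user removed from an Active Directory group is still treated as a member by the server, at the cost of more frequent directory queries.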