
Investigate changes in SERVER-77005: Leave LDAP users logged-in during LDAP downtime

      Original Downstream Change Summary

      The docs for ldapUserCacheStalenessInterval state that "if more than ldapUserCacheStalenessInterval seconds elapse without a successful refresh of the user information from the LDAP server, then mongod:
      1. Invalidates the cached LDAP user information
      2. Is unavailable for LDAP users. LDAP users are unable to authenticate until mongod contacts the LDAP server"

      After this change, we should change the second bullet point to the following:
      2. Unauthenticated connections are unable to authenticate as LDAP users until mongod contacts the LDAP server. However, connections previously authenticated as LDAP users remain authorized with mongod's last-known privileges from the LDAP server until it is able to contact the LDAP server and start refreshing up-to-date information again.

      Description of Linked Ticket

      Connections which have already been authenticated as LDAP users should remain authenticated and capable of issuing operations with their last-known privileges during LDAP server downtime, provided that the privileges are updated as soon as the LDAP server comes back up.
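As an added illustration, not the server's code or the documentation's own text, the following Python model captures the two behaviours described above: `keep_authenticated_sessions=False` follows the pre-change wording (all LDAP users unavailable once the cache is stale), `True` the post-change wording (already-authenticated connections keep last-known privileges until a refresh succeeds). The class, method names and the sample directory data are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class LdapUserCache:
    """Constructed model of mongod's LDAP user cache; not the server's own code."""
    staleness_interval: float           # seconds, as ldapUserCacheStalenessInterval
    keep_authenticated_sessions: bool   # False: pre-SERVER-77005, True: post
    last_refresh: float = 0.0
    users: dict = field(default_factory=dict)     # user -> roles last seen in LDAP
    sessions: dict = field(default_factory=dict)  # session -> (user, roles snapshot)

    def stale(self, now):
        return now - self.last_refresh > self.staleness_interval

    def refresh(self, now, directory):  # directory is None while LDAP is unreachable
        if directory is None:
            if self.stale(now):
                self.users.clear()   # 1. invalidate cached LDAP user information
            return False
        self.users, self.last_refresh = dict(directory), now
        # LDAP is back: push up-to-date privileges into still-open sessions, drop removed users
        self.sessions = {s: (u, self.users[u]) for s, (u, _) in self.sessions.items() if u in self.users}
        return True

    def authenticate(self, sid, user, now):  # new connections need fresh LDAP data either way
        if self.stale(now) or user not in self.users:
            return False
        self.sessions[sid] = (user, self.users[user])
        return True

    def privileges(self, sid, now):
        """Roles an already-authenticated connection may use; None = unavailable."""
        if sid not in self.sessions:
            return None
        if self.stale(now) and not self.keep_authenticated_sessions:
            return None                 # old: LDAP users are unavailable
        return self.sessions[sid][1]    # new: last-known privileges until LDAP returns


def walkthrough(keep_authenticated_sessions):
    """LDAP up at t=0, unreachable by t=50 (30 s interval exceeded), back at t=100."""
    cache = LdapUserCache(30, keep_authenticated_sessions)
    directory = {"alice": ["readWrite"]}      # constructed sample directory data
    cache.refresh(0, directory)
    cache.authenticate("s1", "alice", 5)       # s1 authenticates while LDAP is up
    cache.refresh(50, None)                    # refresh fails; cache is now stale
    during = (cache.privileges("s1", 50), cache.authenticate("s2", "alice", 50))
    directory["alice"] = ["read"]              # privileges changed during the outage
    cache.refresh(100, directory)
    return during, cache.privileges("s1", 100)
```

`walkthrough(True)` shows the new behaviour: the open session keeps `readWrite` during the outage, a new connection cannot authenticate, and the session picks up the reduced `read` role as soon as the refresh succeeds.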

            jason.price@mongodb.com Jason Price
            backlog-server-pm Backlog - Core Eng Program Management Team