  1. Core Server
  2. SERVER-65509

Make LDAP user cache refresher respect ldapUserCacheStalenessInterval


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major - P3
    • Server Security
    • ALL

    Description

      The LDAP background refresher thread refreshes cached LDAP users every ldapUserCacheRefreshInterval seconds. It retains stale users for up to ldapUserCacheStalenessInterval after the last successful refresh before invalidating the cached entries. However, the refresh job currently only checks whether the staleness interval has expired at the end of each failed refresh. As a result, the maximum staleness interval in practice is ldapUserCacheStalenessInterval + ldapUserCacheRefreshInterval. In addition, mongos invalidates its cache every userCacheInvalidationIntervalSecs, meaning that mongos may hold onto cached, unrefreshed LDAP users for up to userCacheInvalidationIntervalSecs + ldapUserCacheStalenessInterval + ldapUserCacheRefreshInterval.

      We should update the background refresh job's frequency to ensure that the configured maximum staleness interval is actually obeyed as configured.
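
      The timing described above, as an added toy model (not MongoDB's code): the function names, the `deadline_aware` variant and the interval values are constructed for illustration. It assumes every refresh attempt after the last success fails instantly and that the staleness check uses `>=`.

```python
"""Toy model of an LDAP user cache refresher (constructed example)."""


def invalidation_time(refresh_interval, staleness_interval,
                      deadline_aware=False, horizon=100_000):
    """Seconds after the last successful refresh at which stale cached
    users are finally invalidated, if every later refresh fails."""
    last_success = 0
    now = last_success
    while now < horizon:
        wake = now + refresh_interval
        if deadline_aware:
            # Hypothetical fix: never sleep past the staleness deadline.
            wake = min(wake, last_success + staleness_interval)
        now = wake
        # The refresh attempt fails here (LDAP unreachable). As in the
        # issue, staleness is only evaluated after a failed refresh.
        if now - last_success >= staleness_interval:
            return now - last_success
    raise RuntimeError("cache never invalidated within horizon")


def worst_overshoot(refresh_interval, staleness_values, deadline_aware=False):
    """Largest amount by which real staleness exceeds the configured one."""
    return max(
        invalidation_time(refresh_interval, s, deadline_aware) - s
        for s in staleness_values
    )


if __name__ == "__main__":
    # Constructed values: refresh every 30 s, allow 100 s of staleness.
    print("current behaviour :", invalidation_time(30, 100))
    print("deadline-aware    :", invalidation_time(30, 100, True))
    print("worst overshoot   :", worst_overshoot(30, range(1, 301)))
```

      With whole-second intervals the overshoot approaches one full refresh interval, which is the extra ldapUserCacheRefreshInterval term in the description. A revoked or disabled LDAP user can stay authorized for that much longer than the operator configured.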


          People

            backlog-server-security Backlog - Security Team
            varun.ravichandran@mongodb.com Varun Ravichandran