[SERVER-47819] Add option to cache LDAP authentication credentials for native LDAP
Created: 28/Apr/20  Updated: 10/Jan/24

Status: Backlog
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Nic Cottrell Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Assigned Teams:
Server Security
Participants:
Case:

 Description   

When configuring LDAP authentication via saslauthd, the local saslauthd daemon can be configured to cache credentials in memory (default 8 hours).

When using native LDAP authentication (which uses libldap) there is currently no caching of authentication. This means that every new connection with $external authentication for LDAP requires a roundtrip to the LDAP server. If an application is not pooling connections correctly, this can create considerable load on the LDAP server.

Let's add a configuration parameter to configure the duration for caching user/passwords for native LDAP.

Note that the parameter ldapUserCacheInvalidationInterval controls caching for LDAP authorization (i.e. group membership) and not password authentication.
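
As an added illustration (not part of the ticket and not MongoDB code), this sketch shows what a time-limited credential cache in front of an LDAP bind trades off: it stores a keyed digest rather than the password, never caches failures, and keeps accepting a rotated password until the entry expires. `BindCache`, `ldap_bind`, the 600-second TTL and the in-memory directory are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time


class BindCache:
    """Remember successful LDAP binds for ttl seconds (constructed sketch)."""

    def __init__(self, ldap_bind, ttl, clock=time.monotonic):
        self._bind = ldap_bind        # hypothetical callable(user, password) -> bool
        self._ttl = ttl
        self._clock = clock
        self._key = os.urandom(32)    # per-process key: digests die with the process
        self._entries = {}            # user -> (keyed digest, expiry time)

    def authenticate(self, user, password):
        digest = hmac.new(self._key, f"{user}\0{password}".encode(),
                          hashlib.sha256).digest()
        entry = self._entries.get(user)
        if entry and self._clock() < entry[1] and hmac.compare_digest(entry[0], digest):
            return True               # hit: no round trip to the directory
        ok = self._bind(user, password)   # miss, expired, or different password
        if ok:                        # failures are never cached
            self._entries[user] = (digest, self._clock() + self._ttl)
        return ok


def demo():
    directory = {"alice": "old-secret"}   # constructed stand-in for the LDAP server
    now = [0.0]                           # fake clock so the TTL can be stepped
    trips = []

    def ldap_bind(user, password):
        trips.append(user)                # count round trips to the directory
        return directory.get(user) == password

    cache = BindCache(ldap_bind, ttl=600, clock=lambda: now[0])
    first = [cache.authenticate("alice", "old-secret") for _ in range(3)]
    trips_after_three = len(trips)        # one bind served three connections
    wrong = cache.authenticate("alice", "guess")         # always goes to the directory
    directory["alice"] = "new-secret"     # password rotated on the LDAP side
    stale = cache.authenticate("alice", "old-secret")    # still accepted from cache
    now[0] = 601.0
    expired = cache.authenticate("alice", "old-secret")  # TTL passed: re-bind fails
    return first, trips_after_three, wrong, stale, expired, len(trips)


if __name__ == "__main__":
    print(demo())
```

The `stale` result is the cost of the feature: the cache duration is also the longest time a changed or revoked password keeps working.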

