[SERVER-52940] Improve ldapUserCacheInvalidationInterval behaviour Created: 19/Nov/20  Updated: 06/Dec/22  Resolved: 05/Oct/21

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Ivan Grigolon Assignee: Backlog - Security Team
Resolution: Won't Fix Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-59148 LDAP Authorization cache refresh Closed
Assigned Teams:
Server Security
Participants:
Case:

 Description   

ldapUserCacheInvalidationInterval clears the cache for all users at the same time.

2020-11-18T16:06:25.608+1100 D1 ACCESS   [LDAPUserCacheInvalidator] Invalidating user cache entries of external users
2020-11-18T16:06:25.608+1100 D2 ACCESS   [LDAPUserCacheInvalidator] Invalidating all users from database $external
...
2020-11-18T16:06:55.608+1100 D1 ACCESS   [LDAPUserCacheInvalidator] Invalidating user cache entries of external users
2020-11-18T16:06:55.609+1100 D2 ACCESS   [LDAPUserCacheInvalidator] Invalidating all users from database $external

Can we improve this to invalidate the authorized-connections after n seconds have passed instead? (where n = ldapUserCacheInvalidationInterval)

If a user was authorized just before the cache was invalidated, this will cause an unnecessary LDAP call shortly after (on top of risking accumulating all these requests at once).
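
The two effects described above (a re-lookup shortly after authorization, and all lookups landing at once), shown as an added simulation that is not part of the ticket and is not MongoDB's code. The policy names, the workload (60 constructed users, each active every second after connecting) and the `simulate` helper are assumptions made for illustration.

```python
def simulate(policy, interval=30, users=60, duration=120):
    """Model a cache of LDAP authorization results, one tick per second.

    policy "global":    every `interval` seconds all entries become stale
                        at once (the behaviour shown in the log above).
    policy "per_entry": an entry becomes stale `interval` seconds after
                        its own lookup (the behaviour the ticket asks for).
    """
    fetched = {}                    # user -> second of that user's last LDAP lookup
    per_second = [0] * duration     # LDAP lookups issued in each second
    min_lifetime = None             # shortest time a cached entry survived

    for t in range(duration):
        last_flush = (t // interval) * interval
        for user in range(users):
            # Constructed workload: user connects at second (user % interval)
            # and then needs a valid authorization entry every second.
            if t < user % interval:
                continue
            at = fetched.get(user)
            if at is not None:
                if policy == "global":
                    fresh = at >= last_flush
                else:
                    fresh = t - at < interval
                if fresh:
                    continue
                lifetime = t - at
                if min_lifetime is None or lifetime < min_lifetime:
                    min_lifetime = lifetime
            fetched[user] = t       # cache miss: one LDAP round trip
            per_second[t] += 1

    return {"peak": max(per_second), "min_lifetime": min_lifetime}


if __name__ == "__main__":
    for policy in ("global", "per_entry"):
        print(policy, simulate(policy))
```

With the global flush, a user who connected one second before the flush is looked up again one second later, and every connected user hits the LDAP server in the same second; with per-entry expiry each entry lives the full interval and the lookups stay spread out.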



 Comments   
Comment by Mark Benvenuto [ 05/Oct/21 ]

We removed the LDAP invalidation behavior in 5.1. It now refreshes the cache.
