[SERVER-65509] Make LDAP user cache refresher respect ldapUserCacheStalenessInterval
Created: 12/Apr/22  Updated: 05/Dec/22

Status: Backlog
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Varun Ravichandran
Assignee: Backlog - Security Team
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams: Server Security
Operating System: ALL
Participants:

Description

The LDAP background refresher thread refreshes cached LDAP users every ldapUserCacheRefreshInterval seconds. It retains stale users for up to ldapUserCacheStalenessInterval after the last successful refresh before invalidating the cached entries. However, the refresh job currently only checks whether the staleness interval has expired at the end of each failed refresh. As a result, the maximum staleness interval in practice is ldapUserCacheStalenessInterval + ldapUserCacheRefreshInterval. In addition, mongos invalidates its cache every userCacheInvalidationIntervalSecs, meaning that mongos may hold onto cached, unrefreshed LDAP users for up to userCacheInvalidationIntervalSecs + ldapUserCacheStalenessInterval + ldapUserCacheRefreshInterval.

We should update the background refresh job's frequency to ensure that the configured maximum staleness interval is actually obeyed as configured.
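The timing gap described above can be reproduced with a small model. This is an added example, not code from the MongoDB server: it assumes refresh attempts are instantaneous, the last successful refresh happened at t=0, and every later attempt fails. The `check_at_deadline` option is a hypothetical scheduling change used only for comparison, and the interval values are constructed.

```python
"""Model of the LDAP user cache refresher timing described in SERVER-65509.

Assumptions (not taken from the server source): time is in whole seconds,
refresh attempts take no time, and the LDAP server is unreachable after t=0.
"""


def invalidation_time(refresh_interval, staleness_interval, check_at_deadline):
    """Return the second at which stale cached users are invalidated.

    check_at_deadline=False: staleness is evaluated only at the end of each
    failed refresh (the behaviour the ticket reports).
    check_at_deadline=True: hypothetical job that also wakes at
    last_success + staleness_interval.
    """
    last_success = 0
    deadline = last_success + staleness_interval
    now = 0
    while True:
        next_refresh = now + refresh_interval
        if check_at_deadline and deadline < next_refresh:
            return deadline  # woke exactly when the entries expired
        now = next_refresh  # the refresh attempt runs and fails
        if now - last_success >= staleness_interval:
            return now  # expiry noticed only after this failed attempt


def worst_overshoot(refresh_interval, staleness_values, check_at_deadline):
    """Largest number of seconds entries outlive the configured staleness."""
    return max(
        invalidation_time(refresh_interval, s, check_at_deadline) - s
        for s in staleness_values
    )


if __name__ == "__main__":
    refresh = 30  # constructed ldapUserCacheRefreshInterval value
    for staleness in (45, 90, 91):  # constructed ldapUserCacheStalenessInterval
        reported = invalidation_time(refresh, staleness, False)
        bounded = invalidation_time(refresh, staleness, True)
        print(f"staleness={staleness}s: invalidated at {reported}s "
              f"(reported behaviour) vs {bounded}s (deadline-aware)")
    print("worst overshoot:", worst_overshoot(refresh, range(1, 181), False), "s")
```

With whole-second intervals the overshoot stays just under one refresh interval, which is why the effective bound is ldapUserCacheStalenessInterval + ldapUserCacheRefreshInterval; on mongos, userCacheInvalidationIntervalSecs is added on top of that.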

