DOCS-14837 LDAP authorization cache refresh #6179

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
7 changes: 7 additions & 0 deletions source/includes/LDAP-interval.rst
@@ -0,0 +1,7 @@
Starting in MongoDB 5.2, the update interval for cached user information
retrieved from an LDAP server depends on
:parameter:`ldapShouldRefreshUserCacheEntries`:

- If true, use :parameter:`ldapUserCacheRefreshInterval`.

- If false, use :parameter:`ldapUserCacheInvalidationInterval`.
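Review bot: the two bullets are phrased as instructions to the reader ("If true, use ...") rather than as a statement of what the server does, which matters because this include is rendered inside three different parameter entries. Suggest "If true, :binary:`~bin.mongod` refreshes cached entries on :parameter:`ldapUserCacheRefreshInterval`." and "If false, :binary:`~bin.mongod` invalidates cached entries on :parameter:`ldapUserCacheInvalidationInterval`." The include also never mentions :parameter:`ldapUserCacheStalenessInterval`, even though the release-notes hunk lists it as one of the three related parameters; a third line pointing to it would make the include a complete summary of the behaviour.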
106 changes: 106 additions & 0 deletions source/reference/parameters.txt
@@ -126,6 +126,12 @@ Authentication Parameters

.. parameter:: ldapUserCacheInvalidationInterval

.. versionchanged:: 5.2

.. note::

.. include:: /includes/LDAP-interval.rst

For use with MongoDB deployments using
:ref:`security-ldap-external`. Available for :binary:`~bin.mongod`
instances only.
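Review bot: the ``.. versionchanged:: 5.2`` directive at the top of this hunk has no body, so the rendered entry will say only "Changed in version 5.2" without telling the reader what changed. Suggest giving it a one-line description, for example "Used only when :parameter:`ldapShouldRefreshUserCacheEntries` is ``false``.", and keeping the ``.. note::`` with the include for the full refresh-versus-invalidate explanation.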
@@ -144,6 +150,82 @@ Authentication Parameters

Defaults to 30 seconds.

.. parameter:: ldapUserCacheRefreshInterval

.. versionadded:: 5.2

|mongod-only|

*Type*: integer

*Default*: 30 seconds

.. note::

.. include:: /includes/LDAP-interval.rst

For MongoDB deployments using :ref:`security-ldap-external`.

The interval in seconds that :binary:`~bin.mongod` waits before
refreshing the cached user information from the LDAP server.

The maximum interval is 86,400 seconds (24 hours).

For example, the following sets
:parameter:`ldapUserCacheRefreshInterval` to ``4000`` seconds:

.. code-block:: bash

mongod --setParameter ldapUserCacheRefreshInterval=4000

Or, if using the :dbcommand:`setParameter` command within
:binary:`~bin.mongosh`:

.. code-block:: javascript

db.adminCommand( { setParameter: 1, ldapUserCacheRefreshInterval: 4000 } )

.. parameter:: ldapUserCacheStalenessInterval

.. versionadded:: 5.2

|mongod-only|

*Type*: integer

*Default*: 90 seconds

For MongoDB deployments using :ref:`security-ldap-external`.

The interval in seconds that :binary:`~bin.mongod` retains the cached
LDAP user information after the last cache refresh.

If more than :parameter:`ldapUserCacheStalenessInterval` seconds
elapse without a successful refresh of the user information from the
LDAP server, then :binary:`~bin.mongod`:

- Invalidates the cached LDAP user information.

- Is unavailable for LDAP users. LDAP users are unable to
authenticate until :binary:`~bin.mongod` contacts the LDAP
server.

The maximum interval is 86,400 seconds (24 hours).

For example, the following sets
:parameter:`ldapUserCacheStalenessInterval` to ``4000`` seconds:

.. code-block:: bash

mongod --setParameter ldapUserCacheStalenessInterval=4000

Or, if using the :dbcommand:`setParameter` command within
:binary:`~bin.mongosh`:

.. code-block:: javascript

db.adminCommand( { setParameter: 1, ldapUserCacheStalenessInterval: 4000 } )

.. parameter:: ldapUseConnectionPool

.. versionadded:: 4.0.9
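Review bot: in the ``ldapUserCacheStalenessInterval`` entry, the second bullet "Is unavailable for LDAP users" is ambiguous (``mongod`` itself stays up; it is authentication of LDAP users that fails), and "until :binary:`~bin.mongod` contacts the LDAP server" should match the condition in the preceding sentence, i.e. "until it successfully refreshes the user information from the LDAP server". The entry should also state the consequence of the retention it describes: until the cached information is invalidated, authorization of LDAP users is based on the data from the last successful refresh, so raising this value lengthens the period during which changes made to a user's LDAP authorization data are not applied while the LDAP server is unreachable. Finally, neither this entry nor the ``ldapUserCacheRefreshInterval`` entry says whether the staleness interval must be larger than the refresh interval, which the 30 and 90 second defaults suggest; if there is such a constraint it belongs next to the 86,400 second maximum.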
@@ -252,6 +334,30 @@ Authentication Parameters
start-up, and cannot change this setting with the
:dbcommand:`setParameter` database command.

.. parameter:: ldapShouldRefreshUserCacheEntries

.. versionadded:: 5.2

|mongod-only|

*Type*: boolean

*Default*: true

For MongoDB deployments using :ref:`security-ldap-external`.

.. include:: /includes/LDAP-interval.rst

You can only set :parameter:`ldapShouldRefreshUserCacheEntries`
during startup in the :setting:`configuration file <setParameter>` or
with the ``--setParameter`` option on the command line. For example,
the following disables
:parameter:`ldapShouldRefreshUserCacheEntries`:

.. code-block:: bash

mongod --setParameter ldapShouldRefreshUserCacheEntries=false

.. parameter:: maxValidateMemoryUsageMB

.. versionadded:: 5.0
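Review bot: this entry drops the include straight into the description, while the ``ldapUserCacheInvalidationInterval`` and ``ldapUserCacheRefreshInterval`` entries wrap the same include in a ``.. note::``; and because the include opens with "Starting in MongoDB 5.2, the update interval ... depends on :parameter:`ldapShouldRefreshUserCacheEntries`", it reads circularly inside that parameter's own entry directly under ``.. versionadded:: 5.2``. Suggest a direct description here, for example "Determines whether :binary:`~bin.mongod` periodically refreshes cached LDAP user information (``true``) or periodically invalidates it (``false``).", followed by the include in a ``.. note::`` for consistency with the other two entries.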
12 changes: 12 additions & 0 deletions source/release-notes/5.2.txt
@@ -68,6 +68,18 @@ Change Streams
General Improvements
--------------------

Configure Refresh Interval for Cached LDAP User Information
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Starting in MongoDB 5.2, you can use the following new server parameters
to configure the refresh interval for cached LDAP user information:

- :parameter:`ldapUserCacheRefreshInterval`
- :parameter:`ldapUserCacheStalenessInterval`
- :parameter:`ldapShouldRefreshUserCacheEntries`

.. include:: /includes/LDAP-interval.rst

Time Series Collection Data Compression
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

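Review bot: "configure the refresh interval for cached LDAP user information" does not cover the list that follows it: ``ldapUserCacheStalenessInterval`` controls how long the cached information is retained after the last refresh, and ``ldapShouldRefreshUserCacheEntries`` is a boolean that selects refreshing versus invalidating, so suggest "configure how cached LDAP user information is refreshed and how long it is retained". The include then names ``ldapUserCacheInvalidationInterval``, which is not new in 5.2; a short clause marking it as the pre-existing parameter would stop readers taking it for a fourth new one.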