NEXUS-13483 re-introduced the LDAP user cache timeout to NXRM 3.
The default authenticated LDAP realm user cache timeout was set to 2 minutes. We have lost the exact context as to why 2 minutes was chosen.
The cache timeout can only be changed by setting an NXRM property inside nexus.properties:
You can use seconds, minutes, hours, or days as units (5s, 7m, 9h, 11d).
NXRM 2 has a default LDAP user cache timeout of 10 minutes (600 seconds).
Support has noticed that we need to tell customers using NXRM 3 about the property, and diagnose for them that it must be increased to avoid the problems they see when it is set too low.
Impacts noticed from having too low a cache timeout:
- Concurrent requests for the same user (builds, especially using tools like docker) arriving all at the same time trigger concurrent outbound LDAP queries looking up a user record. Some work, adding the user into the LDAP user cache, but others fail because their queries have already started and do not re-check the user cache.
- Slow-responding LDAP servers can cause builds to fail due to client retry attempts. The more frequently a user record is purged, the more likely builds using a shared userid will encounter problems.
Increase the default LDAP user cache timeout from 2 minutes to 10 minutes. 10 minutes is suggested because this is what NXRM 2 has had for years. Possibly consider an even higher value given the nature of certain tooling like docker / gradle sending concurrent requests as the same user.
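The first impact above is a cache stampede on expiry. The following added example (not NXRM code) sketches a TTL cache that serialises lookups per user and re-checks the cache before querying, then counts outbound queries for a 2 minute versus a 10 minute timeout. It goes beyond the proposed change by also showing the re-check; `UserCache`, `count_ldap_queries`, the `ci-build` user and the simulated latency are assumptions made for illustration.

```python
import threading
import time

class UserCache:
    """TTL cache of user records with one outbound lookup per user at a time."""
    def __init__(self, lookup, ttl_seconds, clock=time.monotonic):
        self._lookup = lookup        # hypothetical stand-in for the LDAP query
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}           # user id -> (record, expiry time)
        self._locks = {}             # user id -> lock guarding the lookup
        self._guard = threading.Lock()

    def _fresh(self, user_id):
        entry = self._entries.get(user_id)
        return entry[0] if entry and entry[1] > self._clock() else None

    def get(self, user_id):
        record = self._fresh(user_id)
        if record is not None:
            return record
        with self._guard:
            lock = self._locks.setdefault(user_id, threading.Lock())
        with lock:
            # Re-check: a concurrent request may have filled the cache meanwhile.
            record = self._fresh(user_id)
            if record is None:
                record = self._lookup(user_id)
                self._entries[user_id] = (record, self._clock() + self._ttl)
            return record

def count_ldap_queries(ttl_seconds, burst=8, minutes=30):
    """Bursts of same-user requests once a minute; returns outbound query count."""
    now = [0.0]                      # constructed clock, advanced by hand
    queries = []
    def slow_ldap(user_id):
        queries.append(user_id)
        time.sleep(0.02)             # constructed latency of a slow directory
        return {"uid": user_id}
    cache = UserCache(slow_ldap, ttl_seconds, clock=lambda: now[0])
    for minute in range(minutes):
        now[0] = minute * 60.0
        threads = [threading.Thread(target=cache.get, args=("ci-build",))
                   for _ in range(burst)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    return len(queries)
```

Calling `count_ldap_queries(120)` and `count_ldap_queries(600)` compares the two timeouts over the same simulated 30 minute build window.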