  1. Dev - Nexus Repo
  2. NEXUS-23626

increase default LDAP authenticated user cache timeout from 2 minutes to 10 minutes

    Details

    • Release Note:
      Yes
    • Notability:
      n/a

      Description

      NEXUS-13483 re-introduced LDAP user cache timeout to NXRM 3.

      The default authenticated LDAP realm user cache timeout was set to 2 minutes. We have lost the exact context as to why 2 minutes was chosen.

      The cache timeout can only be changed by setting an NXRM property inside nexus.properties:

      Example setting the LDAP user cache timeout to 30 minutes
      nexus.ldap.cache.user.timeToLive=30m
      

      You can use seconds, minutes, hours, or days as units (5s, 7m, 9h, 11d).

      NXRM 2 has a default LDAP user cache timeout of 10 minutes ( 600 seconds ).

      Support has noticed that we need to tell customers using NXRM 3 about the property, and diagnose for them that it must be increased to avoid the problems they see when it is set too low.

      Impacts noticed from having a too low cache timeout:

      • Concurrent requests for the same user (builds, especially using tools like docker) arriving all at the same time trigger concurrent outbound LDAP queries looking up a user record. Some succeed and add the user to the LDAP user cache, but others fail because their queries have already started and they do not re-check the user cache.
      • Slow-responding LDAP servers can cause builds to fail due to client retry attempts. The more frequently a user record is purged, the more likely builds using a shared userid will encounter problems.

      Expected

      Increase the default LDAP user cache timeout from 2 minutes to 10 minutes. 10 minutes is suggested because this is what NXRM 2 has had for years. Possibly consider an even higher value given the nature of certain tooling like docker / gradle sending concurrent requests as the same user.
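
The check below is an added example, not code from the issue or from the Nexus code base: it reads the text of a nexus.properties file, resolves the effective LDAP user cache timeout, and flags anything under the 10 minutes proposed above. It assumes only the `5s` / `7m` / `9h` / `11d` forms listed in the description are valid and that the unset default is the 2 minutes described here; the function names and sample files are hypothetical.

```python
import re

# Key and unit forms are taken from the issue text; everything else is an assumption.
KEY = "nexus.ldap.cache.user.timeToLive"
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
DEFAULT_SECONDS = 2 * 60        # NXRM 3 default described in the issue
RECOMMENDED_SECONDS = 10 * 60   # NXRM 2 default, the value the issue proposes


def parse_duration(value):
    """Convert '30m', '5s', '9h' or '11d' to seconds; reject anything else."""
    match = re.fullmatch(r"(\d+)([smhd])", value.strip())
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def configured_ttl(properties_text):
    """Return the TTL in seconds set in nexus.properties text, or None if unset."""
    ttl = None
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or commented-out setting
        key, sep, value = line.partition("=")
        if sep and key.strip() == KEY:
            ttl = parse_duration(value)  # a later duplicate overrides an earlier one
    return ttl


def audit(properties_text):
    """Return (effective_seconds, 'source:status') for the LDAP user cache TTL."""
    ttl = configured_ttl(properties_text)
    effective = DEFAULT_SECONDS if ttl is None else ttl
    status = "too-low" if effective < RECOMMENDED_SECONDS else "ok"
    source = "default" if ttl is None else "configured"
    return effective, f"{source}:{status}"


# Constructed sample files, not taken from a real installation.
SAMPLE_UNSET = "# nexus.properties\napplication-port=8081\n"
SAMPLE_SET = "application-port=8081\nnexus.ldap.cache.user.timeToLive=30m\n"

if __name__ == "__main__":
    for name, text in (("unset", SAMPLE_UNSET), ("set", SAMPLE_SET)):
        print(name, audit(text))
```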

              People

              Assignee:
              mkalachov Maksym Kalachov [X] (Inactive)
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Michael Prescott
              Team:
              NXRM - Rocket Raccoon
              Votes:
              0
              Watchers:
              6
