User Cache Lookup Improvements
CTE has added a feature to improve the performance of the user cache lookup function, which contains information such as username and group name(s), plus timestamps and other supporting flags. It is mainly used during LDAP authentication. This feature improves lookup performance by allowing user-configurable values for lookup retries and user information refresh times. Performance can be impacted if authentication/ user lookups and timeout/ retries take a significant amount of time. Previously, these values were hard-coded. Now they are user-configurable.
The configuration options for this feature contain three new configuration parameters:
Initial cache miss
Initial check of access when no user information cache entry exists.
- Default value: 60 seconds
- Default minimum: 2 seconds
- Default maximum: 3600 seconds (1 hour)
To set this value, type:
voradmin secfs config usrinf_miss_timeout <seconds>
Cache expiration timeout
Used when user information cache entry has not been used for the duration needed to trigger a refresh.
- Default value: 300 seconds (5 minutes)
- Default minimum: 60 seconds
- Default maximum: 86400 seconds (1 day)
To set this value, type:
voradmin secfs config usrinf_expiry_timeout <seconds>
Cache stale timeout
When a cache entry has not been updated for the duration of the timeout, the entry will be considered inactive and removed.
- Default value: 300 seconds (5 minutes)
- Default minimum: 60 seconds
- Default maximum: 86400 seconds (1 day)
To set this value, type:
voradmin secfs config usrinf_stale_timeout <seconds>
Usage
CTE uses the default values initially. If network errors occur and LDAP failure is observed (in system logs, look for timeout errors), then you have two options:
-
If the network errors can be corrected in a short time, then the timeout values can remain unchanged.
-
If not, set the expiration and stale timeout to large values. Then, reduce the initial timeout incrementally until the problem resolves.
Note
CTE must be restarted when a new timeout value is set, in order for the value to take effect.
Keep the new value until the problem is resolved. Then, once the network problems have been fixed, reset the timeout values back to the initial values.