SOLVED

LDAP Sync and optimization parameters

Former Community Member

Hi,

We are doing some testing and it looks like anything user-related done within the JCR is syncing with LDAP on every request or so.

Our ldap_login.conf file is as below:

com.day.crx {
    com.day.crx.core.CRXLoginModule sufficient
        tokenExpiration="9999999"
        disableNTLMAuth="true";

    com.day.crx.security.ldap.LDAPLoginModule required
        principal_provider.class="com.day.crx.security.ldap.principals.LDAPPrincipalProvider"
        disableNTLMAuth="true"

and we are using cookie-based SSO authentication. Based on the above conf file, I assumed that CQ will only sync with LDAP if the user isn't found in its cache; otherwise, it will use the CRXLoginModule to sync. How exactly is the cache maintained? If a new user logs into the app and the maximum number of users are already cached, will it replace one of the users?

1) Should we get rid of NTLM auth param?

We are looking at the optimization parameters as well

2) cacheMaxSize is by default set to 1000 what? 1000 byte/KB?

3) cache.expiration: The interval, in seconds, for which a principal is cached

Does this mean that even if the cache is full, the user won't be dumped out of the cache until the expiration time for the user is reached and other users are using the system?

LDAP is a very central process of our app and we are using it on publishers.

3 Replies

Correct answer by
Level 10

There is no limitation as such. N number of users can log in & no one will be dumped out. When the cache is filled, AEM reaches out to LDAP for authentication instead of checking in the cache.

It is size & not bytes, that is, 1000 principals.

http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/ldap_authentication.html

Former Community Member

Sham HC wrote...

There is no limitation as such. N number of users can log in & no one will be dumped out. When the cache is filled, AEM reaches out to LDAP for authentication instead of checking in the cache.

It is size & not bytes, that is, 1000 principals.

http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/ldap_authentication.html

Hi Sham,

Thanks for your reply. There are two similar attributes.

     
cache.maxsize: The number of principals that CRX caches. The default is 1000.

cacheMaxSize: The maximum size of the cache in total. The default is 1000. Can be set to the number of users for best efficiency.

I was talking about the latter. As you are saying that when the cache is filled up AEM reaches LDAP for authentication, will it do it for every user, or will users in the cache be served out of the cache?

Level 10

Refer to [1] for accurate information. cacheMaxSize is for the principal cache, whereas cache.maxsize is for the credentials cache.

Users in the cache will be served from the cache until they expire.

[1]  http://docs.adobe.com/docs/en/cq/current/core/administering/ldap_authentication.html