The MLDAP ESM Module's LDAP search-result caching feature is enabled by setting positive values for the Cache Limit and Cache TTL configuration parameters in the Security Manager definition.
Note: The Micro Focus sample security manager definitions, and those newly created using the administration user interfaces, typically have positive settings for the cache parameters. This means caching will be enabled in many existing configurations, and will be enabled by default in new ones. Set the cache limit and/or cache TTL to 0 to disable caching.
Each MLDAP ESM Module cache is private to that Security Manager and process. Caches are only shared between threads running
in a single process.
How the cache is used
The MLDAP ESM Module makes use of the LDAP cache while processing two types of ESF requests: Verify (authenticate a user)
and Auth (authorize access to a resource). Other requests, such as ESF Admin, bypass the cache. Also, certain special search
operations do not use the cache; these include the ones used to query the LDAP schema, check whether an optional resource
class is defined, or check whether a session with the LDAP server is still valid.
LDAP search results which may be cached include information about user, group, and resource access control rule objects. Search results are stored in cache entries along with related metadata such as the time the entry was created, when it was last used, and how often it has been used. Each entry has a key which includes all of the relevant data for the LDAP search, to ensure that a cached result is returned only for an identical search request.
Cache eviction
It is useful to understand when and why entries are evicted (removed) from the cache. There are four causes of eviction:
- Expiration: An entry reaches the end of its lifetime, the period specified by the Cache TTL (Time To Live) in the Security Manager configuration.
- Early eviction: When the MLDAP ESM Module has a new search result to cache and there is not enough room remaining in the cache (after evicting expired entries), it may remove the least-recently used entry to make room. This is also known as LRU eviction. The least-recently used entry is the one that has gone the longest time without being returned from the cache; the principle behind LRU eviction is that an entry which is used infrequently is not very valuable.
- Staleness: Sometimes the MLDAP ESM Module itself modifies an object in the LDAP repository. Because such a modification means any cached information about that object is now out of date, or "stale", the module marks the corresponding cache entry as stale. For example, when a Verify request includes a (successful) password change, the search result for that user becomes stale. Stale entries are not returned from the cache and are evicted when they are no longer in use.
- Flushing: The ESF Update feature is used to notify ESF that security data has been updated. When an Update request is processed
by the MLDAP ESM Module, it will flush the cache, evicting all the entries in it.
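The following is an added, hypothetical Python model of the cache behaviour described above (the all-parameters search key, TTL expiration, LRU early eviction, stale marking and flushing); it is not code from the MLDAP ESM Module, and the class, method names and the injectable clock are assumptions made for illustration. It simplifies one point: stale entries are dropped at the next sweep rather than when they stop being in use.

```python
from collections import OrderedDict

class LdapSearchCache:
    """Hypothetical model of an ESM-style search cache (not the MLDAP ESM Module)."""
    def __init__(self, limit, ttl, clock):
        self.limit, self.ttl, self.clock = limit, ttl, clock   # clock() returns seconds
        self.entries = OrderedDict()   # least recently used first
        self.hits = self.misses = 0
    def enabled(self):
        return self.limit > 0 and self.ttl > 0   # 0 for either disables caching
    @staticmethod
    def key(base, scope, filt, attrs):
        # Every search parameter is in the key, so only an identical search hits
        return (base, scope, filt, tuple(sorted(attrs)))
    def _sweep(self):
        # Expiration: drop entries past the TTL. Stale entries go too (simplified:
        # the real module keeps a stale entry until it is no longer in use).
        now = self.clock()
        for k in [k for k, e in self.entries.items()
                  if now - e["created"] >= self.ttl or e["stale"]]:
            del self.entries[k]
    def get(self, key):
        if not self.enabled():
            return None
        self._sweep()
        e = self.entries.get(key)
        if e is None:
            self.misses += 1
            return None
        e["last_used"], e["uses"] = self.clock(), e["uses"] + 1
        self.entries.move_to_end(key)  # now the most recently used entry
        self.hits += 1
        return e["result"]
    def put(self, key, result):
        if not self.enabled():
            return
        self._sweep()
        self.entries.pop(key, None)    # re-insert below so it lands at the MRU end
        if len(self.entries) >= self.limit:
            self.entries.popitem(last=False)   # early (LRU) eviction
        now = self.clock()
        self.entries[key] = {"result": result, "created": now,
                             "last_used": now, "uses": 0, "stale": False}
    def mark_stale(self, key):   # staleness, e.g. after a successful password change
        if key in self.entries:
            self.entries[key]["stale"] = True
    def flush(self):             # flushing: an ESF Update request evicts everything
        self.entries.clear()
    def stats(self):             # shutdown-style summary (cf. the module's message 1095)
        return {"hits": self.hits, "misses": self.misses, "entries": len(self.entries)}
```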
Cache information
When a process terminates ESF (usually while shutting down), the MLDAP ESM Module will log message 1095 with information
about the performance of the cache.
There is also an optional cache tracing configuration setting. This will produce extensive information about cache activity, so it should be used with care. See MLDAP ESM Module Custom Configuration Information.