> Does Artemis cache both successful and unsuccessful logon attempts?

Yes. Otherwise, for example, a malicious client with bad credentials could
flood the back-end LDAP server.

> Should we have a relatively long timeout to avoid overloading LDAP servers
or a small timeout to avoid caching user logon failures?

Your timeout really depends on your use-case.

The main reason caching a failure would be problematic is if the LDAP
server is updated after the user's login attempt failed and was cached. For
example, suppose a user didn't yet exist in LDAP, someone attempted to use
those credentials to log in to the broker (and failed), and then immediately
after the failure an administrator created the user in LDAP. In that case
the failure would be cached and would remain in the cache until it timed
out (or was cleared administratively), preventing the user from logging in.

> How does security-invalidation-timeout work?

An entry will stay in the cache for the time specified by
security-invalidation-timeout. Once the timeout elapses for that entry it
will be evicted from the cache.

> If a user gets an authentication failure, for example, the user was locked
out or a misconfigured LDAP server returned a negative result, should it
cause subsequent logon failures for the security-invalidation-timeout period
after the user has been unlocked or the LDAP server has returned to normal
operation?

Yes. However, it is possible to ignore certain failures so that they are
_not_ cached. See the "noCacheExceptions" setting documented here [1].


Justin

[1]
https://activemq.apache.org/components/artemis/documentation/latest/security.html#ldaploginmodule

On Fri, Feb 16, 2024 at 3:15 AM MILOVIDOV Aleksandr
<aleksandr.milovi...@raiffeisen.ru.invalid> wrote:

> Hi Team,
>
> I would like to clarify the meaning of parameters used for authentication
> and authorization in ActiveMQ Artemis:
>
> authentication-cache-size
> security-invalidation-timeout
>
> Does Artemis cache both successful and unsuccessful logon attempts? Should
> we have a relatively long timeout to avoid overloading LDAP servers or a
> small timeout to avoid caching user logon failures?
> How does security-invalidation-timeout work? If a user gets an
> authentication failure, for example, the user was locked out or a
> misconfigured LDAP server returned a negative result, should it cause
> subsequent logon failures for the security-invalidation-timeout period after
> the user has been unlocked or the LDAP server has returned to normal
> operation?
>
> --
> Best regards,
> Aleksandr
>
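To see the trade-off discussed in this thread in runnable form, here is an added Python model (not code from Artemis or from either poster): a cache that keeps both successful and failed outcomes until an invalidation timeout elapses, plus a noCacheExceptions-style exclusion list so that a transient LDAP outage is never cached. FakeLdap, AuthCache, the scenario functions and the constructed users and clock are assumptions made for the demonstration; the broker's real cache is only approximated.

```python
class LdapUnavailable(Exception): """Transient failure: the directory could not be reached."""
class BadCredentials(Exception): """Bind rejected: unknown user or wrong password."""
class FakeLdap:
    """Constructed stand-in for the back-end directory (no network involved)."""
    def __init__(self):
        self.users, self.down, self.binds = {}, False, 0
    def bind(self, user, password):
        self.binds += 1                                  # one round-trip to LDAP
        if self.down:
            raise LdapUnavailable("directory unreachable")
        if self.users.get(user) != password:
            raise BadCredentials(user)

class AuthCache:
    """Caches every outcome, success or failure, for `timeout` seconds,
    except failures whose type is listed in `no_cache` (cf. noCacheExceptions)."""
    def __init__(self, ldap, timeout, clock, no_cache=()):
        self.ldap, self.timeout, self.clock = ldap, timeout, clock
        self.no_cache, self.entries = tuple(no_cache), {}   # (user, pw) -> (expires_at, exc|None)
    def authenticate(self, user, password):
        key, now = (user, password), self.clock()
        hit = self.entries.get(key)
        if hit is None or hit[0] <= now:                 # miss or evicted entry: ask LDAP
            try:
                self.ldap.bind(user, password)
                outcome = None
            except (BadCredentials, LdapUnavailable) as exc:
                if isinstance(exc, self.no_cache):
                    return False                         # not cached: next try asks LDAP again
                outcome = exc
            hit = self.entries[key] = (now + self.timeout, outcome)
        return hit[1] is None                            # a cached failure is replayed

def stale_failure_window(timeout=10.0):
    """The race from the thread: the user is created right after a failure was cached."""
    t, ldap = [0.0], FakeLdap()
    cache = AuthCache(ldap, timeout, clock=lambda: t[0])
    first = cache.authenticate("alice", "s3cret")        # user absent -> failure cached
    ldap.users["alice"] = "s3cret"                       # admin creates the user
    while_cached = cache.authenticate("alice", "s3cret") # still rejected, no LDAP call made
    t[0] += timeout                                      # entry evicted once the timeout elapses
    return first, while_cached, cache.authenticate("alice", "s3cret"), ldap.binds

def outage_not_cached(timeout=10.0):
    """LdapUnavailable excluded from caching: recovery is immediate, but every retry hits LDAP."""
    ldap = FakeLdap(); ldap.users["bob"] = "pw"; ldap.down = True
    cache = AuthCache(ldap, timeout, clock=lambda: 0.0, no_cache=(LdapUnavailable,))
    during = [cache.authenticate("bob", "pw") for _ in range(3)]
    ldap.down = False
    return during, cache.authenticate("bob", "pw"), ldap.binds
```

The second scenario also shows the cost of excluding an exception type: each attempt during the outage reaches the directory, which is the load the cache otherwise absorbs.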