Hi Justin,

Thanks!
I configured LDAP authentication several months ago and forgot about the 
noCacheExceptions option.
I will try to add exceptions and check how it works.


--
Best regards,
Aleksandr

-----Original Message-----
From: Justin Bertram <jbert...@apache.org>
Sent: Friday, February 16, 2024 6:00 PM
To: users@activemq.apache.org
Subject: Re: Authentication cache in Artemis

> Does Artemis cache both successful and unsuccessful logon attempts?

Yes. Otherwise, for example, a malicious client with bad credentials could 
flood the back-end LDAP server.

> Should we have a relatively long timeout to avoid overloading LDAP servers 
> or a small timeout to avoid caching user logon failures?

Your timeout really depends on your use-case.

The main reason caching a failure would be problematic is if the LDAP server is 
updated after the user's login attempt failed and was cached. For example, if a 
user didn't yet exist in LDAP and someone attempted to use those credentials to 
log in to the broker (and failed) and then immediately after the failure an 
administrator created the user in LDAP. In that case that failure would be 
cached and would remain in the cache until it timed out (or was cleared 
administratively) preventing the user from logging in.

> How does security-invalidation-timeout work?

An entry will stay in the cache for the time specified by 
security-invalidation-timeout. Once the timeout elapses for that entry it will 
be evicted from the cache.

> If a user gets an authentication failure, for example, the user was locked out, 
> or a misconfigured LDAP server returned a negative result, should it cause 
> subsequent logon failures for the security-invalidation-timeout period after 
> the user has been unlocked or the LDAP server has returned to normal operation?

Yes. However, it is possible to ignore certain failures so that they are _not_ 
cached. See the "noCacheExceptions" setting documented here [1].


Justin

[1] https://activemq.apache.org/components/artemis/documentation/latest/security.html#ldaploginmodule

On Fri, Feb 16, 2024 at 3:15 AM MILOVIDOV Aleksandr 
<aleksandr.milovi...@raiffeisen.ru.invalid> wrote:

> Hi Team,
>
> I would like to clarify the meaning of parameters used for
> authentication and authorization in ActiveMQ Artemis:
>
> authentication-cache-size
> security-invalidation-timeout
>
> Does Artemis cache both successful and unsuccessful logon attempts?
> Should we have a relatively long timeout to avoid overloading LDAP
> servers or a small timeout to avoid caching user logon failures?
> How does security-invalidation-timeout work? If a user gets an
> authentication failure, for example, the user was locked out, or a
> misconfigured LDAP server returned a negative result, should it cause
> subsequent logon failures for the security-invalidation-timeout period
> after the user has been unlocked or the LDAP server has returned to 
> normal operation?
>
> --
> Best regards,
> Aleksandr
>
>
> -----------------------------------
>
> This message and any attachment are confidential and may be privileged
> or otherwise protected from disclosure. If you are not the intended
> recipient any use, distribution, copying or disclosure is strictly
> prohibited. If you have received this message in error, please notify
> the sender immediately either by telephone or by e-mail and delete
> this message and any attachment from your system. Correspondence via
> e-mail is for information purposes only. AO Raiffeisenbank neither
> makes nor accepts legally binding statements by e-mail unless otherwise 
> agreed.
>
> -----------------------------------
>
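The configuration the replies above refer to, as an added example that is not part of the thread and not the Artemis project's own sample: a JAAS login.config for the broker's LDAPLoginModule with the noCacheExceptions option set. The LDAP host, bind DN, password and base DNs are placeholders. The two exception class names are an assumption about what a down or unreachable LDAP server throws through JNDI in a typical deployment; take the real ones from the stack trace in the broker log rather than from this list.

```text
// Hypothetical login.config for an Artemis broker (placeholder values).
activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
      debug=false
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      connectionURL="ldaps://ldap.example.com:636"
      connectionUsername="cn=artemis-bind,ou=services,dc=example,dc=com"
      connectionPassword=changeit
      authentication=simple
      userBase="ou=people,dc=example,dc=com"
      userSearchMatching="(uid={0})"
      userSearchSubtree=true
      roleBase="ou=groups,dc=example,dc=com"
      roleName=cn
      roleSearchMatching="(member={0})"
      roleSearchSubtree=true
      // Assumed list: JNDI exceptions seen when the LDAP server is down or
      // unreachable. A login attempt that fails with one of these is not
      // stored in the authentication cache, so the user is not locked out of
      // the broker for the whole invalidation period once LDAP is healthy
      // again. An ordinary wrong-password failure is still cached, which is
      // what keeps a client with bad credentials from hammering LDAP.
      noCacheExceptions="javax.naming.CommunicationException,javax.naming.ServiceUnavailableException"
      ;
};
```

The cache itself is sized and expired in broker.xml, not in login.config: authentication-cache-size bounds the number of cached results and security-invalidation-interval (in milliseconds; the thread calls it security-invalidation-timeout) is how long an entry lives. Any failure not exempted by noCacheExceptions stays for that full interval, so the interval should be no longer than the delay you can accept between an administrator unlocking or creating a user in LDAP and that user being able to log in to the broker.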