ldap cache disabled by default

[t1]

We are developing several services based on Quarkus, but as our IAM infrastructure is currently mainly based on LDAP, we cannot yet use OIDC, etc. I understand that LDAP support is not en vogue anymore, so support is minimalistic, e.g. there is no dev service. That's okay for us.

We experienced some performance and reliability issues, and when we compared the times that the access log and our application logs reported, there was a difference of ~150ms. It took us quite a while to understand that LDAP was the cause. Every request was validated with the LDAP server, which is an extra roundtrip and sometimes caused errors, as the default for quarkus.security.ldap.cache.enabled is false. As Quarkus normally has the most common and useful settings as a default, this came to a complete surprise to us. Isn't this the normal behavior for any LDAP client authentication? Could this be changed in a future release. I suppose everybody using LDAP in Quarkus has set it to true. And if not: This should be clearly stated in the Guide, don't you think?

[gsmet]

/cc @sberyozkin @michalvavrik

I really don't know. Adding the cache could be seen as a specific tuning and something you should be aware of - because then you introduce a delay between your LDAP changes and when they are taken into account.
And also you need to configure the cache to something that is acceptable for you.

Now, adding something to the documentation is always welcome and if you can find a good place for a section about it (it could be a NOTE/TIP), feel free to open a pull request.

[michalvavrik]

I think Guillaume arguments are good. I think making sensible defaults is good, but when it comes to security you need to know that your authorization may not be up to date and you should configure expiration accordingly. Judging by this https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html-single/securing_applications_and_management_interfaces_using_multiple_identity_stores/index#con_caching-realm-in-elytron_default :

• some features are not supported for the caching realm like Active Directory
• ldap realm supports listening to changes in the LDAP server, but attributes like roles are not cleared and we do map roles attributes to SecurityIdentity and we don't support clearing the caching realm cache

I'd prefer to improve documentation, I can see that PR which introduced caching didn't document this 4dc83f9#diff-536222a00f1e17a090ff0327620053fa1db46827f4491350fa42809c80243a67, so I made mistake as a reviewer. Would you like to contribute to documentation, please @t1 ?

As for dev services and general attention to LDAP, we usually work on what we see users use and I hardly ever read some issues or questions opened about it, so we just put work when users need it. You could contribute if you would like to improve LDAP support.

[sberyozkin]

Improving docs makes sense