cache for LDAP look-ups on token requests to ArcGIS Server

01-09-2014 11:03 AM
Status: Open
New Contributor III
Every request to ArcGIS Server for a secured map service results in a query to LDAP. This is causing millions of lookup queries to go to our LDAP and periodically crashing it. 

We have several web and mobile applications that all use 3 different tokens, and this accounts for about 90% of our map service traffic. Very few requests come in from individual user accounts. ArcGIS Server reads the token, figures out which user it is for, and sends a query to LDAP to see what roles the user has. It is asking LDAP the same question for the same user multiple times per second. 

Suggestion: Make a setting for how long to store LDAP lookups in a cache and perhaps another setting for how many LDAP queries to hold in the cache. 

We add and remove users from time to time, so a cache solution shouldn't require us to restart ArcGIS Server. We rarely change the roles a user has, so that could be cached for a longer time. If I could make ArcGIS Server cache the role lookup for even just 10 minutes, I estimate that would eliminate the need for 99.92% (I did the math) of our LDAP lookups. 

I was told by tech support (incident 122519) that this may be possible in a web tier auth, but he also said this was something we'd have to figure out on our own and that it is not supported.
Side note: this would also help in the use case where your LDAP server is not on your local network. It is slower, but possible, to connect to an LDAP running elsewhere (e.g.: a cloud app authenticating back to the mothership LDAP running in the corporate office). The first connection would be slower, since it is over the Internet instead of the LAN, but then things would speed up.

Setting the value of this parameter to zero should disable this behaviour.
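The cache the post asks for, as an added example that is not part of the original post and not ArcGIS Server code: a bounded, time-limited cache in front of a role lookup, where a TTL of zero disables caching and an explicit invalidate call lets an administrator remove or re-role a user without a restart. The user names, role names, the `DIRECTORY` table and the `simulate` workload are all constructed here for illustration; the workload (three service tokens, each looked up twice a second for an hour, 10-minute TTL) is one load that reproduces the poster's 99.92% figure, not a measurement from their deployment.

```python
import time
from collections import OrderedDict
from typing import Callable, Dict, FrozenSet, Tuple

# Constructed stand-in for the LDAP directory: which roles each user holds.
# These user and role names are hypothetical, not from the original post.
DIRECTORY: Dict[str, FrozenSet[str]] = {
    "svc_webapp": frozenset({"viewer"}),
    "svc_mobile": frozenset({"viewer", "editor"}),
    "svc_dashboard": frozenset({"viewer"}),
    "jdoe": frozenset({"admin"}),
}


def ldap_lookup(user: str) -> FrozenSet[str]:
    """Stand-in for the real LDAP query. Unknown users raise, and that
    failure is deliberately never cached (see RoleCache.roles_for)."""
    if user not in DIRECTORY:
        raise LookupError(f"no such user: {user}")
    return DIRECTORY[user]


class RoleCache:
    """Bounded TTL cache for per-user role lookups.

    ttl_seconds == 0 disables caching: every call goes to the directory.
    max_entries bounds memory; the least recently used entry is evicted.
    The clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, lookup: Callable[[str], FrozenSet[str]], ttl_seconds: float,
                 max_entries: int, clock: Callable[[], float] = time.monotonic) -> None:
        self._lookup = lookup
        self._ttl = ttl_seconds
        self._max = max_entries
        self._clock = clock
        self._entries: "OrderedDict[str, Tuple[float, FrozenSet[str]]]" = OrderedDict()
        self.ldap_queries = 0  # how many times we actually went to the directory

    def roles_for(self, user: str) -> FrozenSet[str]:
        now = self._clock()
        if self._ttl > 0:
            hit = self._entries.get(user)
            if hit is not None:
                expires_at, roles = hit
                if now < expires_at:
                    self._entries.move_to_end(user)  # mark as recently used
                    return roles
                del self._entries[user]  # expired: fall through to a fresh lookup
        # Miss, expired, or caching disabled: ask the directory. A LookupError
        # propagates and nothing is stored, so failures are not cached.
        self.ldap_queries += 1
        roles = self._lookup(user)
        if self._ttl > 0:
            self._entries[user] = (now + self._ttl, roles)
            self._entries.move_to_end(user)
            while len(self._entries) > self._max:
                self._entries.popitem(last=False)  # evict least recently used
        return roles

    def invalidate(self, user: str) -> None:
        """Drop one user's entry so a removed or re-roled account takes effect
        immediately instead of at TTL expiry; no server restart needed."""
        self._entries.pop(user, None)


def simulate(requests_per_second: int, seconds: int, ttl_seconds: float,
             users: Tuple[str, ...] = ("svc_webapp", "svc_mobile", "svc_dashboard")) -> Tuple[int, int]:
    """Replay a constructed token workload against the cache with a fake clock.
    Returns (total requests, directory queries actually issued)."""
    fake_now = [0.0]
    cache = RoleCache(ldap_lookup, ttl_seconds, max_entries=1000, clock=lambda: fake_now[0])
    total = 0
    for second in range(seconds):
        fake_now[0] = float(second)
        for _ in range(requests_per_second):
            for user in users:
                cache.roles_for(user)
                total += 1
    return total, cache.ldap_queries


if __name__ == "__main__":
    for ttl in (600, 0):
        total, queries = simulate(requests_per_second=2, seconds=3600, ttl_seconds=ttl)
        print(f"ttl={ttl:>3}s  requests={total}  ldap_queries={queries}  "
              f"reduction={100 * (1 - queries / total):.2f}%")
```

Two design points worth keeping if you build something like this in front of a real directory: failed lookups are not cached, so a deleted account does not linger as a "known" user, but a user whose roles were cached before deletion keeps them until the TTL runs out unless `invalidate` is called from whatever path removes users; and the cache holds role sets only, never credentials or tokens, so a memory dump of the cache reveals group membership but nothing that authenticates anyone.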