From 15083d0a5a359a31d3a9a312df20199469d55833 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 09:52:04 +0530 Subject: [PATCH 01/31] LDAP_parameters_PSMDB --- docs/ldap-parameters.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 2fac8e064..c291613ec 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
@@ -33,3 +33,17 @@ The cache is automatically invalidated when any of the following parameters chan | `ldapQueryUser` | optional | Distinguished Name (DN) of the user used to perform LDAP queries. | | `ldapQueryPassword` | optional | Password for the query user. | +## Connection pool management parameters + +These parameters control how MongoDB maintains its pool of connections to the LDAP server. + + +| Parameter | Required | Description | +| ------------------------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------- | +| `ldapUseConnectionPool` | No | Enables/disables connection pooling. Default is OS dependent: `true` on Windows and specific Linux builds using `libldap_r`. | +| `ldapConnectionPoolHostRefreshIntervalMillis` | No | Frequency (in ms) of health checks for pooled connections. Default: `60000`. *(This parameter can be applied only when PSMDB starts.)* | +| `ldapConnectionPoolIdleHostTimeoutSecs` | No | Seconds a pooled connection can remain idle before being closed. Default: `300`. *(This parameter can be applied only when PSMDB starts.)* | +| `ldapConnectionPoolMinimumConnectionsPerHost` | No | Minimum number of connections to maintain per LDAP host. Default: `1`. *(This parameter can be applied only when PSMDB starts.)* | +| `ldapConnectionPoolMaximumConnectionsPerHost` | No | Maximum number of open connections per LDAP host. Default: `2147483647`. *(This parameter can be applied only when PSMDB starts.)* | +| `ldapConnectionPoolMaximumConnectionsInProgressPerHost` | No | Limits concurrent “in-progress” connection attempts per host to prevent spikes. Default: `2`. *(This parameter can be applied only when PSMDB starts.)* | +| `ldapConnectionPoolUseLatencyForHostPriority` | No | When `true`, the pool prioritizes connections to hosts with the lowest latency. Default: `TRUE`. *(This parameter can be applied only when PSMDB starts.)* | 
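Review bot: in the last row of the new table, `ldapConnectionPoolUseLatencyForHostPriority` is described as taking `true` but its default is written `TRUE`; use the same lowercase literal throughout the table. The `ldapUseConnectionPool` row names only the platforms where the default is `true` ("`true` on Windows and specific Linux builds using `libldap_r`") and leaves the reader to infer the default everywhere else, so state it explicitly. Also, the `ldapConnectionPoolMaximumConnectionsPerHost` default of `2147483647` is effectively no limit; say so in the description so operators understand that bounding the number of connections opened against the LDAP server is their decision, not something the default provides. The per-row "(This parameter can be applied only when PSMDB starts.)" text is repeated six times and reads better as one note above the table.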
From 37b19ff384af6aa1a17b7b159238dc219b75feb4 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 10:01:46 +0530 Subject: [PATCH 02/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index c291613ec..366d9cdd9 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
@@ -38,12 +38,17 @@ The cache is automatically invalidated when any of the following parameters chan These parameters control how MongoDB maintains its pool of connections to the LDAP server. +!!! info "Important" + All Connection Pool parameters except `ldapUseConnectionPool` can be set at **startup only**. They must be defined in the configuration file or via `--setParameter` at launch and cannot be changed via `db.adminCommand()` while the instance is running. + + | Parameter | Required | Description | | ------------------------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------- | | `ldapUseConnectionPool` | No | Enables/disables connection pooling. Default is OS dependent: `true` on Windows and specific Linux builds using `libldap_r`. | -| `ldapConnectionPoolHostRefreshIntervalMillis` | No | Frequency (in ms) of health checks for pooled connections. Default: `60000`. *(This parameter can be applied only when PSMDB starts.)* | -| `ldapConnectionPoolIdleHostTimeoutSecs` | No | Seconds a pooled connection can remain idle before being closed. Default: `300`. *(This parameter can be applied only when PSMDB starts.)* | -| `ldapConnectionPoolMinimumConnectionsPerHost` | No | Minimum number of connections to maintain per LDAP host. Default: `1`. *(This parameter can be applied only when PSMDB starts.)* | -| `ldapConnectionPoolMaximumConnectionsPerHost` | No | Maximum number of open connections per LDAP host. Default: `2147483647`. *(This parameter can be applied only when PSMDB starts.)* | -| `ldapConnectionPoolMaximumConnectionsInProgressPerHost` | No | Limits concurrent “in-progress” connection attempts per host to prevent spikes. Default: `2`. *(This parameter can be applied only when PSMDB starts.)* | -| `ldapConnectionPoolUseLatencyForHostPriority` | No | When `true`, the pool prioritizes connections to hosts with the lowest latency. 
Default: `TRUE`. *(This parameter can be applied only when PSMDB starts.)* | +| `ldapConnectionPoolHostRefreshIntervalMillis` | No | Frequency (in ms) of health checks for pooled connections. Default: `60000`. | +| `ldapConnectionPoolIdleHostTimeoutSecs` | No | Seconds a pooled connection can remain idle before being closed. Default: `300`. | +| `ldapConnectionPoolMinimumConnectionsPerHost` | No | Minimum number of connections to maintain per LDAP host. Default: `1`. | +| `ldapConnectionPoolMaximumConnectionsPerHost` | No | Maximum number of open connections per LDAP host. Default: `2147483647`. | +| `ldapConnectionPoolMaximumConnectionsInProgressPerHost` | No | Limits concurrent **in-progress** connection attempts per host to prevent spikes. Default: `2`. | +| `ldapConnectionPoolUseLatencyForHostPriority` | No | When `true`, the pool prioritizes connections to hosts with the lowest latency. Default: `TRUE`. | + From ba378a2e1b09196c68d2cca4089cb74b2d8bde5c Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 10:04:36 +0530 Subject: [PATCH 03/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 366d9cdd9..da10b5bde 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
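Review bot: in PATCH 02/31, the `TRUE` default in the `ldapConnectionPoolUseLatencyForHostPriority` row survives the rewrite while the same cell says "When `true`"; normalise it to `true`. The new admonition is the right replacement for the repeated per-row startup-only text, but it says the parameters "must be defined in the configuration file or via `--setParameter` at launch" without telling the reader which section of the configuration file holds them; a one-line pointer to the config example would close that gap. Two trailing blank lines are also left after the admonition.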
@@ -52,3 +52,17 @@ These parameters control how MongoDB maintains its pool of connections to the LD | `ldapConnectionPoolMaximumConnectionsInProgressPerHost` | No | Limits concurrent **in-progress** connection attempts per host to prevent spikes. Default: `2`. | | `ldapConnectionPoolUseLatencyForHostPriority` | No | When `true`, the pool prioritizes connections to hosts with the lowest latency. Default: `TRUE`. | +??? example "Config file" + ```sh + # Sample MongoDB Configuration File (LDAP Section) + security: + authorization: enabled + ldap: + mode: authzAndAuthn + # --- Connection Pool Settings (Startup Only) --- + ldapUseConnectionPool: true + ldapForceMultiThreadMode: true + ldapConnectionPoolMinimumConnectionsPerHost: 5 + ldapConnectionPoolMaximumConnectionsPerHost: 100 + ldapConnectionPoolIdleHostTimeoutSecs: 600 + ``` \ No newline at end of file From fbd3c42f9119349c6d269728f75424885d14fe3f Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 10:09:44 +0530 Subject: [PATCH 04/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index da10b5bde..f56c3b397 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
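Review bot: in PATCH 03/31, `ldapUseConnectionPool: true` is placed under the comment "Connection Pool Settings (Startup Only)", which contradicts the admonition from the previous commit naming it as the one pool parameter that can be changed at runtime; move it out of that group or reword the comment. The example also sets `ldapForceMultiThreadMode: true`, a parameter the table above never describes, so either add a row for it or drop it from the example. Please also confirm that these server parameters are accepted nested under `security.ldap:` rather than under `setParameter:`, which is where the cache-parameter examples later in this series put theirs. Minor: the fence is tagged `sh` although the content is YAML, and the hunk leaves the file without a trailing newline.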
@@ -52,17 +52,16 @@ These parameters control how MongoDB maintains its pool of connections to the LD | `ldapConnectionPoolMaximumConnectionsInProgressPerHost` | No | Limits concurrent **in-progress** connection attempts per host to prevent spikes. Default: `2`. | | `ldapConnectionPoolUseLatencyForHostPriority` | No | When `true`, the pool prioritizes connections to hosts with the lowest latency. Default: `TRUE`. | -??? example "Config file" +??? example "MongoDB configuration file (LDAP section)" ```sh - # Sample MongoDB Configuration File (LDAP Section) security: - authorization: enabled - ldap: - mode: authzAndAuthn - # --- Connection Pool Settings (Startup Only) --- - ldapUseConnectionPool: true - ldapForceMultiThreadMode: true - ldapConnectionPoolMinimumConnectionsPerHost: 5 - ldapConnectionPoolMaximumConnectionsPerHost: 100 - ldapConnectionPoolIdleHostTimeoutSecs: 600 + authorization: enabled + ldap: + mode: authzAndAuthn + # --- Connection Pool Settings (Startup Only) --- + ldapUseConnectionPool: true + ldapForceMultiThreadMode: true + ldapConnectionPoolMinimumConnectionsPerHost: 5 + ldapConnectionPoolMaximumConnectionsPerHost: 100 + ldapConnectionPoolIdleHostTimeoutSecs: 600 ``` \ No newline at end of file From e5c530993eed4451913057c816a138f03368f5b2 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 10:14:03 +0530 Subject: [PATCH 05/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index f56c3b397..1b687ceec 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
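Review bot: in PATCH 04/31, `ldapUseConnectionPool: true` is still listed under the "Startup Only" comment after the re-indent, although the admonition above the table marks it as the runtime-changeable exception, and `ldapForceMultiThreadMode: true` still has no entry in the parameter table. The YAML nesting itself is now correct, but the fence language is still `sh` for YAML content and the file still ends without a newline.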
@@ -33,7 +33,7 @@ The cache is automatically invalidated when any of the following parameters chan | `ldapQueryUser` | optional | Distinguished Name (DN) of the user used to perform LDAP queries. | | `ldapQueryPassword` | optional | Password for the query user. | -## Connection pool management parameters +## Connection pool parameters These parameters control how MongoDB maintains its pool of connections to the LDAP server. @@ -64,4 +64,8 @@ These parameters control how MongoDB maintains its pool of connections to the LD ldapConnectionPoolMinimumConnectionsPerHost: 5 ldapConnectionPoolMaximumConnectionsPerHost: 100 ldapConnectionPoolIdleHostTimeoutSecs: 600 - ``` \ No newline at end of file + ``` + +## User cache and invalidation + + From 81f0521ddcadb2ab6fc2933f3b0d638a2a3a1e42 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 10:43:18 +0530 Subject: [PATCH 06/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 72 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 71 insertions(+), 1 deletion(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 1b687ceec..753ef5232 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
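Review bot: in PATCH 05/31, the second hunk leaves `## User cache and invalidation` as an empty heading followed by two blank lines, so the rendered page gains a section with no content; land the heading together with its text or squash this with the following commit. The rename to `## Connection pool parameters` in the first hunk is fine, but check that nothing in the docs links to the old `#connection-pool-management-parameters` anchor.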
@@ -66,6 +66,76 @@ These parameters control how MongoDB maintains its pool of connections to the LD ldapConnectionPoolIdleHostTimeoutSecs: 600 ``` -## User cache and invalidation +## LDAP cache refresh parameters + +As of **version 8.0.20-8**, Percona Server for MongoDB introduced parameters to optimize authentication performance and reduce unnecessary load on the LDAP server. These settings control how cached user information is refreshed, allowing administrators to fine-tune the balance between maintaining up-to-date user data and minimizing LDAP query overhead—especially in high-scale environments with many concurrent users. + + +| **Parameter** | **Required** | **Description** | +|-----------------------------|----------|------------------------------------------------------------| +| `ldapUserCacheRefreshInterval` | No | controls how long (in seconds) cached LDAP user entries remain valid before they expire and are evicted from the cache. If you do not set this parameter explicitly, Percona Server for MongoDB uses the built-in default for your version. This parameter applies when `ldapShouldRefreshUserCacheEntries` is set to `false`. | +| `ldapShouldRefreshUserCacheEntries` | No | selects the refresh strategy and has the following semantics: + - When set to `true`, each cached `$external` user is periodically re-fetched from the LDAP server at the interval defined by `ldapUserCacheRefreshInterval`. The cache is updated only if the user’s roles have changed; otherwise, existing entries remain untouched, ensuring no disruption. If a user no longer exists in LDAP, their cache entry is invalidated individually. + - When set to `false`, all `$external` users are evicted from the cache at intervals defined by `ldapUserCacheInvalidationInterval`. This preserves the behavior that existed prior to the introduction of `ldapUserCacheRefreshInterval` and `ldapShouldRefreshUserCacheEntries`. 
+ + The default value is `false` (expiration-based invalidation using `ldapUserCacheInvalidationInterval`), to maintain backward-compatible behavior unless interval-based refreshing is explicitly enabled. The default value will be changed to **true** in all major versions released after March 1, 2026. + + `ldapShouldRefreshUserCacheEntries` can only be set at startup. Interval parameters may be configured both at startup and during runtime. | +| `ldapUserCacheInvalidationInterval` | No | Seconds between total external user cache flushes (re-acquires data on next operation). Default value is `30s`. | +| `ldapUserCacheStalenessInterval` | No | Time mongod retains cache after a failed refresh before invalidating it. Max: 86,400s. Default value is `30s`. | + +**Interval-based refresh** (`ldapShouldRefreshUserCacheEntries: true`): + +=== "Runtime (setParameter)" + + ```{.javascript data-prompt=">"} + > db.adminCommand({ + ... setParameter: 1, + ... ldapUserCacheRefreshInterval: 300 + ... }) + ``` + +=== "Command line" + + ```bash + mongod --setParameter "ldapUserCacheRefreshInterval=300" \ + --setParameter "ldapShouldRefreshUserCacheEntries=true" + ``` + +=== "Configuration file" + + ```yaml + setParameter: + ldapUserCacheRefreshInterval: 300 + ldapShouldRefreshUserCacheEntries: true + ``` + +**Expiration-based invalidation** (`ldapShouldRefreshUserCacheEntries: false`): + +=== "Runtime (setParameter)" + + ```{.javascript data-prompt=">"} + > db.adminCommand({ + ... setParameter: 1, + ... ldapUserCacheInvalidationInterval: 30 + ... }) + ``` + +=== "Command line" + + ```bash + mongod --setParameter "ldapUserCacheInvalidationInterval=30" \ + --setParameter "ldapShouldRefreshUserCacheEntries=false" + ``` + +=== "Configuration file" + + ```yaml + setParameter: + ldapUserCacheInvalidationInterval: 30 + ldapShouldRefreshUserCacheEntries: false + ``` + + From 7ddec88e0fc6132da30aec732ab52c5c15b1a1d9 Mon Sep 17 00:00:00 2001 
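Review bot: in PATCH 06/31, the `ldapUserCacheRefreshInterval` row carries the wrong description: "controls how long (in seconds) cached LDAP user entries remain valid before they expire and are evicted" and "applies when `ldapShouldRefreshUserCacheEntries` is set to `false`" describe `ldapUserCacheInvalidationInterval`, whereas the refresh interval is the one used when the flag is `true`, as the example tabs further down in the same hunk show. The `ldapShouldRefreshUserCacheEntries` cell contains an indented bullet list and blank lines, which a Markdown table cell cannot hold; move the two strategy descriptions into prose beneath the table or join them into one line. Minor: the staleness row writes the maximum as `86,400s` while the other rows use the `30s` style, and the heading `## LDAP cache refresh parameters` replaces `## User cache and invalidation` that was added empty one commit earlier, so the two commits should be squashed.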
From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 10:48:32 +0530 Subject: [PATCH 07/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 753ef5232..2b61caf45 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
@@ -71,6 +71,15 @@ These parameters control how MongoDB maintains its pool of connections to the LD As of **version 8.0.20-8**, Percona Server for MongoDB introduced parameters to optimize authentication performance and reduce unnecessary load on the LDAP server. These settings control how cached user information is refreshed, allowing administrators to fine-tune the balance between maintaining up-to-date user data and minimizing LDAP query overhead—especially in high-scale environments with many concurrent users. +| **Parameter** | **Required** | **Description** | +| ----------------------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `ldapUserCacheRefreshInterval` | No | Defines how often (in seconds) the server refreshes cached user information from LDAP when interval-based refresh is enabled through `ldapShouldRefreshUserCacheEntries=true`. 
If not explicitly configured, Percona Server for MongoDB uses the built-in default for the server version. Can be configured at startup and runtime. | +| `ldapShouldRefreshUserCacheEntries` | No | Selects the LDAP user cache refresh strategy.

- When set to `true`, each cached `$external` user is periodically re-fetched from the LDAP server at the interval defined by `ldapUserCacheRefreshInterval`. The cache is updated only if the user’s roles have changed; otherwise, existing entries remain untouched, ensuring no disruption. If a user no longer exists in LDAP, their cache entry is invalidated individually.

- When set to `false`, all `$external` users are evicted from the cache at intervals defined by `ldapUserCacheInvalidationInterval`. This preserves the behavior that existed prior to the introduction of `ldapUserCacheRefreshInterval` and `ldapShouldRefreshUserCacheEntries`.

Default: `false` (expiration-based invalidation using `ldapUserCacheInvalidationInterval`) to maintain backward-compatible behavior unless interval-based refreshing is explicitly enabled. The default value will change to `true` in all major versions released after March 1, 2026.

*(Startup only — changes require application restart to take effect.)* | +| `ldapUserCacheInvalidationInterval` | No | Defines the interval between total external user cache flushes. Cached LDAP user entries are evicted after this interval and are re-acquired from LDAP on the next operation. Default: `30s`. Can be configured at startup and runtime. | +| `ldapUserCacheStalenessInterval` | No | Defines how long `mongod` retains cached LDAP user information after a failed refresh attempt before invalidating the cache entry. Maximum allowed value: `86400s`. Default: `30s`. Can be configured at startup and runtime. | + + + | **Parameter** | **Required** | **Description** | |-----------------------------|----------|------------------------------------------------------------| | `ldapUserCacheRefreshInterval` | No | controls how long (in seconds) cached LDAP user entries remain valid before they expire and are evicted from the cache. If you do not set this parameter explicitly, Percona Server for MongoDB uses the built-in default for your version. This parameter applies when `ldapShouldRefreshUserCacheEntries` is set to `false`. | From 204f0b681be4934ac610dee3b44c9d660adc5692 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 10:58:30 +0530 Subject: [PATCH 08/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 2b61caf45..ddf44f7ee 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
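Review bot: in PATCH 07/31, the old parameter table is left in place below the new one, so the rendered page shows the cache parameters twice with conflicting descriptions of `ldapUserCacheRefreshInterval`; delete the old table in the same commit. The new `ldapShouldRefreshUserCacheEntries` cell still spans several lines with a bullet list, which Markdown tables cannot render. The note "Startup only — changes require application restart to take effect" should say `mongod` restart, since it is the server process that reads the parameter, not an application. The divider row is also padded to several hundred dashes, which makes the source hard to read and edit.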
@@ -74,24 +74,9 @@ As of **version 8.0.20-8**, Percona Server for MongoDB introduced parameters to | **Parameter** | **Required** | **Description** | | ----------------------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `ldapUserCacheRefreshInterval` | No | Defines how often (in seconds) the server refreshes cached user information from LDAP when interval-based refresh is enabled through `ldapShouldRefreshUserCacheEntries=true`. If not explicitly configured, Percona Server for MongoDB uses the built-in default for the server version. Can be configured at startup and runtime. | -| `ldapShouldRefreshUserCacheEntries` | No | Selects the LDAP user cache refresh strategy.

- When set to `true`, each cached `$external` user is periodically re-fetched from the LDAP server at the interval defined by `ldapUserCacheRefreshInterval`. The cache is updated only if the user’s roles have changed; otherwise, existing entries remain untouched, ensuring no disruption. If a user no longer exists in LDAP, their cache entry is invalidated individually.

- When set to `false`, all `$external` users are evicted from the cache at intervals defined by `ldapUserCacheInvalidationInterval`. This preserves the behavior that existed prior to the introduction of `ldapUserCacheRefreshInterval` and `ldapShouldRefreshUserCacheEntries`.

Default: `false` (expiration-based invalidation using `ldapUserCacheInvalidationInterval`) to maintain backward-compatible behavior unless interval-based refreshing is explicitly enabled. The default value will change to `true` in all major versions released after March 1, 2026.

*(Startup only — changes require application restart to take effect.)* | -| `ldapUserCacheInvalidationInterval` | No | Defines the interval between total external user cache flushes. Cached LDAP user entries are evicted after this interval and are re-acquired from LDAP on the next operation. Default: `30s`. Can be configured at startup and runtime. | -| `ldapUserCacheStalenessInterval` | No | Defines how long `mongod` retains cached LDAP user information after a failed refresh attempt before invalidating the cache entry. Maximum allowed value: `86400s`. Default: `30s`. Can be configured at startup and runtime. | - - - -| **Parameter** | **Required** | **Description** | -|-----------------------------|----------|------------------------------------------------------------| -| `ldapUserCacheRefreshInterval` | No | controls how long (in seconds) cached LDAP user entries remain valid before they expire and are evicted from the cache. If you do not set this parameter explicitly, Percona Server for MongoDB uses the built-in default for your version. This parameter applies when `ldapShouldRefreshUserCacheEntries` is set to `false`. | -| `ldapShouldRefreshUserCacheEntries` | No | selects the refresh strategy and has the following semantics: - - When set to `true`, each cached `$external` user is periodically re-fetched from the LDAP server at the interval defined by `ldapUserCacheRefreshInterval`. The cache is updated only if the user’s roles have changed; otherwise, existing entries remain untouched, ensuring no disruption. If a user no longer exists in LDAP, their cache entry is invalidated individually. - - When set to `false`, all `$external` users are evicted from the cache at intervals defined by `ldapUserCacheInvalidationInterval`. This preserves the behavior that existed prior to the introduction of `ldapUserCacheRefreshInterval` and `ldapShouldRefreshUserCacheEntries`. 
- - The default value is `false` (expiration-based invalidation using `ldapUserCacheInvalidationInterval`), to maintain backward-compatible behavior unless interval-based refreshing is explicitly enabled. The default value will be changed to **true** in all major versions released after March 1, 2026. - - `ldapShouldRefreshUserCacheEntries` can only be set at startup. Interval parameters may be configured both at startup and during runtime. | -| `ldapUserCacheInvalidationInterval` | No | Seconds between total external user cache flushes (re-acquires data on next operation). Default value is `30s`. | -| `ldapUserCacheStalenessInterval` | No | Time mongod retains cache after a failed refresh before invalidating it. Max: 86,400s. Default value is `30s`. | +| `ldapShouldRefreshUserCacheEntries` | No | Selects the LDAP user cache refresh strategy.

- When set to `true`, each cached `$external` user is periodically re-fetched from the LDAP server at the interval defined by `ldapUserCacheRefreshInterval`. The cache is updated only if the user’s roles have changed; otherwise, existing entries remain untouched, ensuring no disruption. If a user no longer exists in LDAP, their cache entry is invalidated individually.

- When set to `false`, all `$external` users are evicted from the cache at intervals defined by `ldapUserCacheInvalidationInterval`. This preserves the behavior that existed prior to the introduction of `ldapUserCacheRefreshInterval` and `ldapShouldRefreshUserCacheEntries`.

Default: `false` (expiration-based invalidation using `ldapUserCacheInvalidationInterval`) to maintain backward-compatible behavior unless interval-based refreshing is explicitly enabled. The default value will change to `true` in all major versions released after March 1, 2026.

This parameter can be configured at startup only.| +| `ldapUserCacheInvalidationInterval` | No | Defines the interval between total external user cache flushes. Cached LDAP user entries are evicted after this interval and are re-acquired from LDAP on the next operation. Default: `30s`. This parameter can be configured at startup and runtime. | +| `ldapUserCacheStalenessInterval` | No | Defines how long `mongod` retains cached LDAP user information after a failed refresh attempt before invalidating the cache entry. Maximum allowed value: `86400s`. Default: `30s`. This parameter can be configured at startup and runtime. | **Interval-based refresh** (`ldapShouldRefreshUserCacheEntries: true`): From 076257418ca0e90f7fa1cc1b7b1e19b79f3e7230 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 11:09:36 +0530 Subject: [PATCH 09/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index ddf44f7ee..a69ea18bb 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md @@ -76,33 +76,34 @@ As of **version 8.0.20-8**, Percona Server for MongoDB introduced parameters to | `ldapUserCacheRefreshInterval` | No | Defines how often (in seconds) the server refreshes cached user information from LDAP when interval-based refresh is enabled through `ldapShouldRefreshUserCacheEntries=true`. If not explicitly configured, Percona Server for MongoDB uses the built-in default for the server version. Can be configured at startup and runtime. | | `ldapShouldRefreshUserCacheEntries` | No | Selects the LDAP user cache refresh strategy.

- When set to `true`, each cached `$external` user is periodically re-fetched from the LDAP server at the interval defined by `ldapUserCacheRefreshInterval`. The cache is updated only if the user’s roles have changed; otherwise, existing entries remain untouched, ensuring no disruption. If a user no longer exists in LDAP, their cache entry is invalidated individually.

- When set to `false`, all `$external` users are evicted from the cache at intervals defined by `ldapUserCacheInvalidationInterval`. This preserves the behavior that existed prior to the introduction of `ldapUserCacheRefreshInterval` and `ldapShouldRefreshUserCacheEntries`.

Default: `false` (expiration-based invalidation using `ldapUserCacheInvalidationInterval`) to maintain backward-compatible behavior unless interval-based refreshing is explicitly enabled. The default value will change to `true` in all major versions released after March 1, 2026.

This parameter can be configured at startup only.| | `ldapUserCacheInvalidationInterval` | No | Defines the interval between total external user cache flushes. Cached LDAP user entries are evicted after this interval and are re-acquired from LDAP on the next operation. Default: `30s`. This parameter can be configured at startup and runtime. | -| `ldapUserCacheStalenessInterval` | No | Defines how long `mongod` retains cached LDAP user information after a failed refresh attempt before invalidating the cache entry. Maximum allowed value: `86400s`. Default: `30s`. This parameter can be configured at startup and runtime. | +| `ldapUserCacheStalenessInterval` | No | Defines how long `mongod` retains cached LDAP user information after a failed refresh attempt before invalidating the cache entry. Maximum allowed value: `86400s`. Default: `30s`. This parameter can be configured at startup and runtime. | -**Interval-based refresh** (`ldapShouldRefreshUserCacheEntries: true`): +??? example "Example" + **Interval-based refresh** (`ldapShouldRefreshUserCacheEntries: true`): -=== "Runtime (setParameter)" + === "Runtime (setParameter)" - ```{.javascript data-prompt=">"} - > db.adminCommand({ - ... setParameter: 1, - ... ldapUserCacheRefreshInterval: 300 - ... }) - ``` + ```{.javascript data-prompt=">"} + > db.adminCommand({ + ... setParameter: 1, + ... ldapUserCacheRefreshInterval: 300 + ... 
}) + ``` -=== "Command line" + === "Command line" - ```bash - mongod --setParameter "ldapUserCacheRefreshInterval=300" \ - --setParameter "ldapShouldRefreshUserCacheEntries=true" - ``` + ```bash + mongod --setParameter "ldapUserCacheRefreshInterval=300" \ + --setParameter "ldapShouldRefreshUserCacheEntries=true" + ``` -=== "Configuration file" + === "Configuration file" - ```yaml - setParameter: - ldapUserCacheRefreshInterval: 300 - ldapShouldRefreshUserCacheEntries: true - ``` + ```yaml + setParameter: + ldapUserCacheRefreshInterval: 300 + ldapShouldRefreshUserCacheEntries: true + ``` **Expiration-based invalidation** (`ldapShouldRefreshUserCacheEntries: false`): From c93faa2feda126fa70d03ec5151864fd7d6ca365 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 11:13:26 +0530 Subject: [PATCH 10/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index a69ea18bb..bcac27cd2 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
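Review bot: in PATCH 08/31, removing the duplicate table is the right fix, but the `ldapShouldRefreshUserCacheEntries` cell now ends with "This parameter can be configured at startup only.|" with no space before the closing pipe, and it still contains a multi-line bullet list that a Markdown table cannot render; flatten the list into one line or move it below the table. The `ldapUserCacheRefreshInterval` description also still says "uses the built-in default for the server version" without naming that default, unlike the sibling rows that give `30s`.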
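Review bot: in PATCH 09/31, the removed and re-added `ldapUserCacheStalenessInterval` rows are identical apart from trailing whitespace, which is diff noise; drop that pair. Wrapping only the interval-based examples in a `??? example "Example"` block while `**Expiration-based invalidation**` stays a plain bold heading leaves the two strategies formatted differently, and a title of "Example" tells the reader nothing; name the strategy in the title. The `ldapUserCacheRefreshInterval` row also keeps "Can be configured at startup and runtime." while the rows below it say "This parameter can be configured at startup and runtime."; pick one phrasing.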
@@ -78,8 +78,7 @@ As of **version 8.0.20-8**, Percona Server for MongoDB introduced parameters to | `ldapUserCacheInvalidationInterval` | No | Defines the interval between total external user cache flushes. Cached LDAP user entries are evicted after this interval and are re-acquired from LDAP on the next operation. Default: `30s`. This parameter can be configured at startup and runtime. | | `ldapUserCacheStalenessInterval` | No | Defines how long `mongod` retains cached LDAP user information after a failed refresh attempt before invalidating the cache entry. Maximum allowed value: `86400s`. Default: `30s`. This parameter can be configured at startup and runtime. | -??? example "Example" - **Interval-based refresh** (`ldapShouldRefreshUserCacheEntries: true`): +??? example "Interval-based refresh: `ldapShouldRefreshUserCacheEntries: true` " === "Runtime (setParameter)" From fba88fdb38c22a64a94afe48b59ebda567b357ca Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 11:17:30 +0530 Subject: [PATCH 11/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index bcac27cd2..3e03c7ab0 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
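Review bot: in PATCH 10/31, the new title `"Interval-based refresh: \`ldapShouldRefreshUserCacheEntries: true\` "` has a trailing space before the closing quote; trim it. With the bold heading gone, the collapsible title is the only place the strategy is named, so add one sentence inside the block stating that `ldapShouldRefreshUserCacheEntries` must already be `true` at startup for the runtime `setParameter` tab to have any effect, since the table marks that flag startup-only.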
@@ -104,31 +104,32 @@ As of **version 8.0.20-8**, Percona Server for MongoDB introduced parameters to ldapShouldRefreshUserCacheEntries: true ``` -**Expiration-based invalidation** (`ldapShouldRefreshUserCacheEntries: false`): +??? example "Expiration-based invalidation: `ldapShouldRefreshUserCacheEntries: false`" -=== "Runtime (setParameter)" - ```{.javascript data-prompt=">"} - > db.adminCommand({ - ... setParameter: 1, - ... ldapUserCacheInvalidationInterval: 30 - ... }) - ``` + === "Runtime (setParameter)" + + ```{.javascript data-prompt=">"} + > db.adminCommand({ + ... setParameter: 1, + ... ldapUserCacheInvalidationInterval: 30 + ... }) + ``` -=== "Command line" + === "Command line" - ```bash - mongod --setParameter "ldapUserCacheInvalidationInterval=30" \ - --setParameter "ldapShouldRefreshUserCacheEntries=false" - ``` + ```bash + mongod --setParameter "ldapUserCacheInvalidationInterval=30" \ + --setParameter "ldapShouldRefreshUserCacheEntries=false" + ``` -=== "Configuration file" + === "Configuration file" - ```yaml - setParameter: - ldapUserCacheInvalidationInterval: 30 - ldapShouldRefreshUserCacheEntries: false - ``` + ```yaml + setParameter: + ldapUserCacheInvalidationInterval: 30 + ldapShouldRefreshUserCacheEntries: false + ``` From 32702af54d885cf3aaf588cb800859427834aa54 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 11:28:43 +0530 Subject: [PATCH 12/31] deleted duplicate section and added security and concurrent parameters --- docs/authorization.md | 73 ----------------------------------------- docs/ldap-parameters.md | 14 ++++++++ 2 files changed, 14 insertions(+), 73 deletions(-) diff --git a/docs/authorization.md b/docs/authorization.md index 141041b1e..a9c0d707a 100644 --- a/docs/authorization.md +++ b/docs/authorization.md 
@@ -102,79 +102,6 @@ setParameter: ldapFollowReferrals: true ``` -### LDAP cache refresh parameters - -As of version 8.0.20-8, Percona Server for MongoDB introduced parameters to optimize authentication performance and reduce unnecessary load on the LDAP server. These settings control how cached user information is refreshed, allowing administrators to fine-tune the balance between maintaining up-to-date user data and minimizing LDAP query overhead—especially in high-scale environments with many concurrent users. - -- `ldapUserCacheRefreshInterval` defines how often (in seconds) the server refreshes cached user information from LDAP **when interval-based refresh is enabled** (see `ldapShouldRefreshUserCacheEntries` below). - -- `ldapUserCacheInvalidationInterval` controls how long (in seconds) cached LDAP user entries remain valid before they expire and are evicted from the cache. If you do not set this parameter explicitly, Percona Server for MongoDB uses the built-in default for your version. This parameter applies when `ldapShouldRefreshUserCacheEntries` is set to `false`. - -- `ldapShouldRefreshUserCacheEntries` selects the refresh strategy and has the following semantics: - - - When set to `true`, each cached `$external` user is periodically re-fetched from the LDAP server at the interval defined by `ldapUserCacheRefreshInterval`. The cache is updated only if the user’s roles have changed; otherwise, existing entries remain untouched, ensuring no disruption. If a user no longer exists in LDAP, their cache entry is invalidated individually. - - - When set to `false`, all `$external` users are evicted from the cache at intervals defined by `ldapUserCacheInvalidationInterval`. This preserves the behavior that existed prior to the introduction of `ldapUserCacheRefreshInterval` and `ldapShouldRefreshUserCacheEntries`. 
- - The default value is `false` (expiration-based invalidation using `ldapUserCacheInvalidationInterval`), to maintain backward-compatible behavior unless interval-based refreshing is explicitly enabled. - - `ldapShouldRefreshUserCacheEntries` can only be set at startup. Interval parameters may be configured both at startup and during runtime. - - !!! warning - The default value will be changed to **true** in all major versions released after March 1, 2026. - -**Interval-based refresh** (`ldapShouldRefreshUserCacheEntries: true`): - -=== "Runtime (setParameter)" - - ```{.javascript data-prompt=">"} - > db.adminCommand({ - ... setParameter: 1, - ... ldapUserCacheRefreshInterval: 300 - ... }) - ``` - -=== "Command line" - - ```bash - mongod --setParameter "ldapUserCacheRefreshInterval=300" \ - --setParameter "ldapShouldRefreshUserCacheEntries=true" - ``` - -=== "Configuration file" - - ```yaml - setParameter: - ldapUserCacheRefreshInterval: 300 - ldapShouldRefreshUserCacheEntries: true - ``` - -**Expiration-based invalidation** (`ldapShouldRefreshUserCacheEntries: false`): - -=== "Runtime (setParameter)" - - ```{.javascript data-prompt=">"} - > db.adminCommand({ - ... setParameter: 1, - ... ldapUserCacheInvalidationInterval: 30 - ... }) - ``` - -=== "Command line" - - ```bash - mongod --setParameter "ldapUserCacheInvalidationInterval=30" \ - --setParameter "ldapShouldRefreshUserCacheEntries=false" - ``` - -=== "Configuration file" - - ```yaml - setParameter: - ldapUserCacheInvalidationInterval: 30 - ldapShouldRefreshUserCacheEntries: false - ``` - ### Connection pool As of version 6.0.2-1, Percona Server for MongoDB always uses a connection pool to LDAP server to process bind requests. The connection pool is enabled by default. The default connection pool size is 2 connections. diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 3e03c7ab0..1763d2506 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
@@ -132,5 +132,19 @@ As of **version 8.0.20-8**, Percona Server for MongoDB introduced parameters to ``` +## Security and concurrency parameters + +These parameters are used for LDAP server authentication, secure connection handling, and ensuring thread-safe operations during concurrent access. + +| **Parameter** | **Required** | **Description** | +| -------------------------- | ------------ | -------------------------------------------------------------------------------------------------------------------------------------------- | +| `ldapQueryUser` | No | Specifies the DN (Distinguished Name) of the user that binds to the LDAP server. Default: `N/A`. | +| `ldapQueryPassword` | No | Specifies the password for `ldapQueryUser`. Default: `N/A`. | +| `ldapForceMultiThreadMode` | No | Enables concurrent LDAP operations. Required for connection pooling. Use only with a thread-safe `libldap` implementation. Default: `FALSE`. | +| `ldapRetryCount` | No | Specifies the number of times the server retries an LDAP operation after a network error. Default: `0`. | + + + + From a19768fc2f8f0629ab05265f931aba673e8eaae4 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 11:35:23 +0530 Subject: [PATCH 13/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 1763d2506..dd25bed1e 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md @@ -144,7 +144,16 @@ These parameters are used for LDAP server authentication, secure connection hand | `ldapRetryCount` | No | Specifies the number of times the server retries an LDAP operation after a network error. Default: `0`. | +??? example "MongoDB configuration file: Performance and retries" + ``` + security: + authorization: enabled + ldap: + mode: authzAndAuthn + # --- Performance & Retries --- + ldapRetryCount: 3 + ``` 
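Review bot: the new `ldapForceMultiThreadMode` row in the "Security and concurrency parameters" hunk says the parameter is "Required for connection pooling" yet defaults to `false`, while the authorization.md text removed in this same patch still tells readers that Percona Server for MongoDB "always uses a connection pool to LDAP server" and that "The connection pool is enabled by default"; both cannot be true, so either state that pooling works without this flag or document that the effective default differs on builds that pool. The `ldapQueryPassword` row also documents a secret with no guidance on how to supply it: a `--setParameter ldapQueryPassword=...` on the command line is readable by every local user through the process list, so the row should steer readers to the configuration file with restrictive file permissions, and `Default: N/A` on both bind rows would read better as "none".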
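Review bot: in the "MongoDB configuration file: Performance and retries" example, `ldapRetryCount: 3` is nested under `security.ldap`, but `ldapRetryCount` is a server parameter that mongod only reads from a top-level `setParameter:` block (the cache examples earlier in this file already use `setParameter:` for exactly that reason), so the example will not apply the setting as written. Replace the `# --- Performance & Retries ---` comment and the nested line with `setParameter:` followed by `  ldapRetryCount: 3`, keeping `setParameter:` at the same indentation as `security:` rather than inside it, and tag the fence as `yaml` instead of leaving it untyped.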
From f637d87fa18d9e394275401357cc6350416d4993 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 11:37:55 +0530 Subject: [PATCH 14/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index dd25bed1e..9b881851d 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md @@ -146,7 +146,7 @@ These parameters are used for LDAP server authentication, secure connection hand ??? example "MongoDB configuration file: Performance and retries" - ``` + ```sh security: authorization: enabled ldap: From 8775b8527e3305f4d16260bd21f5aa313c32f6ea Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 11:44:02 +0530 Subject: [PATCH 15/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 9b881851d..94f1b003f 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md @@ -153,7 +153,7 @@ These parameters are used for LDAP server authentication, secure connection hand mode: authzAndAuthn # --- Performance & Retries --- ldapRetryCount: 3 - ``` + ``` From 0f47ebcdb3beccdafdda2c3e468ec8c8118b4329 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 12:03:10 +0530 Subject: [PATCH 16/31] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/ldap-parameters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 94f1b003f..3e499c422 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
@@ -35,7 +35,7 @@ The cache is automatically invalidated when any of the following parameters chan ## Connection pool parameters -These parameters control how MongoDB maintains its pool of connections to the LDAP server. +These parameters control how Percona Server for MongoDB maintains its pool of connections to the LDAP server. !!! info "Important" From 831a39025965edb2436a80cd3243d541f9abefca Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 12:03:27 +0530 Subject: [PATCH 17/31] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/ldap-parameters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 3e499c422..e6f94a682 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md @@ -50,7 +50,7 @@ These parameters control how Percona Server for MongoDB maintains its pool of co | `ldapConnectionPoolMinimumConnectionsPerHost` | No | Minimum number of connections to maintain per LDAP host. Default: `1`. | | `ldapConnectionPoolMaximumConnectionsPerHost` | No | Maximum number of open connections per LDAP host. Default: `2147483647`. | | `ldapConnectionPoolMaximumConnectionsInProgressPerHost` | No | Limits concurrent **in-progress** connection attempts per host to prevent spikes. Default: `2`. | -| `ldapConnectionPoolUseLatencyForHostPriority` | No | When `true`, the pool prioritizes connections to hosts with the lowest latency. Default: `TRUE`. | +| `ldapConnectionPoolUseLatencyForHostPriority` | No | When `true`, the pool prioritizes connections to hosts with the lowest latency. Default: `true`. | ??? example "MongoDB configuration file (LDAP section)" ```sh From 6bbf4dc5bfbebc0ad2e50e2d63860644078f481b Mon Sep 17 00:00:00 2001 
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 12:04:24 +0530 Subject: [PATCH 18/31] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/ldap-parameters.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index e6f94a682..d2c7ba5ec 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
@@ -75,8 +75,8 @@ As of **version 8.0.20-8**, Percona Server for MongoDB introduced parameters to | ----------------------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `ldapUserCacheRefreshInterval` | No | Defines how often (in seconds) the server refreshes cached user information from LDAP when interval-based refresh is enabled through `ldapShouldRefreshUserCacheEntries=true`. If not explicitly configured, Percona Server for MongoDB uses the built-in default for the server version. Can be configured at startup and runtime. | | `ldapShouldRefreshUserCacheEntries` | No | Selects the LDAP user cache refresh strategy.

- When set to `true`, each cached `$external` user is periodically re-fetched from the LDAP server at the interval defined by `ldapUserCacheRefreshInterval`. The cache is updated only if the user’s roles have changed; otherwise, existing entries remain untouched, ensuring no disruption. If a user no longer exists in LDAP, their cache entry is invalidated individually.

- When set to `false`, all `$external` users are evicted from the cache at intervals defined by `ldapUserCacheInvalidationInterval`. This preserves the behavior that existed prior to the introduction of `ldapUserCacheRefreshInterval` and `ldapShouldRefreshUserCacheEntries`.

Default: `false` (expiration-based invalidation using `ldapUserCacheInvalidationInterval`) to maintain backward-compatible behavior unless interval-based refreshing is explicitly enabled. The default value will change to `true` in all major versions released after March 1, 2026.

This parameter can be configured at startup only.| -| `ldapUserCacheInvalidationInterval` | No | Defines the interval between total external user cache flushes. Cached LDAP user entries are evicted after this interval and are re-acquired from LDAP on the next operation. Default: `30s`. This parameter can be configured at startup and runtime. | -| `ldapUserCacheStalenessInterval` | No | Defines how long `mongod` retains cached LDAP user information after a failed refresh attempt before invalidating the cache entry. Maximum allowed value: `86400s`. Default: `30s`. This parameter can be configured at startup and runtime. | +| `ldapUserCacheInvalidationInterval` | No | Defines the interval between total external user cache flushes, in seconds. Cached LDAP user entries are evicted after this interval and are re-acquired from LDAP on the next operation. Default: `30` seconds. This parameter can be configured at startup and runtime. | +| `ldapUserCacheStalenessInterval` | No | Defines how long `mongod` retains cached LDAP user information after a failed refresh attempt before invalidating the cache entry, in seconds. Maximum allowed value: `86400` seconds. Default: `30` seconds. This parameter can be configured at startup and runtime. | ??? example "Interval-based refresh: `ldapShouldRefreshUserCacheEntries: true` " From 6c9693f90acae705214e171c35f898d40fa7be85 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 12:04:41 +0530 Subject: [PATCH 19/31] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/ldap-parameters.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index d2c7ba5ec..45141df3e 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
@@ -146,12 +146,13 @@ These parameters are used for LDAP server authentication, secure connection hand ??? example "MongoDB configuration file: Performance and retries" - ```sh + ```yaml security: authorization: enabled ldap: mode: authzAndAuthn - # --- Performance & Retries --- + # --- Performance & Retries --- + setParameter: ldapRetryCount: 3 ``` From a1d9b8f04a3ce1b455a582f5c5c12881ebb82815 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 12 May 2026 06:35:45 +0000 Subject: [PATCH 20/31] Fix LDAP connection pool config example Agent-Logs-Url: https://github.com/percona/psmdb-docs/sessions/a1d3d5be-ba40-4247-a41e-1789606c20c4 Co-authored-by: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> --- docs/ldap-parameters.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 45141df3e..da9db0d68 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md @@ -53,11 +53,12 @@ These parameters control how Percona Server for MongoDB maintains its pool of co | `ldapConnectionPoolUseLatencyForHostPriority` | No | When `true`, the pool prioritizes connections to hosts with the lowest latency. Default: `true`. | ??? example "MongoDB configuration file (LDAP section)" - ```sh + ```yaml security: authorization: enabled ldap: mode: authzAndAuthn + setParameter: # --- Connection Pool Settings (Startup Only) --- ldapUseConnectionPool: true ldapForceMultiThreadMode: true @@ -157,4 +158,3 @@ These parameters are used for LDAP server authentication, secure connection hand ``` - From e095e8cae12853ac35e18a71eedb9163ab8ff36d Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 12 May 2026 06:39:00 +0000 Subject: [PATCH 21/31] Fix YAML indentation in cache refresh examples Agent-Logs-Url: https://github.com/percona/psmdb-docs/sessions/091519cc-1dcf-4972-997a-a18f40871e3e Co-authored-by: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> --- docs/ldap-parameters.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index da9db0d68..10a2c6f11 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md @@ -101,8 +101,8 @@ As of **version 8.0.20-8**, Percona Server for MongoDB introduced parameters to ```yaml setParameter: - ldapUserCacheRefreshInterval: 300 - ldapShouldRefreshUserCacheEntries: true + ldapUserCacheRefreshInterval: 300 + ldapShouldRefreshUserCacheEntries: true ``` ??? example "Expiration-based invalidation: `ldapShouldRefreshUserCacheEntries: false`" @@ -128,8 +128,8 @@ As of **version 8.0.20-8**, Percona Server for MongoDB introduced parameters to ```yaml setParameter: - ldapUserCacheInvalidationInterval: 30 - ldapShouldRefreshUserCacheEntries: false + ldapUserCacheInvalidationInterval: 30 + ldapShouldRefreshUserCacheEntries: false ``` From 86dc1fb76d136cb1ac5e3f42b973f067b8cba6b1 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 12:26:22 +0530 Subject: [PATCH 22/31] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/ldap-parameters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 10a2c6f11..76e6a13f1 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
@@ -141,7 +141,7 @@ These parameters are used for LDAP server authentication, secure connection hand | -------------------------- | ------------ | -------------------------------------------------------------------------------------------------------------------------------------------- | | `ldapQueryUser` | No | Specifies the DN (Distinguished Name) of the user that binds to the LDAP server. Default: `N/A`. | | `ldapQueryPassword` | No | Specifies the password for `ldapQueryUser`. Default: `N/A`. | -| `ldapForceMultiThreadMode` | No | Enables concurrent LDAP operations. Required for connection pooling. Use only with a thread-safe `libldap` implementation. Default: `FALSE`. | +| `ldapForceMultiThreadMode` | No | Enables concurrent LDAP operations. Required for connection pooling. Use only with a thread-safe `libldap` implementation. Default: `false`. | | `ldapRetryCount` | No | Specifies the number of times the server retries an LDAP operation after a network error. Default: `0`. | From dfbc27f085cfbbcf2c5c314f09804006c4aed9b0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 12 May 2026 07:00:30 +0000 Subject: [PATCH 23/31] Add link to LDAP cache refresh parameters in authorization.md Agent-Logs-Url: https://github.com/percona/psmdb-docs/sessions/24c04f91-623e-4ec5-889b-5ff28e00b09d Co-authored-by: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> --- docs/authorization.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/authorization.md b/docs/authorization.md index a9c0d707a..0a6127c7e 100644 --- a/docs/authorization.md +++ b/docs/authorization.md 
@@ -102,6 +102,10 @@ setParameter: ldapFollowReferrals: true ``` +!!! note + + For information about LDAP cache refresh parameters, see [LDAP cache refresh parameters](ldap-parameters.md#ldap-cache-refresh-parameters). + ### Connection pool As of version 6.0.2-1, Percona Server for MongoDB always uses a connection pool to LDAP server to process bind requests. The connection pool is enabled by default. The default connection pool size is 2 connections. From db11cee43cabefefaf2635f73203355f8f85c301 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 12:34:05 +0530 Subject: [PATCH 24/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 94f1b003f..624719a05 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md @@ -30,8 +30,7 @@ The cache is automatically invalidated when any of the following parameters chan | `ldapUserToDNCacheTTLSeconds` | No | Changing the TTL value clears the cache. | | `ldapUserToDNCacheSize` | No | Changing the cache size clears the cache. | | `ldapServers` | Yes | Comma-separated list of LDAP servers to connect to. | -| `ldapQueryUser` | optional | Distinguished Name (DN) of the user used to perform LDAP queries. | -| `ldapQueryPassword` | optional | Password for the query user. | + ## Connection pool parameters 
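Review bot: dropping the `ldapQueryUser` and `ldapQueryPassword` rows from this table changes what the table claims, because it is introduced as the list of parameters whose change invalidates the cache ("The cache is automatically invalidated when any of the following parameters change"); if changing the bind DN or password does clear the cache, the rows belong here as well as in the new security section, and if it does not, that should be said explicitly rather than implied by their removal. The hunk also leaves a stray added blank line (`+`) where the rows were; drop it so the table is not followed by a double blank before the `## Connection pool parameters` heading.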
@@ -39,7 +38,7 @@ These parameters control how MongoDB maintains its pool of connections to the LD !!! info "Important" - All Connection Pool parameters except `ldapUseConnectionPool` can be set at **startup only**. They must be defined in the configuration file or via `--setParameter` at launch and cannot be changed via `db.adminCommand()` while the instance is running. + All the connection Pool parameters can be set at **startup only**. They must be defined in the configuration file or via `--setParameter` at launch and cannot be changed via `db.adminCommand()` while the instance is running. | Parameter | Required | Description | From 17d3f8762c02b894dbba648f509464f7a8af982c Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 12:58:15 +0530 Subject: [PATCH 25/31] Update authorization.md --- docs/authorization.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/authorization.md b/docs/authorization.md index 0a6127c7e..37410b4e0 100644 --- a/docs/authorization.md +++ b/docs/authorization.md @@ -90,7 +90,6 @@ To summarize, username escaping happens in the following cases: - ### LDAP referrals As of version 6.0.2-1, Percona Server for MongoDB supports LDAP referrals as defined in [RFC 4511 4.1.10](https://www.rfc-editor.org/rfc/rfc4511.txt). For security reasons, referrals are disabled by default. Double-check that using referrals is safe before enabling them. @@ -102,10 +101,6 @@ setParameter: ldapFollowReferrals: true ``` -!!! note - - For information about LDAP cache refresh parameters, see [LDAP cache refresh parameters](ldap-parameters.md#ldap-cache-refresh-parameters). - ### Connection pool As of version 6.0.2-1, Percona Server for MongoDB always uses a connection pool to LDAP server to process bind requests. The connection pool is enabled by default. The default connection pool size is 2 connections. 
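Review bot: the retained context in this hunk still states "The default connection pool size is 2 connections", which does not match the connection pool table in ldap-parameters.md shown earlier in this series (`ldapConnectionPoolMaximumConnectionsPerHost` default `2147483647`, `ldapConnectionPoolMaximumConnectionsInProgressPerHost` default `2`); since the note pointing readers to that table is being removed here, the sentence should name the parameter the "2" refers to or be replaced with a direct reference to the table so the two pages do not disagree.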
@@ -160,6 +155,10 @@ db.adminCommand( { setParameter: 1, ldapServers:"localhost,ldap1.example.net,lda For how to configure LDAP authorization with the native LDAP authentication, see [Setting up LDAP authentication and authorization using NativeLDAP](ldap-setup.md). +For information about LDAP parameters, see [LDAP parameters](ldap-parameters.md). + + + *[DN]: Distinguished Name \ No newline at end of file From bcc71b8f68f68f187d84e99ff33c5d27011140ce Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 13:11:41 +0530 Subject: [PATCH 26/31] Update authorization.md --- docs/authorization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/authorization.md b/docs/authorization.md index 37410b4e0..d9d936d24 100644 --- a/docs/authorization.md +++ b/docs/authorization.md @@ -153,9 +153,9 @@ db.adminCommand( { setParameter: 1, ldapServers:"localhost,ldap1.example.net,lda ## Configuration -For how to configure LDAP authorization with the native LDAP authentication, see [Setting up LDAP authentication and authorization using NativeLDAP](ldap-setup.md). +To configure LDAP authorization with the native LDAP authentication, see [Setting up LDAP authentication and authorization using NativeLDAP](ldap-setup.md). -For information about LDAP parameters, see [LDAP parameters](ldap-parameters.md). +For details on available configuration options, refer to [LDAP parameters](ldap-parameters.md). From ec7d54a1efb3d9433762ad1b36791bfb605e4165 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 13:11:55 +0530 Subject: [PATCH 27/31] Update authorization.md --- docs/authorization.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/docs/authorization.md b/docs/authorization.md index d9d936d24..5cbaeeacc 100644 --- a/docs/authorization.md +++ b/docs/authorization.md 
@@ -155,10 +155,4 @@ db.adminCommand( { setParameter: 1, ldapServers:"localhost,ldap1.example.net,lda To configure LDAP authorization with the native LDAP authentication, see [Setting up LDAP authentication and authorization using NativeLDAP](ldap-setup.md). -For details on available configuration options, refer to [LDAP parameters](ldap-parameters.md). - - - - - -*[DN]: Distinguished Name \ No newline at end of file +For details on available configuration options, refer to [LDAP parameters](ldap-parameters.md). \ No newline at end of file From 0c32e1dd68658c0d7bab7f2bafa8a1550daff7ef Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 13:16:42 +0530 Subject: [PATCH 28/31] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/ldap-parameters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 14f4c6228..4ce0cbbb3 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md @@ -38,7 +38,7 @@ These parameters control how Percona Server for MongoDB maintains its pool of co !!! info "Important" - All the connection Pool parameters can be set at **startup only**. They must be defined in the configuration file or via `--setParameter` at launch and cannot be changed via `db.adminCommand()` while the instance is running. + All connection pool parameters are **startup-only**. They must be defined in the configuration file or via `--setParameter` at launch and cannot be changed via `db.adminCommand()` while the instance is running. | Parameter | Required | Description | From e860bab5b27c649cc5b110de157dd923adbf84d0 Mon Sep 17 00:00:00 2001 
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 13:17:56 +0530 Subject: [PATCH 29/31] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/ldap-parameters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 4ce0cbbb3..6be21e9a2 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md 
@@ -74,7 +74,7 @@ As of **version 8.0.20-8**, Percona Server for MongoDB introduced parameters to | **Parameter** | **Required** | **Description** | | ----------------------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `ldapUserCacheRefreshInterval` | No | Defines how often (in seconds) the server refreshes cached user information from LDAP when interval-based refresh is enabled through `ldapShouldRefreshUserCacheEntries=true`. If not explicitly configured, Percona Server for MongoDB uses the built-in default for the server version. Can be configured at startup and runtime. | -| `ldapShouldRefreshUserCacheEntries` | No | Selects the LDAP user cache refresh strategy.

- When set to `true`, each cached `$external` user is periodically re-fetched from the LDAP server at the interval defined by `ldapUserCacheRefreshInterval`. The cache is updated only if the user’s roles have changed; otherwise, existing entries remain untouched, ensuring no disruption. If a user no longer exists in LDAP, their cache entry is invalidated individually.

- When set to `false`, all `$external` users are evicted from the cache at intervals defined by `ldapUserCacheInvalidationInterval`. This preserves the behavior that existed prior to the introduction of `ldapUserCacheRefreshInterval` and `ldapShouldRefreshUserCacheEntries`.

Default: `false` (expiration-based invalidation using `ldapUserCacheInvalidationInterval`) to maintain backward-compatible behavior unless interval-based refreshing is explicitly enabled. The default value will change to `true` in all major versions released after March 1, 2026.

This parameter can be configured at startup only.| +| `ldapShouldRefreshUserCacheEntries` | No | Selects the LDAP user cache refresh strategy.

- When set to `true`, each cached `$external` user is periodically re-fetched from the LDAP server at the interval defined by `ldapUserCacheRefreshInterval`. The cache is updated only if the user’s roles have changed; otherwise, existing entries remain untouched, ensuring no disruption. If a user no longer exists in LDAP, their cache entry is invalidated individually.

- When set to `false`, all `$external` users are evicted from the cache at intervals defined by `ldapUserCacheInvalidationInterval`. This preserves the behavior that existed prior to the introduction of `ldapUserCacheRefreshInterval` and `ldapShouldRefreshUserCacheEntries`.

Default: `false` (expiration-based invalidation using `ldapUserCacheInvalidationInterval`) to maintain backward-compatible behavior unless interval-based refreshing is explicitly enabled. The default value will change to `true` in future major versions.

This parameter can be configured at startup only.| | `ldapUserCacheInvalidationInterval` | No | Defines the interval between total external user cache flushes, in seconds. Cached LDAP user entries are evicted after this interval and are re-acquired from LDAP on the next operation. Default: `30` seconds. This parameter can be configured at startup and runtime. | | `ldapUserCacheStalenessInterval` | No | Defines how long `mongod` retains cached LDAP user information after a failed refresh attempt before invalidating the cache entry, in seconds. Maximum allowed value: `86400` seconds. Default: `30` seconds. This parameter can be configured at startup and runtime. | From fa1ca2207917a4f1dd47a5bf140ac0822e62c58f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 12 May 2026 07:50:24 +0000 Subject: [PATCH 30/31] Re-add DN abbreviation definition to authorization.md Agent-Logs-Url: https://github.com/percona/psmdb-docs/sessions/d369ba41-d255-42a9-b450-9246ff0c220c Co-authored-by: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> --- docs/authorization.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/authorization.md b/docs/authorization.md index 5cbaeeacc..6690d4928 100644 --- a/docs/authorization.md +++ b/docs/authorization.md @@ -155,4 +155,6 @@ db.adminCommand( { setParameter: 1, ldapServers:"localhost,ldap1.example.net,lda To configure LDAP authorization with the native LDAP authentication, see [Setting up LDAP authentication and authorization using NativeLDAP](ldap-setup.md). -For details on available configuration options, refer to [LDAP parameters](ldap-parameters.md). \ No newline at end of file +For details on available configuration options, refer to [LDAP parameters](ldap-parameters.md). + +*[DN]: Distinguished Name \ No newline at end of file From 2df5990255744abf52e23163a7966c6dd8a3b47d Mon Sep 17 00:00:00 2001 
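Review bot: in the `ldapShouldRefreshUserCacheEntries` hunk of `ldap-parameters.md` the only substantive change is the last sentence of the `Default:` paragraph, which replaces the dated commitment "in all major versions released after March 1, 2026" with the vaguer "in future major versions"; if the date was dropped on purpose, say so in the commit message, and consider keeping a version or release-notes reference so an operator planning an upgrade can still tell when the default flips from `false` to `true` and cache eviction behavior changes. Separately, both the `-` and `+` cells keep a bullet list and blank lines inside a `|`-delimited table cell, which the standard Markdown `tables` extension does not render as a list; either use `<br>` breaks inside the cell or move this parameter's description out of the table.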
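Review bot: in PATCH 30/31 the new `*[DN]: Distinguished Name` line in `authorization.md` is appended without a trailing newline (the `\ No newline at end of file` marker is still present on the `+` side); add the final newline so the next edit to this file does not produce a noisy diff. Note also that this abbreviation definition is scoped to `authorization.md` only, so `DN` in other pages, including `ldap-parameters.md` touched in this series, will not get the tooltip unless the definition is repeated or moved to a shared abbreviations snippet.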
From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Tue, 12 May 2026 13:32:12 +0530 Subject: [PATCH 31/31] Update ldap-parameters.md --- docs/ldap-parameters.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md index 14f4c6228..ee6514eab 100644 --- a/docs/ldap-parameters.md +++ b/docs/ldap-parameters.md @@ -3,11 +3,11 @@ Percona Server for MongoDB provides a set of configuration parameters to enable and fine-tune LDAP authentication and authorization. -## User-to-DN cache parameters +## UsertoDN cache parameters -To reduce the number of round trips to the LDAP server during authentication and authorization, Percona Server for MongoDB caches the results of LDAP user-to-DN mapping configured by `security.ldap.userToDNMapping` (exposed as `--ldapUserToDNMapping` at startup and `ldapUserToDNMapping` at runtime). +To reduce the number of round trips to the LDAP server during authentication and authorization, Percona Server for MongoDB caches the results of LDAP UsertoDN mapping configured by `security.ldap.userToDNMapping` (exposed as `--ldapUserToDNMapping` at startup and `ldapUserToDNMapping` at runtime). -For more details on configuring user-to-DN mapping, see [LDAP authorization](authorization.md#username-transformation) and [Set up LDAP authentication and authorization using NativeLDAP](ldap-setup.md). +For more details on configuring UsertoDN mapping, see [LDAP authorization](authorization.md#username-transformation) and [Set up LDAP authentication and authorization using NativeLDAP](ldap-setup.md). The cache is controlled by the following server parameters:
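Review bot: in PATCH 31/31 the rename of "User-to-DN" to "UsertoDN" in the heading and in the two following sentences looks like a regression rather than a fix: "UsertoDN" is not a word, the configuration key in the same sentences is still written `userToDNMapping`, and changing the heading text also changes its generated anchor (`#user-to-dn-cache-parameters` becomes `#usertodn-cache-parameters`), which breaks any existing link to that section. Keep "User-to-DN"; if the hyphenated form was changed to avoid the `DN` abbreviation tooltip introduced in PATCH 30/31, state that in the commit message and pick a form that still reads correctly, such as "username-to-DN".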