User Source, AD - Cache Validation Timeout

What is the downside to disabling caching for an “AD/Internal Hybrid” user source?

Our gateway uses an “AD/Internal Hybrid” user source configured with a “Cache Validation Timeout” of 5 min. On the User Source, when I click on “More” and “manage users”, there are 11K users listed. It looks like Ignition is querying the domain controller every 5 min for the complete user list and then caching the result. Is that correct?

There are significant CPU spikes that match the cache invalidation interval. Also, there is a lot of traffic to and from the DC. To improve things, I’m increasing the cache timeout, but ideally I’d like to disable the cache. I don’t see any info in the docs about what the cache is for and the pros / cons of disabling it.

The downside is that the Gateway will make LDAP requests to the AD server every time the list of users or roles is required from the AD server, instead of hitting the cache. Depending on how often your users require the list of users or roles and depending on how large the directory is, this could be a huge performance burden.

There are many settings you can take advantage of in the user source profile to tune performance to your liking. You could increase the cache invalidation timeout depending on your tolerance for stale cache on the Gateway side since the last AD query. You could refine your user search and list base if you only need a subset of the directory (and not the entire 11K users). If you only want to show the list of users that you have created on the internal DB side of the hybrid source, you could disable the List Users from Active Directory setting, which would make the system show the list from the internal DB side instead of querying the AD server for the list of roles and users.
