From 50a56529d1517ec7977b8d1a04e9c0664ab40ac4 Mon Sep 17 00:00:00 2001
From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:11:17 +0530
Subject: [PATCH 01/16] Update ldap-parameters.md
---
docs/ldap-parameters.md | 69 +++++++++++++++++++++++++++++++++++++++--
1 file changed, 66 insertions(+), 3 deletions(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index 659a4a3c7..a65d68d1d 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -2,7 +2,8 @@
Percona Server for MongoDB provides a set of configuration parameters to enable and fine-tune LDAP authentication and authorization.
-## User-to-DN cache parameters
+
+## userToDNCache cache parameters
To reduce the number of round trips to the LDAP server during authentication and authorization, Percona Server for MongoDB caches the results of LDAP user-to-DN mapping configured by `security.ldap.userToDNMapping` (exposed as `--ldapUserToDNMapping` at startup and `ldapUserToDNMapping` at runtime).
@@ -23,8 +24,8 @@ The cache is controlled by the following server parameters:
The cache is automatically invalidated when any of the following parameters change at runtime:
-| **Parameter** | **Required** | **Description** |
-|-----------------------------|----------|------------------------------------------------------------|
+| **Parameter**| **Required** | **Description** |
+|--------------|----------|---------------------|
| `ldapUserToDNMapping` | Yes | Rules for mapping usernames to LDAP DNs. |
| `ldapUserToDNCacheTTLSeconds` | No | Changing the TTL value clears the cache. |
| `ldapUserToDNCacheSize` | No | Changing the cache size clears the cache. |
@@ -33,6 +34,68 @@ The cache is automatically invalidated when any of the following parameters chan
| `ldapQueryPassword` | optional | Password for the query user.
+## Monitor userToDNCache
+
+Percona Server for MongoDB exposes LDAP userToDN cache statistics in the `db.serverStatus()` output when the server is configured to use LDAP authentication with `--ldapServers`.
+
+The `ldap.userToDNCache` document reports the status and performance of the in-memory Least Recently Used (LRU) cache that maps LDAP usernames to Distinguished Names (DNs). You can use this information to verify whether the cache is enabled, monitor cache usage, and identify whether LDAP lookups are being served from cache or sent to the LDAP server.
+
+### View LDAP userToDN cache statistics
+
+Run the following command:
+
+```sh
+db.serverStatus().ldap.userToDNCache
+```
+
+??? example "Output"
+ ```bash
+ {
+ "enabled": true,
+ "maxSize": 10000,
+ "currentSize": 42,
+ "ttlSeconds": 30,
+ "hits": 1847,
+ "misses": 63,
+ "invalidations": 2
+ }
+ ```
+
+The different fields are described in the table below.
+
+| **Field** | **Description** |
+|-------|-------------|
+| `enabled` | Indicates whether the LDAP user-to-DN cache is active.
The cache is disabled when either `ldapUserToDNCacheTTLSeconds` or `ldapUserToDNCacheSize` is set to `0`.
When disabled, all user-to-DN lookups are sent directly to the LDAP server. |
+| `maxSize` | The maximum number of username-to-DN mappings that can be stored in the cache.
Corresponds to the `ldapUserToDNCacheSize` server parameter.
When the cache reaches this limit, the least recently used entry is evicted to make room for a new one. |
+| `currentSize` | The current number of username-to-DN mappings stored in the cache. |
+| `ttlSeconds` | The time-to-live (TTL) for cache entries, in seconds.
Corresponds to the `ldapUserToDNCacheTTLSeconds` server parameter.
Entries older than this value are treated as expired and are not served from the cache. |
+| `hits` | The number of `mapUserToDN` lookups served from the cache since the last cache invalidation.
This counter resets to `0` when the cache is invalidated, for example after changing `ldapUserToDNMapping`, `ldapUserToDNCacheSize`, or `ldapUserToDNCacheTTLSeconds` using `setParameter`.
A successful LDAP authentication may perform two internal `mapUserToDN` lookups (during SASL bind and role resolution), increasing this counter by up to `2` per login. |
+| `misses` | The number of `mapUserToDN` lookups not served from the cache since the last cache invalidation.
A miss occurs when an entry is missing or has expired.
This counter resets to `0` whenever the cache is invalidated. |
+| `invalidations` | The total number of cache invalidations since server startup.
This value increases whenever `ldapUserToDNMapping`, `ldapUserToDNCacheSize`, or `ldapUserToDNCacheTTLSeconds` is changed using `setParameter`.
Unlike `hits` and `misses`, this counter does not reset.
The initial cache creation during startup is not counted as an invalidation. |
+
+### Calculate the cache hit rate
+
+You can calculate the hit rate for the current cache generation using the following command:
+
+```sh
+var c = db.serverStatus().ldap.userToDNCache;
+var total = c.hits + c.misses;
+var hitRate = total > 0 ? c.hits / total : null;
+```
+
+A higher hit rate means more LDAP userToDN lookups are served from cache, reducing requests to the LDAP server.
+
+Monitor invalidations together with hits and misses. If hits and misses suddenly drop to low values and invalidations increases, this usually indicates that an LDAP-related runtime parameter was changed. It does not necessarily indicate degraded cache performance.
+
+### Related parameters
+
+| **Parameter** | **Description** |
+|:----------|:------------|
+| `ldapUserToDNCacheSize` | Maximum number of cache entries. The default value is `10000`. Set to `0` to disable the cache. |
+| `ldapUserToDNCacheTTLSeconds` | Time-to-live (TTL) for cache entries, in seconds. The default value is `30`. Set to `0` to disable the cache. |
+| `ldapUserToDNMapping` | JSON mapping rules used to map LDAP usernames to Distinguished Names (DNs). Changing this parameter at runtime invalidates the cache. |
+
+
From d41d3d0fafa8850b5657ed8248ca971c9cb2286d Mon Sep 17 00:00:00 2001
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:15:47 +0530
Subject: [PATCH 02/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
docs/ldap-parameters.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index a65d68d1d..0028278c7 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -34,7 +34,7 @@ The cache is automatically invalidated when any of the following parameters chan
| `ldapQueryPassword` | optional | Password for the query user.
-## Monitor userToDNCache
+## Monitor userToDNCache
Percona Server for MongoDB exposes LDAP userToDN cache statistics in the `db.serverStatus()` output when the server is configured to use LDAP authentication with `--ldapServers`.
From 65086c612ddbb7c3efcbdefb449f12ffe71c9e80 Mon Sep 17 00:00:00 2001
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:16:03 +0530
Subject: [PATCH 03/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
docs/ldap-parameters.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index 0028278c7..b10e9d619 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -3,7 +3,7 @@
Percona Server for MongoDB provides a set of configuration parameters to enable and fine-tune LDAP authentication and authorization.
-## userToDNCache cache parameters
+## User-to-DN cache parameters
To reduce the number of round trips to the LDAP server during authentication and authorization, Percona Server for MongoDB caches the results of LDAP user-to-DN mapping configured by `security.ldap.userToDNMapping` (exposed as `--ldapUserToDNMapping` at startup and `ldapUserToDNMapping` at runtime).
From 7931868f1e0a6cc6c00ed290a28621bd4b0106e0 Mon Sep 17 00:00:00 2001
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:16:31 +0530
Subject: [PATCH 04/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
docs/ldap-parameters.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index b10e9d619..e27bcd2ed 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -31,7 +31,7 @@ The cache is automatically invalidated when any of the following parameters chan
| `ldapUserToDNCacheSize` | No | Changing the cache size clears the cache. |
| `ldapServers` | Yes | Comma-separated list of LDAP servers to connect to. |
| `ldapQueryUser` | optional | Distinguished Name (DN) of the user used to perform LDAP queries. |
-| `ldapQueryPassword` | optional | Password for the query user.
+| `ldapQueryPassword` | optional | Password for the query user. |
## Monitor userToDNCache
From a00db687927e59dfb47ca2530e0ffb5ef6ef75d1 Mon Sep 17 00:00:00 2001
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:16:52 +0530
Subject: [PATCH 05/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
docs/ldap-parameters.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index e27bcd2ed..b874cf810 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -85,7 +85,7 @@ var hitRate = total > 0 ? c.hits / total : null;
A higher hit rate means more LDAP userToDN lookups are served from cache, reducing requests to the LDAP server.
-Monitor invalidations together with hits and misses. If hits and misses suddenly drop to low values and invalidations increases, this usually indicates that an LDAP-related runtime parameter was changed. It does not necessarily indicate degraded cache performance.
+Monitor invalidations together with hits and misses. If hits and misses suddenly drop to low values and invalidations increase, this usually indicates that an LDAP-related runtime parameter was changed. It does not necessarily indicate degraded cache performance.
### Related parameters
From 378d9b5fa42b9e3cef300e8ff9795cb467416b03 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Jun 2026 06:48:54 +0000
Subject: [PATCH 06/16] docs: mark mongosh cache hit-rate snippet as javascript
---
docs/ldap-parameters.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index b874cf810..b18b6c096 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -44,7 +44,7 @@ The `ldap.userToDNCache` document reports the status and performance of the in-m
Run the following command:
-```sh
+```javascript
db.serverStatus().ldap.userToDNCache
```
@@ -99,4 +99,3 @@ Monitor invalidations together with hits and misses. If hits and misses suddenly
-
From cca7db511860f6d6e8ee1bc36515fb58e1c2da1c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Jun 2026 06:48:55 +0000
Subject: [PATCH 07/16] docs: fix code block languages in LDAP cache example
---
docs/ldap-parameters.md | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index b18b6c096..4b9b266a4 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -49,15 +49,15 @@ db.serverStatus().ldap.userToDNCache
```
??? example "Output"
- ```bash
+ ```{.json .no-copy}
{
- "enabled": true,
- "maxSize": 10000,
- "currentSize": 42,
- "ttlSeconds": 30,
- "hits": 1847,
- "misses": 63,
- "invalidations": 2
+ "enabled": true,
+ "maxSize": 10000,
+ "currentSize": 42,
+ "ttlSeconds": 30,
+ "hits": 1847,
+ "misses": 63,
+ "invalidations": 2
}
```
From 52fa282459067971f255cea1a9e71b284307479c Mon Sep 17 00:00:00 2001
From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:20:07 +0530
Subject: [PATCH 08/16] Update ldap-parameters.md
---
docs/ldap-parameters.md | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index b874cf810..f976462dd 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -73,6 +73,9 @@ The different fields are described in the table below.
| `misses` | The number of `mapUserToDN` lookups not served from the cache since the last cache invalidation.
A miss occurs when an entry is missing or has expired.
This counter resets to `0` whenever the cache is invalidated. |
| `invalidations` | The total number of cache invalidations since server startup.
This value increases whenever `ldapUserToDNMapping`, `ldapUserToDNCacheSize`, or `ldapUserToDNCacheTTLSeconds` is changed using `setParameter`.
Unlike `hits` and `misses`, this counter does not reset.
The initial cache creation during startup is not counted as an invalidation. |
+!!! note
+ The `hits` and `misses` counters reset to `0` on each cache invalidation. `invalidations` never resets.
+
### Calculate the cache hit rate
You can calculate the hit rate for the current cache generation using the following command:
@@ -85,8 +88,9 @@ var hitRate = total > 0 ? c.hits / total : null;
A higher hit rate means more LDAP userToDN lookups are served from cache, reducing requests to the LDAP server.
-Monitor invalidations together with hits and misses. If hits and misses suddenly drop to low values and invalidations increase, this usually indicates that an LDAP-related runtime parameter was changed. It does not necessarily indicate degraded cache performance.
-
+!!! note
+ If `hits` and `misses` drop sharply and `invalidations` increases, an LDAP-related runtime parameter was likely changed. This does not necessarily indicate degraded cache performance.
+
### Related parameters
| **Parameter** | **Description** |
From a089f2e8c90fb4c8a62134067eb8b4fdcd64db43 Mon Sep 17 00:00:00 2001
From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:29:30 +0530
Subject: [PATCH 09/16] Update ldap-parameters.md
---
docs/ldap-parameters.md | 26 +++++++++-----------------
1 file changed, 9 insertions(+), 17 deletions(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index f976462dd..9606f7aa1 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -3,9 +3,9 @@
Percona Server for MongoDB provides a set of configuration parameters to enable and fine-tune LDAP authentication and authorization.
-## User-to-DN cache parameters
+## userToDN cache parameters
-To reduce the number of round trips to the LDAP server during authentication and authorization, Percona Server for MongoDB caches the results of LDAP user-to-DN mapping configured by `security.ldap.userToDNMapping` (exposed as `--ldapUserToDNMapping` at startup and `ldapUserToDNMapping` at runtime).
+To reduce the number of round trips to the LDAP server during authentication and authorization, Percona Server for MongoDB caches the results of LDAP userToDN mapping configured by `security.ldap.userToDNMapping` (exposed as `--ldapUserToDNMapping` at startup and `ldapUserToDNMapping` at runtime).
For more details on configuring user-to-DN mapping, see [LDAP authorization](authorization.md#username-transformation) and [Set up LDAP authentication and authorization using NativeLDAP](ldap-setup.md).
@@ -61,17 +61,17 @@ db.serverStatus().ldap.userToDNCache
}
```
-The different fields are described in the table below.
+The following table describes the fields returned in the `ldap.userToDNCache` document.
| **Field** | **Description** |
|-------|-------------|
| `enabled` | Indicates whether the LDAP user-to-DN cache is active.
The cache is disabled when either `ldapUserToDNCacheTTLSeconds` or `ldapUserToDNCacheSize` is set to `0`.
When disabled, all user-to-DN lookups are sent directly to the LDAP server. |
-| `maxSize` | The maximum number of username-to-DN mappings that can be stored in the cache.
Corresponds to the `ldapUserToDNCacheSize` server parameter.
When the cache reaches this limit, the least recently used entry is evicted to make room for a new one. |
-| `currentSize` | The current number of username-to-DN mappings stored in the cache. |
+| `maxSize` | The maximum number of `username-to-DN mappings` that can be stored in the cache.
Corresponds to the `ldapUserToDNCacheSize` server parameter.
When the cache reaches this limit, the least recently used entry is evicted.|
+| `currentSize` | The current number of `username-to-DN` mappings stored in the cache. |
| `ttlSeconds` | The time-to-live (TTL) for cache entries, in seconds.
Corresponds to the `ldapUserToDNCacheTTLSeconds` server parameter.
Entries older than this value are treated as expired and are not served from the cache. |
-| `hits` | The number of `mapUserToDN` lookups served from the cache since the last cache invalidation.
This counter resets to `0` when the cache is invalidated, for example after changing `ldapUserToDNMapping`, `ldapUserToDNCacheSize`, or `ldapUserToDNCacheTTLSeconds` using `setParameter`.
A successful LDAP authentication may perform two internal `mapUserToDN` lookups (during SASL bind and role resolution), increasing this counter by up to `2` per login. |
-| `misses` | The number of `mapUserToDN` lookups not served from the cache since the last cache invalidation.
A miss occurs when an entry is missing or has expired.
This counter resets to `0` whenever the cache is invalidated. |
-| `invalidations` | The total number of cache invalidations since server startup.
This value increases whenever `ldapUserToDNMapping`, `ldapUserToDNCacheSize`, or `ldapUserToDNCacheTTLSeconds` is changed using `setParameter`.
Unlike `hits` and `misses`, this counter does not reset.
The initial cache creation during startup is not counted as an invalidation. |
+| `hits` | The number of `mapUserToDN` lookups served from the cache since the last cache invalidation.|
+| `misses` | The number of `mapUserToDN` lookups not served from the cache since the last cache invalidation.
A miss occurs when an entry is missing or has expired.|
+| `invalidations` | The total number of cache invalidations since server startup.
Unlike `hits` and `misses`, this counter does not reset.
|
!!! note
The `hits` and `misses` counters reset to `0` on each cache invalidation. `invalidations` never resets.
@@ -86,18 +86,10 @@ var total = c.hits + c.misses;
var hitRate = total > 0 ? c.hits / total : null;
```
-A higher hit rate means more LDAP userToDN lookups are served from cache, reducing requests to the LDAP server.
+A higher hit rate means more LDAP `userToDN` lookups are served from cache, reducing requests to the LDAP server.
!!! note
If `hits` and `misses` drop sharply and `invalidations` increases, an LDAP-related runtime parameter was likely changed. This does not necessarily indicate degraded cache performance.
-
-### Related parameters
-
-| **Parameter** | **Description** |
-|:----------|:------------|
-| `ldapUserToDNCacheSize` | Maximum number of cache entries. The default value is `10000`. Set to `0` to disable the cache. |
-| `ldapUserToDNCacheTTLSeconds` | Time-to-live (TTL) for cache entries, in seconds. The default value is `30`. Set to `0` to disable the cache. |
-| `ldapUserToDNMapping` | JSON mapping rules used to map LDAP usernames to Distinguished Names (DNs). Changing this parameter at runtime invalidates the cache. |
From b67638dcc0a3509f2302aa40c9aa5abb4cf87586 Mon Sep 17 00:00:00 2001
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:30:28 +0530
Subject: [PATCH 10/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
docs/ldap-parameters.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index 83d9a1928..f974476a8 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -24,7 +24,7 @@ The cache is controlled by the following server parameters:
The cache is automatically invalidated when any of the following parameters change at runtime:
-| **Parameter**| **Required** | **Description** |
+| **Parameter** | **Required** | **Description** |
|--------------|----------|---------------------|
| `ldapUserToDNMapping` | Yes | Rules for mapping usernames to LDAP DNs. |
| `ldapUserToDNCacheTTLSeconds` | No | Changing the TTL value clears the cache. |
From d3c87f19d722dcccbcc42e55bb348aac2149a427 Mon Sep 17 00:00:00 2001
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:33:08 +0530
Subject: [PATCH 11/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
docs/ldap-parameters.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index f974476a8..a2d5c1767 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -80,7 +80,7 @@ The following table describes the fields returned in the `ldap.userToDNCache` do
You can calculate the hit rate for the current cache generation using the following command:
-```sh
+```javascript
var c = db.serverStatus().ldap.userToDNCache;
var total = c.hits + c.misses;
var hitRate = total > 0 ? c.hits / total : null;
From a70c88b6d2e37e5bffa09008e94ff22ab8f1c043 Mon Sep 17 00:00:00 2001
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:33:46 +0530
Subject: [PATCH 12/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
docs/ldap-parameters.md | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index a2d5c1767..2d5a17a00 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -51,13 +51,13 @@ db.serverStatus().ldap.userToDNCache
??? example "Output"
```{.json .no-copy}
{
- "enabled": true,
- "maxSize": 10000,
- "currentSize": 42,
- "ttlSeconds": 30,
- "hits": 1847,
- "misses": 63,
- "invalidations": 2
+ "enabled": true,
+ "maxSize": 10000,
+ "currentSize": 42,
+ "ttlSeconds": 30,
+ "hits": 1847,
+ "misses": 63,
+ "invalidations": 2
}
```
From a679b0e9ab5e3531d46fea94f0df03b16e8e3925 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 19 Jun 2026 07:06:58 +0000
Subject: [PATCH 13/16] Fix Required column consistency in LDAP invalidation
table
---
docs/ldap-parameters.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index 2d5a17a00..7ec4dbc1a 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -30,8 +30,8 @@ The cache is automatically invalidated when any of the following parameters chan
| `ldapUserToDNCacheTTLSeconds` | No | Changing the TTL value clears the cache. |
| `ldapUserToDNCacheSize` | No | Changing the cache size clears the cache. |
| `ldapServers` | Yes | Comma-separated list of LDAP servers to connect to. |
-| `ldapQueryUser` | optional | Distinguished Name (DN) of the user used to perform LDAP queries. |
-| `ldapQueryPassword` | optional | Password for the query user. |
+| `ldapQueryUser` | No | Distinguished Name (DN) of the user used to perform LDAP queries. |
+| `ldapQueryPassword` | No | Password for the query user. |
## Monitor userToDNCache
From 48f849e94467edae938b8621d9bb892e06316857 Mon Sep 17 00:00:00 2001
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:37:27 +0530
Subject: [PATCH 14/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
docs/ldap-parameters.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index 7ec4dbc1a..022b63743 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -71,7 +71,7 @@ The following table describes the fields returned in the `ldap.userToDNCache` do
| `ttlSeconds` | The time-to-live (TTL) for cache entries, in seconds.
Corresponds to the `ldapUserToDNCacheTTLSeconds` server parameter.
Entries older than this value are treated as expired and are not served from the cache. |
| `hits` | The number of `mapUserToDN` lookups served from the cache since the last cache invalidation.|
| `misses` | The number of `mapUserToDN` lookups not served from the cache since the last cache invalidation.
A miss occurs when an entry is missing or has expired.|
-| `invalidations` | The total number of cache invalidations since server startup.
Unlike `hits` and `misses`, this counter does not reset.
|
+| `invalidations` | The total number of cache invalidations since server startup.
Unlike `hits` and `misses`, this counter does not reset. |
!!! note
The `hits` and `misses` counters reset to `0` on each cache invalidation. `invalidations` never resets.
From ae316b354dd50f516b1e125cd5fed3d6cf0d85d2 Mon Sep 17 00:00:00 2001
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:37:46 +0530
Subject: [PATCH 15/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
docs/ldap-parameters.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index 022b63743..2c763d3fa 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -5,7 +5,7 @@ Percona Server for MongoDB provides a set of configuration parameters to enable
## userToDN cache parameters
-To reduce the number of round trips to the LDAP server during authentication and authorization, Percona Server for MongoDB caches the results of LDAP userToDN mapping configured by `security.ldap.userToDNMapping` (exposed as `--ldapUserToDNMapping` at startup and `ldapUserToDNMapping` at runtime).
+To reduce the number of round trips to the LDAP server during authentication and authorization, Percona Server for MongoDB caches the results of LDAP user-to-DN mapping configured by `security.ldap.userToDNMapping` (exposed as `--ldapUserToDNMapping` at startup and `ldapUserToDNMapping` at runtime).
For more details on configuring user-to-DN mapping, see [LDAP authorization](authorization.md#username-transformation) and [Set up LDAP authentication and authorization using NativeLDAP](ldap-setup.md).
From d094737ba22f74f01ef0bc33a4943a4aabfcd5f3 Mon Sep 17 00:00:00 2001
From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com>
Date: Mon, 22 Jun 2026 12:12:20 +0530
Subject: [PATCH 16/16] Update ldap-parameters.md
---
docs/ldap-parameters.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/ldap-parameters.md b/docs/ldap-parameters.md
index 2c763d3fa..eb0f21b39 100644
--- a/docs/ldap-parameters.md
+++ b/docs/ldap-parameters.md
@@ -30,7 +30,7 @@ The cache is automatically invalidated when any of the following parameters chan
| `ldapUserToDNCacheTTLSeconds` | No | Changing the TTL value clears the cache. |
| `ldapUserToDNCacheSize` | No | Changing the cache size clears the cache. |
| `ldapServers` | Yes | Comma-separated list of LDAP servers to connect to. |
-| `ldapQueryUser` | No | Distinguished Name (DN) of the user used to perform LDAP queries. |
+| `ldapQueryUser` | No | Username of the account used to connect to and query the LDAP server. |
| `ldapQueryPassword` | No | Password for the query user. |