Why does Artifactory authenticate user on every npm install request?

Question

We use Artifactory to store our local npm artifacts and to also cache the remote npm registry. To authenticate (with AD accounts) against Artifactory with npm, we use the basic authentication as proposed by the "Set Me Up" page from Artifactory. For example:

_auth = < username >:< password >
email = youremail@email.com
always-auth = true

This all works correctly, but there is one problem in that that Artifactory authenticates the user for every package that is downloaded. The artifactory.log log then looks like this (please note, output was redacted):

Trying to authenticate user 'user1' via ldap.
Attempting to bind as cn=user1,ou=someou,ou=ou1,ou=ou2,ou=ou3,dc=internal,dc=comp,dc=int
Retrieving attributes...
'user1' authenticated successfully by ldap server.
Loading LDAP groups
Finished Loading LDAP groups
Trying to authenticate user 'user1' via ldap.
Trying to authenticate user 'user1' via ldap.
Trying to authenticate user 'user1' via ldap.
Trying to authenticate user 'user1' via ldap.
Trying to authenticate user 'user1' via ldap.
Trying to authenticate user 'user1' via ldap.
Trying to authenticate user 'user1' via ldap.
Trying to authenticate user 'user1' via ldap.
Trying to authenticate user 'user1' via ldap.
Trying to authenticate user 'user1' via ldap.
Trying to authenticate user 'user1' via ldap.
Attempting to bind as cn=user1,ou=someou,ou=ou1,ou=ou2,ou=ou3,dc=internal,dc=comp,dc=int
...

As I mentioned, authentication works and the artifact is also downloaded but this constant authentication for every artifact can sometimes cause a timeout with the the LDAP server:

Failed to authenticate user 'user1' using ldap.
org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: LDAP response read timed out, timeout used:10000ms.
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:285)
    at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:119)
    at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:138)
    at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:791)
    ...

This then causes the artifact which was being downloaded at that point in time to fail to download, causing our build to fail.

So, my question is why does this happen and is there a way to avoid this as it also puts load on our LDAP server every time we run our build jobs?

Answer 1

Since every request for a package is a separate request and not part of one long transaction which can be identified, Artifactory must authenticate the user. Think about a scenario were the same user is sending requests from multiple hosts, how do you make sure that it has the right credentials?

Having said that, Artifactory has a cache mechanism to cache data about authentication against external systems such as LDAP for REST API requests. You can tune this cache in order to decrease the amount of requests sent to the LDAP server by setting the artifactory.security.authentication.cache.idleTimeSecs Artifactory system property.
For more info, please look at Managing Security with LDAP