Bulk requests like LdapMember#getLdapGroups led to many members with the same expiration, which in turn caused LDAP roundtrip peaks when they expired. Now, the LdapUserProvider (esp. the SimpleActiveDirectoryUserProvider and the ActiveDirectoryUserProvider ) deskew their members' expirations by a random factor up to 10% of the configured com.coremedia.ldap.expiration in order to equalize invalidations over time. I.e. if you configure an expiration of 3600s (one hour, default), a member may not be refreshed up to 3960s. If the exact maximum expiration is important in your project, you should lower your com.coremedia.ldap.expiration value accordingly.

Deprecated UserProvider#getExpirationSeconds

... because it is not needed any longer. Possible overridings for the LdapUserProvider remain effective for compatibility. However, the method is logically related to com.coremedia.ldap.expiration , which is also used internally. Thus, overriding the method is no good idea and you should rather stick to setting the property.