Using the ObjectChangeListener API from JNDI, on supported LDAP servers and Active Directory (the MS version definitely supports this at least), user and group objects that get modified should be used to either update the internal UserDetails/GroupDetails caches or to know which cache keys to evict if updating the cache from the event is too complicated. This will help balance the needs of caching performance with more accurate data.