archiva-dev mailing list archives

From Deng Ching <och...@apache.org>
Subject Re: Archiva issue with LDAP (MRM-1488)
Date Fri, 26 Aug 2011 07:03:49 GMT
Made a few more changes to the fix. I removed the caching of the ldap
connection as that might also pose a security issue. I configured connection
pooling when Sun's ldap context factory is used (thanks Brent!) then just
cached the ldap users' userDn to minimize the lookups to the LDAP server
during authn bind.

With these changes in, 'clean install' on archiva-parent now took 7:03.851s
in my local.

-Deng

On Fri, Aug 26, 2011 at 12:04 PM, Deng Ching <oching@apache.org> wrote:

> It was the former, Brett. Right, I didn't think about closing the
> resources... thanks for pointing that out :)
>
> I'll do some testing on this. I'm actually thinking about reverting back
> the authentication part to not use the cache and only have the ldap users
> cached. I have to check, though, how big the difference would be in the builds
> if that would be the case, since I think it's the find/search for user that's
> taking a while.
>
> Thanks,
> Deng
>
> On Fri, Aug 26, 2011 at 11:47 AM, Brett Porter <brett@apache.org> wrote:
>
>> Did you do this with ehcache or the technique Brent outlined? If it's the
>> former, I'm worried about it not closing the resources - we should test it
>> with a lot of concurrent different users.
>>
>> On 26/08/2011, at 12:57 PM, Deng Ching wrote:
>>
>> > I made some changes to the impl, btw. Instead of just caching the ldap
>> > users, I've also cached the ldap connections. Not all ldap servers return a
>> > hashed password (some return just a masked string, e.g. ******) for the
>> > userPassword attribute of an ldap user so we can't do a comparison on it.
>> > You need to bind to the ldap server to authenticate, so I just cached the
>> > ldap connection of a user. For the ldap connections, I've set the TTL to
>> > 15secs., then 2 mins. TTL for the ldap users.
>> >
>> > I ran a 'clean install' on archiva-parent against an Archiva repo using JDO
>> > and LDAP for authentication, and these are the results:
>> > - JDO: 7:04.998s
>> > - LDAP: 7:17.382s
>> >
>> > Thanks,
>> > Deng
>> >
>> > On Thu, Aug 25, 2011 at 10:07 AM, Deng Ching <oching@apache.org> wrote:
>> >
>> >> On Thu, Aug 25, 2011 at 1:44 AM, Brent Atkinson <brent.atkinson@gmail.com> wrote:
>> >>
>> >>> Hi everyone,
>> >>>
>> >>> I actually ran into this when fixing the connection leaks. I realized it
>> >>> was probably building in too many assumptions, but I created and held onto the
>> >>> LdapCtxFactory in redback's LdapConnection for a very specific reason:
>> >>> connection pooling. The sun JNDI ldap implementation can pool connections
>> >>> sharing the same credentials *and config options* as long as they are
>> >>> created from the same LdapCtxFactory.
>> >>>
>> >>> http://download.oracle.com/javase/jndi/tutorial/ldap/connect/pool.html
>> >>>
>> >> Thanks Brent! We'll look into that.
>> >>
>> >>
>> >>> On Wed, Aug 24, 2011 at 8:57 AM, Wendy Smoak <wsmoak@gmail.com> wrote:
>> >>>
>> >>>> On Wed, Aug 24, 2011 at 2:45 AM, Deng Ching <oching@apache.org> wrote:
>> >>>>
>> >>>>> We're planning to use EhCache for this so we can also set a TTL
>> >>>>> (time-to-live) for the cached objects. A password change done from the
>> >>>>> webapp would flush the user in the cache.
>> >>>>
>> >>>> If you're using LDAP, would users be doing password changes from the
>> >>>> webapp?
>> >>>>
>> >>>> Making that TTL configurable by the admin would be good, then they can
>> >>>> trade off between extra calls to LDAP and 'how come my new password
>> >>>> doesn't work?'.
>> >>>
>> >>
>> >> Agreed. We'll add this functionality as well :)
>> >>
>> >> Thanks,
>> >> Deng
>> >>
>>
>> --
>> Brett Porter
>> brett@apache.org
>> http://brettporter.wordpress.com/
>> http://au.linkedin.com/in/brettporter
>>
>
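A sketch of the arrangement the thread settles on (bind as the user to authenticate, cache only the user's DN with a TTL, pool the service-account connections through the Sun LdapCtxFactory, and never keep a user's bound connection around), written as an added example rather than Redback's or Archiva's own code. The class name, the `uid` attribute, the service account and the constructor arguments are assumptions.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.naming.*;
import javax.naming.directory.*;

// Hypothetical helper, not Redback's code: bind-as-user auth that caches only the userDn for a TTL, never the bound connection.
public class LdapBindAuthenticator {
    private static final String FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
    private final String url, baseDn, serviceDn, servicePassword; // assumed deployment values
    private final long dnTtlMillis;                               // admin-configurable TTL
    private final Map<String, Map.Entry<String, Long>> dnCache = new ConcurrentHashMap<>(); // uid -> (dn, expiry)
    public LdapBindAuthenticator(String url, String baseDn, String serviceDn, String servicePassword, long dnTtlMillis) {
        this.url = url; this.baseDn = baseDn; this.serviceDn = serviceDn;
        this.servicePassword = servicePassword; this.dnTtlMillis = dnTtlMillis;
    }
    private Hashtable<String, String> env(String principal, String credentials, boolean pool) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        // Sun JNDI pools only connections sharing credentials and config from the same factory: worthwhile
        // for the service account, pointless (and credential-retaining) for per-user binds.
        if (pool) env.put("com.sun.jndi.ldap.connect.pool", "true");
        return env;
    }
    private String lookupDn(String uid) throws NamingException { // pooled service-account lookup, cache first
        Map.Entry<String, Long> e = dnCache.get(uid);
        if (e != null && e.getValue() > System.currentTimeMillis()) return e.getKey();
        DirContext ctx = new InitialDirContext(env(serviceDn, servicePassword, true));
        try {
            SearchControls sc = new SearchControls(SearchControls.SUBTREE_SCOPE, 1, 0, new String[0], false, false);
            // JNDI substitutes {0} with RFC 4515 escaping, so a login name cannot alter the filter
            NamingEnumeration<SearchResult> r = ctx.search(baseDn, "(uid={0})", new Object[] { uid }, sc);
            if (!r.hasMore()) return null;
            String dn = r.next().getNameInNamespace();
            dnCache.put(uid, new AbstractMap.SimpleEntry<String, Long>(dn, System.currentTimeMillis() + dnTtlMillis));
            return dn;
        } finally { ctx.close(); } // hands the connection back to the pool instead of leaking it
    }
    /** The bind itself is the password check: userPassword is often unreadable or masked (******). */
    public boolean authenticate(String uid, String password) throws NamingException {
        if (password == null || password.isEmpty()) return false; // an empty simple bind is anonymous on many servers
        String dn = lookupDn(uid); if (dn == null) return false;
        try { new InitialDirContext(env(dn, password, false)).close(); return true; } // bind, then drop the user's context
        catch (AuthenticationException bad) { return false; }
    }
    public void evict(String uid) { dnCache.remove(uid); } // flush on a password or account change from the webapp
}
```

Calling `evict` from the webapp's password-change path is what keeps the TTL trade-off Wendy describes from turning into "my new password doesn't work".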
