directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Karasulu <>
Subject Re: [ApacheDS] Bind performance
Date Mon, 17 Jul 2006 05:05:59 GMT
Noel J. Bergman wrote:
> Alex,
> In many real-world cases, e.g., application servers binding to LDAP, you are
> going to see a small number of frequently re-used credentials.  Judging from
> your results, it appears that performance would benefit greatly from
> exposing a credential cache closer to the bind code.  A trigger, for
> example, could be used to invalidate the credential cache entry, which
> addresses the issue of stale cache entries.

This is a *really* good idea!  Doing this correctly is not that easy 
after some thought.  I know I was enthusiastic over the phone but I 
realized some issues due to the design.

I'm a bit upset because DN normalization, and the fact that other kinds 
of binds get in the way of doing this easily with the big bang we're 
hoping for.  I'm afraid the best we can do is maintain a credential 
cache in the SimpleAuthenticator yet this is deep inside the core and 
not as close to the front-end code.  If the front-end's BindHandler 
could do this correctly then the performance would go through the roof.

BTW the check's to invalidate this cache need to be managed using the 
modify() method of the AuthenticationService (Interceptor) in the core. 
It can call invalidateCredentials( LdapDN ) on the SimpleAuthenticator.

It's possible to do this to improve performance by preventing certain 
recurrent lookups.  But this is will give us less of a performance gain 
than just doing it in the BindHandler :(.  It is however more correct to 
do it in the SimpleAuthenticator.


View raw message