directory-dev mailing list archives

From: Sebastian Oerding <>
Subject: Re: Writing / integrating LDAP server
Date: Wed, 17 Sep 2014 11:56:20 GMT
Hello Kiran,

thanks for your great reply, even outlining the code for an interceptor.
Actually I haven't really started digging into implementing an
interceptor, but I will do so after writing this mail. However, currently
there are two points left open for me.

1) Reading the outlined code up to the line
q.add(new MyCustomCertRequest(.....));
(were the negation / notEmpty exchanged?), I do not understand how
responding to a client is delayed until the certificate is available in
the fallback case (or do I have to insert it into the cursor?).

2) Due to my requirements the certificates (only X.509 certificates with
the X.509 extension SubjectKeyIdentifier) are requested by the
subjectKeyIdentifier. Furthermore the revocation state for certificates
may be set by LDAP requests, and certificates may be stored in the LDAP.
Except for these requests no other requests are valid. Hence if I write an
interceptor and have a chain of these components, I end up with a chain of
Apache DS instances. Each instance in this chain will for example do the
same verification on the request and so on. Hence I would expect this
approach to lead to a huge performance overhead (notice the worst case
scenario of over 2.400.000 requests every 900 seconds). Furthermore there
are other considerations which may prevent using an interceptor. Hence I
wonder how much it would take me to write a minimal / pseudo LDAP server
which is only capable of the two specified request types and nothing
else. However, having read RFC 4510 and 4511 and having taken a look into
related RFCs, I do not want to implement even "only" my own pseudo server
from scratch by myself. Thus the question remained whether there is
some stuff I can take from the Apache DS / related projects to simply
listen for incoming requests, do my simple parsing and, depending on the
request, forward it to the LDAP server, return the response if there is
any and one is expected, or fall back to the 3rd party system if no
certificate is found on the LDAP server. In the latter case I want to
take the response from the 3rd party system, store it on the server and
transmit the response to the client as LDAP PDUs according to the request.

Can you provide any information about this issue?
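To make the "minimal / pseudo LDAP server" idea from the message above concrete, here is an added example in Python; it is not part of this thread and not Apache DS code. It implements only the subset of RFC 4511 the use case needs: a BER decoder/encoder for the few element types involved, a parser that accepts nothing but a SearchRequest whose filter is an equalityMatch on subjectKeyIdentifier, a front end that answers from a local store, calls a third-party fetcher on a miss and stores what it received, and encoders for the SearchResultEntry / SearchResultDone PDUs sent back. Every other request is refused with resultCode unwillingToPerform. The class and function names, the DN layout, the attribute name `userCertificate;binary` as the returned attribute, and the placeholder certificate bytes are assumptions / constructed for the example; the `store` dict stands in for the real LDAP backend.

```python
"""Minimal LDAP front end for subjectKeyIdentifier lookups (RFC 4511 subset).
Added example with constructed names and data; not Apache DS code."""
from typing import Callable, Dict, Optional, Tuple

# BER tags used by this LDAP subset (X.690 universal tags, RFC 4511 application tags)
SEQUENCE, SET, INTEGER, OCTET_STRING, ENUMERATED, BOOLEAN = 0x30, 0x31, 0x02, 0x04, 0x0A, 0x01
SEARCH_REQUEST, SEARCH_ENTRY, SEARCH_DONE, EQUALITY_MATCH = 0x63, 0x64, 0x65, 0xA3
UNWILLING_TO_PERFORM = 53  # LDAPResult resultCode


def _length(n: int) -> bytes:
    """Definite-length BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def integer(value: int) -> bytes:
    """INTEGER in two's complement with the minimal number of content octets."""
    return tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode the element starting at pos; return (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_search_request(msg_id: int, base_dn: str, ski: bytes) -> bytes:
    """Client side: SearchRequest with the filter (subjectKeyIdentifier=<ski>)."""
    ava = tlv(OCTET_STRING, b"subjectKeyIdentifier") + tlv(OCTET_STRING, ski)
    body = (tlv(OCTET_STRING, base_dn.encode())
            + tlv(ENUMERATED, b"\x02")  # scope: wholeSubtree
            + tlv(ENUMERATED, b"\x00")  # derefAliases: neverDerefAliases
            + integer(0) + integer(0)   # sizeLimit, timeLimit: none
            + tlv(BOOLEAN, b"\x00")     # typesOnly: FALSE
            + tlv(EQUALITY_MATCH, ava)
            + tlv(SEQUENCE, tlv(OCTET_STRING, b"userCertificate;binary")))  # attributes
    return tlv(SEQUENCE, integer(msg_id) + tlv(SEARCH_REQUEST, body))


def parse_message(pdu: bytes) -> Tuple[int, int, bytes]:
    """Split an LDAPMessage into (messageID, protocolOp tag, protocolOp content)."""
    tag, msg, _ = read_tlv(pdu)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    op_tag, op, _ = read_tlv(msg, pos)
    return int.from_bytes(mid, "big", signed=True), op_tag, op


def extract_ski(search_op: bytes) -> bytes:
    """Accept only a filter of the form (subjectKeyIdentifier=X) and return X."""
    pos = 0
    for _ in range(6):  # skip baseObject, scope, derefAliases, sizeLimit, timeLimit, typesOnly
        _, _, pos = read_tlv(search_op, pos)
    tag, ava, _ = read_tlv(search_op, pos)
    if tag != EQUALITY_MATCH:
        raise ValueError("only an equalityMatch filter is supported")
    _, attr, pos = read_tlv(ava)
    _, value, _ = read_tlv(ava, pos)
    if attr.lower() != b"subjectkeyidentifier":
        raise ValueError("only subjectKeyIdentifier lookups are supported")
    return value


def search_entry(msg_id: int, dn: str, cert_der: bytes) -> bytes:
    """SearchResultEntry carrying one userCertificate;binary value."""
    attr = tlv(SEQUENCE, tlv(OCTET_STRING, b"userCertificate;binary") + tlv(SET, tlv(OCTET_STRING, cert_der)))
    return tlv(SEQUENCE, integer(msg_id) + tlv(SEARCH_ENTRY, tlv(OCTET_STRING, dn.encode()) + tlv(SEQUENCE, attr)))


def search_done(msg_id: int, code: int = 0, diag: bytes = b"") -> bytes:
    """SearchResultDone: LDAPResult { resultCode, matchedDN, diagnosticMessage }."""
    result = tlv(ENUMERATED, bytes([code])) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, diag)
    return tlv(SEQUENCE, integer(msg_id) + tlv(SEARCH_DONE, result))


class CertFrontEnd:
    """Serves SKI lookups from a local store; on a miss asks the 3rd-party fetcher and caches the hit."""

    def __init__(self, store: Dict[bytes, bytes], fetch_fallback: Callable[[bytes], Optional[bytes]]):
        self.store = store                    # SKI -> DER certificate (stands in for the LDAP backend)
        self.fetch_fallback = fetch_fallback  # the 3rd-party system
        self.fallback_calls = 0

    def handle(self, pdu: bytes) -> bytes:
        msg_id, op_tag, op = parse_message(pdu)
        try:
            if op_tag != SEARCH_REQUEST:
                raise ValueError("only SearchRequest is supported")
            ski = extract_ski(op)
        except ValueError as exc:
            return search_done(msg_id, UNWILLING_TO_PERFORM, str(exc).encode())
        cert = self.store.get(ski)
        if cert is None:
            self.fallback_calls += 1
            cert = self.fetch_fallback(ski)
            if cert is not None:
                self.store[ski] = cert  # keep it so the next lookup is served locally
        if cert is None:
            return search_done(msg_id)  # success with zero entries
        return search_entry(msg_id, f"cn={ski.hex()},ou=certs,dc=example,dc=com", cert) + search_done(msg_id)


def decode_response(resp: bytes) -> Tuple[int, int]:
    """Client side: count SearchResultEntry PDUs and read the SearchResultDone result code."""
    entries, code, pos = 0, -1, 0
    while pos < len(resp):
        _, msg, pos = read_tlv(resp, pos)
        _, _, p = read_tlv(msg)  # messageID
        tag, op, _ = read_tlv(msg, p)
        if tag == SEARCH_ENTRY:
            entries += 1
        elif tag == SEARCH_DONE:
            code = read_tlv(op)[1][0]
    return entries, code
```

The parser is deliberately narrow: it decodes exactly the element sequence a SearchRequest has and rejects every other protocolOp and every other filter shape, which is what keeps a two-operation front end cheap per request and keeps its exposed surface small. Feeding `handle()` from a socket loop is the only part missing; the fallback result is written into the store before the entry is encoded, so a repeated lookup for the same SKI never reaches the third-party system again.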
