directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kiran Ayyagari <>
Subject Re: Writing / integrating LDAP server
Date Wed, 17 Sep 2014 10:23:19 GMT
On Wed, Sep 17, 2014 at 1:54 PM, Sebastian Oerding <> wrote:

> Hello,
> Hi Sebastian,

> I have very specific requirements. We want to use a LDAP server for
> storing X.509 certificates. At runtime certificates are requested from the
> LDAP server. However there will be the case that a certificate is unknown
> by the server. In this case the certificate is requested from a 3rd pary
> system, stored into the LDAP server to avoid the fallback for future
> requests, and returned to the client originally requesting the certificate.
> so, to be clear that we are on same page, when the certificate is
retrieved from 3rd party source
it will be stored into the LDAP server before/after returning, right?

> Hence I wonder to write a component forwarding client requests to a
> connected LDAP server and falling back to the other approach in case of no
> result on the LDAP. However this means I have to be able to "speak" the
> LDAP protocol at least to return data obtained from the fallback approach
> as proper LDP protocol data units or to forward responses from the LDAP
> back to the client. The Java classes make it really simple to "unwrap"
> data, for example to get a requested certificate as byte[] but this gives
> no hint to me how to "wrap" the data into proper LDAP responses.
> Unfortunately Google gives no search result providing held in writing a
> LDAP server in Java. Can someone provide help by giving information about a
> specific package to look into the Apache DS source code? It would also
> appreciate other approaches. However my component must be chainable. Thus
> extending the Apache DS by self written interceptors may be a problem due
> to possible performance overhead (not offending but having the complete
> logic of the server in each step of a chain feels like an overkill and we
> may produce a high load such as 2.400.000 requests every 900 seconds).
> Any useful hints?
> unless you have control over your client, the only way with ApacheDS is to
add a custom
interceptor and overwrite the search() operation.

The implementation will be like:

Note that I used a async mode to fetch and store the missing certs, to
avoid possible delays per each
local search that found zero certs. You may make it synchronous as per your

   public class X509SearchInterceptor extends BaseInterceptor
        public void init( DirectoryService directoryService ) throws
          super.init( directoryService );
          // initialize a queue that holds the search requests for which no
certs wee found
          LinkedBlockingQueue queue = .....

          // and start a thread to process the messages pushed to this
queue from the search method

    public EntryFilteringCursor search( SearchOperationContext
searchContext ) throws LdapException
        // first let the search complete
        EntryFilteringCursor cursor = next( searchContext );

        // but before returning the cursor to read the entries
        // check if the cursor has any entries

        boolean notEmpty =;

          // reset the cursor position
            // push the search details to the queue for async processing of
            // from 3rd party source and storing in LDAP
            q.add(new MyCustomCertRequest(.....));

        // continue
        return cursor;

With kind regards
> Sebastian

Kiran Ayyagari

View raw message