From Kiran Ayyagari <>
Subject Re: Writing / integrating LDAP server
Date Wed, 17 Sep 2014 16:39:16 GMT
On Wed, Sep 17, 2014 at 5:26 PM, Sebastian Oerding <> wrote:

> Hello Kiran,
> thanks for your great reply even outlining the code for an interceptor.
> Actually I haven't really started digging into implementing an interceptor
> but I will do so after writing this mail. However currently there are two
> points left open for me.
> 1) Reading the outlined code to the line
> q.add(new MyCustomCertRequest(.....));
> (did the negation / notEmpty were exchanged?) I do not understand how
> responding to a client is delayed until the certificate is available in the
> fallback case (or do I have to insert it into the cursor).
nah, that pseudo code is describing a scenario where, when a cert is not found, the
server will not wait till you fetch the cert from a 3rd party server and

> 2) Due to my requirements the certificates (only X.509 certificates with
> X.509 extension SubjectKeyIdentifier) are requested by the
> subjectKeyIdentifier. Furthermore the revocation state for certificates may
> be set by LDAP requests and certificates may be stored in the LDAP. Except
> for these requests no other requests are valid. Hence if I write an interceptor
> and have a chain of this component, I end up with a chain of Apache DS

are you referring to having multiple instances of ApacheDS? I don't see how having a custom interceptor
leads to multiple ApacheDS instances, can you elaborate on what your idea

> instances. Each instance in this chain will for example do the same
> verification on the request and so on. Hence I would expect this approach
> leading to a huge performance overhead (notice the worst case scenario of
> over 2.400.000 requests each 900 seconds). Furthermore there are other
> considerations which may prevent using an interceptor. Hence I wonder how
> much it would take me to write a minimal / pseudo LDAP server which only is
> capable of the two specified request types and nothing else. However having
> read RFC 4510, 4511 and having taken a look into related RFCs I do not want
> to implement even "only" an own pseudo server from scratch by myself. Thus
> the question remained whether there is some stuff I can take from the
> Apache DS / related projects to simply listen for incoming requests, do my
> simple parsing and depending on the request, forward it to the LDAP server,
> return the response if there is any and one is expected or fallback to the
> 3rd party system if no certificate is found on the LDAP server. In the
> latter case I want to take the response from the 3rd party system, store it
> on the server and transmit the response to the client as LDAP PDUs
> according to the request.
your custom interceptor can perform fetching from 3rd party store if needed and store and return to user.
this will definitely have an impact on performance because of the network and I/O overhead.
this is one reason I suggested you use an async approach, but when a cert is not present in the LDAP server
then user will not receive it in the first request but in a subsequent request, provided the interceptor's async
thread fetches the cert from 3rd party and stores in LDAP server.

> Can you provide any information about this issue?
> Sebastian

Kiran Ayyagari
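The asynchronous fallback Kiran describes above, as an added example that is not part of the original thread and not ApacheDS code: a Python model of an interceptor that looks a certificate up by subjectKeyIdentifier, returns nothing on a miss while a background thread fetches it from the 3rd party store and writes it into the directory, so a subsequent request finds it. `CertStore` and `ThirdPartyStub` are constructed in-memory stand-ins for the LDAP partition and the external source; the real interceptor API, search filter and network calls are assumed to be substituted in.

```python
import threading
from concurrent.futures import Future, ThreadPoolExecutor
from typing import Dict, Optional, Tuple

class CertStore:
    """Constructed stand-in for the LDAP partition keyed by subjectKeyIdentifier."""
    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._certs: Dict[bytes, bytes] = {}
    def get(self, ski: bytes) -> Optional[bytes]:
        with self._lock:
            return self._certs.get(ski)
    def put(self, ski: bytes, cert: bytes) -> None:
        with self._lock:
            self._certs[ski] = cert

class ThirdPartyStub:
    """Constructed stand-in for the slow external certificate source."""
    def __init__(self, known: Dict[bytes, bytes]) -> None:
        self.known = known
        self.calls = 0          # counts remote lookups so the dedupe is visible
    def fetch(self, ski: bytes) -> Optional[bytes]:
        self.calls += 1
        return self.known.get(ski)

class AsyncFallbackInterceptor:
    """Hypothetical interceptor: answer from LDAP, fetch misses in the background."""
    def __init__(self, ldap: CertStore, third_party: ThirdPartyStub) -> None:
        self.ldap, self.third_party = ldap, third_party
        self.pool = ThreadPoolExecutor(max_workers=2)
        self.pending: Dict[bytes, Future] = {}   # one in-flight fetch per SKI
        self.lock = threading.Lock()

    def search(self, ski: bytes) -> Tuple[Optional[bytes], Optional[Future]]:
        """Return (cert, None) on a hit; (None, future) on a miss being fetched."""
        cert = self.ldap.get(ski)
        if cert is not None:
            return cert, None
        with self.lock:   # coalesce concurrent misses for the same SKI
            fut = self.pending.get(ski)
            if fut is None:
                fut = self.pool.submit(self._fetch_and_store, ski)
                self.pending[ski] = fut
        return None, fut   # client gets an empty result now; retry later succeeds

    def _fetch_and_store(self, ski: bytes) -> bool:
        try:
            cert = self.third_party.fetch(ski)
            if cert is not None:
                self.ldap.put(ski, cert)   # next search is served from LDAP
            return cert is not None
        finally:
            with self.lock:
                self.pending.pop(ski, None)
```

The returned future exists only so a caller or test can wait for the background write; the client-facing response is the empty first result followed by a hit on the retry.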
