directory-users mailing list archives

From "Isenhour, Justin" <>
Subject [ApacheDS] How to clear cached authentication on change of custom attribute
Date Wed, 06 Dec 2017 13:16:21 GMT
We have a use case where we need to have a custom status attribute for user identities. We
also have created a custom authentication interceptor that will check the status attribute
on bind; depending on the status, we will throw an LdapAuthenticationException and report the
status in the message. Our SSO solution is then using this during the authentication process.
This is all working as needed. The issue we run into is related to the caching policies
within ApacheDS. The first time a user identity attempts to log in to our SSO application,
the bind event is triggered and the status is checked. After that, the result of the bind is
cached, and the next time the user logs in the bind event is not triggered. Because of this, if
the user's status is changed after they have logged in, then that new status is not reported
until the cache clears. After reviewing the ApacheDS code, I see there is some logic within
ApacheDS to remove the user object from cache when the user's password is changed. Is there
a way to also do this for a custom attribute like we have for status, either through configuration
or through custom code? If we have to, we will set the expectation with our customers that
any changes to status could take up to x amount of time to take effect, but I would prefer
to have these changes be real time if possible. Also, what is the caching time for authentication,
and does it use sliding expiration? Thank you in advance.

Justin Isenhour | Lead Developer, Systems and Technology Group | Compass Group USA |  2400
Yorkmont Road | Charlotte, NC 28217 | 704.328.5804 |<>
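
A simplified model of the behaviour described in this message, added here as an example; it is not ApacheDS code and not the poster's interceptor, and every class, method and attribute name in it is hypothetical. It runs the same sequence twice: once with a bind cache that is evicted only on a password change, where the status check is skipped after the status changes, and once with the status attribute added to the eviction list.

```java
import java.util.*;

// Simplified model of a bind-result cache; NOT ApacheDS code.
// All names (BindCacheModel, "status", evictOn, ...) are hypothetical.
public class BindCacheModel {
    static class BindException extends RuntimeException {
        BindException(String msg) { super(msg); }
    }

    private final Map<String, Map<String, String>> entries = new HashMap<>();
    private final Map<String, String> cache = new HashMap<>(); // DN -> credential of last good bind (model only)
    private final Set<String> evictOn;                          // attributes whose modification evicts the DN

    BindCacheModel(Set<String> evictOn) { this.evictOn = evictOn; }

    void add(String dn, String password, String status) {
        Map<String, String> e = new HashMap<>();
        e.put("userPassword", password);
        e.put("status", status);
        entries.put(dn, e);
    }

    void bind(String dn, String password) {
        if (password.equals(cache.get(dn))) return;             // cache hit: the status check below never runs
        Map<String, String> e = entries.get(dn);
        if (e == null || !password.equals(e.get("userPassword")))
            throw new BindException("invalid credentials");
        if (!"active".equals(e.get("status")))                  // the custom status check done on a real bind
            throw new BindException("status=" + e.get("status"));
        cache.put(dn, password);
    }

    void modify(String dn, String attr, String value) {
        entries.get(dn).put(attr, value);
        if (evictOn.contains(attr)) cache.remove(dn);           // eviction tied to the modified attribute
    }

    static boolean bindSucceeds(BindCacheModel m, String dn, String pw) {
        try { m.bind(dn, pw); return true; } catch (BindException ex) { return false; }
    }

    public static void main(String[] args) {
        String dn = "uid=jdoe,ou=users,dc=example,dc=com";      // constructed sample entry
        for (Set<String> attrs : List.of(Set.of("userPassword"), Set.of("userPassword", "status"))) {
            BindCacheModel m = new BindCacheModel(attrs);
            m.add(dn, "s3cret", "active");
            bindSucceeds(m, dn, "s3cret");                      // first bind populates the cache
            m.modify(dn, "status", "suspended");                // status changes after login
            System.out.println("evict on " + attrs + ": bind after suspend succeeds = "
                    + bindSucceeds(m, dn, "s3cret"));
        }
    }
}
```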

