IdP use of LDAP and connection pooling

Daniel Fisher dfisher at
Fri Sep 9 15:12:07 BST 2011

On Fri, Sep 9, 2011 at 4:30 AM, Manuel Haim <haim at> wrote:

> Hi Scott,
> just my two cents here...
> A bottleneck, however, appears to be in the LDAP JAAS login module at
> login time (see login.config). By default, the SearchDnResolver (which
> resolves the user's DN according to the specified userFilter) never does
> connection pooling, thus the IdP always performs an LDAP BIND here where
> it could keep the connection open. We replaced the SearchDnResolver by a
> static one for test purposes, and our IdP cluster now handled about
> twice as many logins per second. (The IdP is not "blocked" by the LDAP
> BINDs, but maybe the number of threads or network connections is at a
> limit here?!)
> This issue has been reported at:

Support for pooling LDAP connections for authentication will definitely be
supported in IDP v3. I can't guarantee it will ever be formally supported in
IDP v2; I'll just have to see how the code shakes out.

--Daniel Fisher