IdP 3 ldap authent vs resolving

Youssef GHORBAL youssef.ghorbal at pasteur.fr
Fri Apr 1 18:24:51 EDT 2016


> On 31 Mar 2016, at 01:38, Youssef Ghorbal <youssef.ghorbal at pasteur.fr> wrote:
> 
> Hello,
> 
> 	Just quick assertions to verify if I got things right.
> 	- By default LDAP auth connections are pooled and pool default settings are handled by idp.pool.LDAP.xxxx properties.

My tests are showing that this is true (tcpdump). Authentication uses one of the pool member connections.
But for attribute resolution, it’s a new connection that is created (and closed) each time.

What I can’t understand is that tcpdump is showing 6 active connections to the AD server, but the log is clearly saying:

2016-04-02 00:07:15,074 - DEBUG [org.ldaptive.pool.BlockingConnectionPool:825] - pool size after validation is 3

So I’m expecting to see only 3 TCP connections. Am I missing something?

> 	- The LDAP Connector example provided in the attribute-resolver-ldap.xml is not pooled. To make it pooled you have to add a <ConnectionPool> element as described here:
> 	https://wiki.shibboleth.net/confluence/display/IDP30/ConnectionPool
> 	- The <ConnectionPool> for LDAP resolving Connector can use idp.pool.LDAP.xxxx properties (same ones for auth)

Not really, it seems to be some magic in the pool creation for auth that translates seconds/minutes to the ISO period format. Using idp.pool.LDAP.blockWaitTime directly in a <ConnectionPool> (<dc:ConnectionPool blockWaitTime=%{idp.pool.LDAP.blockWaitTime} … ) will raise an exception, for example.

Youssef
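An added configuration example, not taken from Youssef's message or from the Shibboleth project, showing the two forms of the resolver <ConnectionPool> that the message contrasts. The first form reuses idp.pool.LDAP.blockWaitTime directly and is the one reported above as raising an exception; the second uses literal ISO 8601 durations. It assumes that the element expects ISO 8601 durations such as PT3S and that the sizing attributes are named minPoolSize and maxPoolSize as on the ConnectionPool wiki page linked above; the connector id, server URL, base DN, bind DN and the numeric values are constructed placeholders to be replaced with real ones.

```xml
<!-- Constructed example (not from the original post).
     Form 1: reuses the auth pool property directly in the resolver pool.
     idp.pool.LDAP.blockWaitTime holds a plain number that only the
     authentication pool converts; the resolver element gets it verbatim,
     which is what the message above reports as raising an exception. -->
<resolver:DataConnector id="myLDAP-unpooledProperty" xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://ldap.example.org"
    baseDN="ou=people,dc=example,dc=org"
    principal="cn=idp,ou=system,dc=example,dc=org"
    principalCredential="CHANGEME-bind-password">
    <dc:FilterTemplate>
        <![CDATA[ (uid=$requestContext.principalName) ]]>
    </dc:FilterTemplate>
    <dc:ConnectionPool blockWaitTime="%{idp.pool.LDAP.blockWaitTime}" />
</resolver:DataConnector>

<!-- Form 2: the same connector with a pool configured using literal
     ISO 8601 durations (assumed format) instead of the auth properties.
     Attribute names other than blockWaitTime are taken from the linked
     wiki page and should be checked there; values are placeholders. -->
<resolver:DataConnector id="myLDAP-pooled" xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://ldap.example.org"
    baseDN="ou=people,dc=example,dc=org"
    principal="cn=idp,ou=system,dc=example,dc=org"
    principalCredential="CHANGEME-bind-password">
    <dc:FilterTemplate>
        <![CDATA[ (uid=$requestContext.principalName) ]]>
    </dc:FilterTemplate>
    <dc:ConnectionPool
        minPoolSize="3"
        maxPoolSize="10"
        blockWaitTime="PT3S"
        expirationTime="PT10M"
        validatePeriodically="true"
        validateTimerPeriod="PT30M" />
</resolver:DataConnector>
```

After switching to the second form, the quickest check that the resolver is really reusing connections is the one the message already describes: watch the ldaptive pool debug lines for the resolver's pool and compare the count of established sockets to the directory server (tcpdump or netstat) before and after a burst of logins; a connector that still opens and closes one socket per resolution is not using the pool.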


