IdP 3 ldap authent vs resolving

Cantor, Scott cantor.2 at
Fri Apr 1 18:59:03 EDT 2016

> > 	Just quick assertions to verify if I got things right.
> > 	- By default LDAP auth connections are poold and pool default
> settings are handled by idp.pool.LDAP.xxxx properties.
> My testings are showing that this is true (tcpdump). Authentication uses one
> of the pool member connection
> But for attribute resolution, it’s a new connection that is created (and closed)
> each time.

Let's be clear: properties are never the *actual* setting of anything. The properties are always plugged into a bean. If that's a system bean, it means that the only supported way of configuring something is the property, but if the bean is in a user file, then the property is strictly a convenience you can take or leave. The majority of properties are used in user space, so are entirely ignorable/removeable. It's personal preference.

I increasingly dislike them as a deployer, but they are very useful to federations that are delivering customized "config sets".

> So I’m expecting to see only 3 tcp connections. Am I missing something ?

If the pool has a large max size or is a type of pool that keeps growing, I don't think the initial pool size has anything to do with the size at some other point in time.

> Not really, it seems to be some magic for the pool creation for auth that
> translates seconds/minutes to ISO period format. Using
> idp.pool.LDAP.blockWaitTime directly in a <ConnectionPool>
> (<dc:ConnectionPool blockWaitTime=%{idp.pool.LDAP.blockWaitTime} … )
> will raise an exception for example.

If you're talking about duration syntax, if anything that would work in the resolver and not in the authentication beans.

-- Scott

More information about the users mailing list