Issue with large HTTP headers for ECP authentication

Peter Schober peter.schober at
Wed Dec 12 10:01:50 EST 2018

* Cantor, Scott <cantor.2 at> [2018-12-12 15:38]:
> >  (3) Then in attribute-resolver.xml, we removed the <ReturnAttributes> line in the DataConnector for LDAP.
> You certainly *can*, but that will obviously cause it to return
> everything, which may be unnecessary. Usually it's best to enumerate
> what you want from it to control the "namespace" of internal
> attribute names floating around the resolver.

The thing with LDAP is that if you want the server to also return at
least one operational attribute you'll have to ask for it, which then
means you'll have to either enumerate all the ordinary attributes, too
(unless you resort to asking for everything, which is what Carl did.)

But good netizens only ask for what they need (and properly
configured servers only give them what they need access to), so
unless there are dozens and dozens of attributes you need to pull into
the resolver it's probably good to list what you need (and edit and
reload the resolver if that changes, which is fast and painless).

> Whether it's preferred to do it inline or in a property is style,
> but I think properties ended up overused with the resolver

I'm fine with the connection details being in properties, that makes
sharing or copy/pasting or defaulting configuration much easier.

> I don't personally care for the lack of locality of reference, not
> to mention losing reloadability.


