LDAP recovery?

Cantor, Scott cantor.2 at osu.edu
Wed Apr 10 15:02:28 EDT 2019

On 4/10/19, 2:45 PM, "users on behalf of Paul B. Henson" <users-bounces at shibboleth.net on behalf of henson at cpp.edu> wrote:

> You say we will have to eventually, but the URL you reference says "Until JNDI is fixed the following instructions can be
> used to work around the bug" which seems like this is a temporary change pending an upstream fix, as opposed to a
> long-term permanent change in recommendation?

There's no evidence it will ever be fixed or not, or in which JDKs, and even if there were, JNDI has had enough bugs now to be moved to the "don't trust" list, so I agreed with others on the team that we should make the move by default. The ldaptive authors run with UnboundID in production and have for a long time, so it has a track record.

I don't think it's your problem though, from what Daniel said.

> The idp build itself includes ldaptive-1.0.13.jar, if the new recommended configuration is to use the unboundid provider
> with it, will there be a new version of the idp released that also bundles those required jars rather than requiring them
> to be added by everyone locally, and selects that provider in code rather than requiring a jdk cli option?

Yes, the next patch is doing that, but it won't switch by default in V3, just provide the jars and a property you can override to change it without touching the container or any startup scripts.

We may change the default in V4, almost certainly for new installs, but it's not decided yet.
-- Scott
