LDAPS Connection Pooling


LDAPS Connection Pooling

David Quiroga
Hello

The default value of com.sun.jndi.ldap.connect.pool.protocol is plain, meaning that "SSL" connections are not pooled. 

https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html

It seems like Shiro relies on com.sun.jndi.ldap in some cases. 

Does anyone know if Shiro, when connection pooling is enabled, will also pool "SSL" connections or will it rely on the default?

Hope that makes sense. Please let me know if clarification is needed. 

Thank you for your time. 
-David 


Re: LDAPS Connection Pooling

David Quiroga
Been doing some research...

Findings:

org.apache.shiro.realm.ldap.JndiLdapContextFactory.java
isPoolingEnabled() and setPoolingEnabled()

* However, pooling will only actually be enabled if this property is {@code true} <em>and</em> the connection
* being created is for the {@link #getSystemUsername() systemUsername} user. Connection pooling is not used for
* general authentication attempts by application end-users because the probability of re-use for that same
* user-specific connection after an authentication attempt is extremely low.

So connection pooling only applies to the systemUsername/AD bind user.

I didn't see that the protocol was changed to include SSL inside the code, but there was a reference to https://issues.apache.org/jira/browse/SHIRO-305 in a test case, which involves the protocol setting.

Conclusion: 
If the systemUsername is running many searches, the property should probably be updated.
Don't have any strong evidence that anything should be changed from the default. 

But here is another article involving com.sun.jndi.ldap.connect.pool.protocol



On Wed, Dec 27, 2017 at 10:48 AM, David Quiroga <[hidden email]> wrote:

>
> Hello
>
> The default value of com.sun.jndi.ldap.connect.pool.protocol is plain, meaning that "SSL" connections are not pooled.
>
> https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
>
> It seems like Shiro relies on com.sun.jndi.ldap in some cases.
>
> Does anyone know if Shiro, when connection pooling is enabled, will also pool "SSL" connections or will it rely on the default?
>
> Hope that makes sense. Please let me know if clarification is needed.
>
> Thank you for your time.
> -David
>
>
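
A preflight check for the question in this thread, added here as an example and not taken from Shiro or the JDK: it predicts whether a JNDI environment would be pooled under the rules in the Oracle tutorial linked above. The class name, host and bind DN are placeholders, and treating an ldaps:// URL as the "ssl" protocol type is an assumption of this sketch. For Shiro, the environment in question is the systemUsername context described in the quoted Javadoc.

```java
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import java.util.Locale;
import javax.naming.Context;

// Added example (hypothetical class): models the pooling rules from the
// Oracle JNDI tutorial; it opens no network connection.
public class LdapPoolPreflight {
    static final String POOL = "com.sun.jndi.ldap.connect.pool";
    static final String POOL_PROTOCOL = POOL + ".protocol";
    static final String POOL_AUTH = POOL + ".authentication";

    // The protocol and authentication lists are JVM-wide system properties,
    // written as space-separated values.
    static List<String> tokens(String key, String dflt) {
        String v = System.getProperty(key, dflt).trim().toLowerCase(Locale.ROOT);
        return Arrays.asList(v.split("\\s+"));
    }

    static boolean willPool(Hashtable<String, Object> env) {
        // Pooling must be requested per context through the environment.
        if (!"true".equalsIgnoreCase(String.valueOf(env.get(POOL)))) return false;
        String url = String.valueOf(env.get(Context.PROVIDER_URL)).toLowerCase(Locale.ROOT);
        // Assumption: an ldaps:// URL counts as "ssl", as does security.protocol=ssl.
        boolean ssl = url.startsWith("ldaps:")
                || "ssl".equalsIgnoreCase(String.valueOf(env.get(Context.SECURITY_PROTOCOL)));
        // JNDI defaults to "simple" when a principal is given, otherwise "none".
        Object auth = env.get(Context.SECURITY_AUTHENTICATION);
        String authType = auth != null ? auth.toString().toLowerCase(Locale.ROOT)
                : env.get(Context.SECURITY_PRINCIPAL) != null ? "simple" : "none";
        return tokens(POOL_PROTOCOL, "plain").contains(ssl ? "ssl" : "plain")
                && tokens(POOL_AUTH, "none simple").contains(authType);
    }

    public static void main(String[] args) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.test:636");   // placeholder host
        env.put(Context.SECURITY_PRINCIPAL, "cn=svc,dc=example,dc=test"); // placeholder DN
        env.put(POOL, "true");

        System.out.println("default pool.protocol -> pooled: " + willPool(env));
        // Usually passed as -Dcom.sun.jndi.ldap.connect.pool.protocol="plain ssl"
        // so it is in place before the first LDAP connection is made.
        System.setProperty(POOL_PROTOCOL, "plain ssl");
        System.out.println("pool.protocol=plain ssl -> pooled: " + willPool(env));
    }
}
```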