What is the easiest (e.g. least complicated) LDAP operation

I implemented a pool for LDAP connections using the Apache Commons Pool. I cannot use the pooling facility provided by JNDI (http://download.oracle.com/javase/jndi/tutorial/ldap/connect/pool.html) because I am using an SSL connection to the LDAP server through a special socket factory (provided by Oracle; the java.naming.ldap.factory.socket env value is set, which disqualifies the context from the JNDI pool), and therefore the pooling facility inside JNDI is automatically disabled even if the corresponding pooling property is set.

Now it comes to the point where an InitialDirContext instance returned to the pool should be checked for its suitability, i.e. that it has not been closed by the user and has not lost its connection to the LDAP server for other reasons.

Here I look up the DN of a specific user who is known to exist:

    import javax.naming.NamingEnumeration;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;

    final InitialDirContext ctx = internalPooledLDAPConnection.getCtx();
    final Subscriber sub = internalPooledLDAPConnection.getSub();
    SearchControls ctls = new SearchControls();
    ctls.setSearchScope(SearchControls.SUBTREE_SCOPE); // scope 2 = subtree
    ctls.setReturningAttributes(new String[] { "dn" });
    NamingEnumeration<SearchResult> resultSet =
        ctx.search(sub.getUserSearchBase()[0], "(&(objectclass=*)(uid=orcladmin))", ctls);

If this operation does not raise any exception, the InitialDirContext inside my internal pooled LDAP connection can still be used and can safely be handed out from the pool for reuse.

However, I am wondering whether this is the "cheapest" connection health check that can be done here, or whether there is a much cheaper LDAP operation that I could use instead.

+4
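Putting the question's check together with the answers' suggestions, an added example (not code from the question or from any of the answers) of a validation method for pooled JNDI contexts: it reads the root DSE with a base-scope search that asks for no attributes, so the server returns one near-empty entry and a done message, and any transport failure evicts the context. The class name and the timeout value are assumptions; the client-side read timeout itself has to be set with the com.sun.jndi.ldap.read.timeout property when the context is created.

```java
import javax.naming.CommunicationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Added example (hypothetical class): cheap liveness check for a pooled DirContext. */
public final class LdapContextValidator {

    // Server-side time limit in ms; constructed value, tune per deployment.
    private static final int TIME_LIMIT_MS = 2000;

    private LdapContextValidator() { }

    /**
     * Returns true if the context can still talk to the directory server.
     * Searches the root DSE (empty name, OBJECT_SCOPE) and requests no
     * attributes (empty array = "return no attributes" in JNDI), which is
     * about as small as an LDAP search gets.
     * Caveat: this proves the TCP/TLS connection is alive, not that the
     * context is still bound as the intended user; a bind-status check
     * needs an operation the anonymous user may not perform.
     */
    public static boolean isAlive(DirContext ctx) {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.OBJECT_SCOPE);
        ctls.setReturningAttributes(new String[0]);
        ctls.setCountLimit(1);
        ctls.setTimeLimit(TIME_LIMIT_MS);
        NamingEnumeration<SearchResult> results = null;
        try {
            results = ctx.search("", "(objectClass=*)", ctls);
            return results.hasMore(); // the root DSE entry must come back
        } catch (CommunicationException e) {
            return false; // socket gone: evict this context from the pool
        } catch (NamingException e) {
            return false; // anything else unexpected: treat as unusable
        } finally {
            if (results != null) {
                try { results.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```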
5 answers

An LDAP compare operation is likely to be more efficient than a search, because there is only one response (for a search matching the entry, you will get two responses: one for the entry and a second to indicate the end of the search results).

However, you can also consider alternatives to JNDI, as it provides a well-known API for LDAP. There are other Java libraries for performing LDAP communication that are much better than JNDI. In particular, the UnboundID LDAP SDK for Java (for which I am a developer) provides a rich, easy-to-use, high-performance API for LDAP communication. It has rich pooling capabilities, including health checks, fault tolerance, and load balancing. See http://www.unboundid.com/products/ldap-sdk/docs/advantages/comparison.php for a comparison of the features offered by the UnboundID LDAP SDK with JNDI and the Netscape Directory SDK for Java.

+3

An LDAP bind is about as simple as you can get. This is the reconnect() method in JNDI.

However, there must be doubts about what you are doing. If pooling is disabled for SSL, there must be security reasons for that, so you need to do your own security analysis when developing your own pool.

+2

I had a similar problem (I rolled my own pool). My approach was to expect any pooled connection to be dead. I let my pool make a request twice: the first time it may fail, so reconnect and try again, but failures on the second attempt are real and propagate upward.

To summarize, instead of using a specific ping request, I let my own application requests act as potential pings.

As for a cheap request, this one is probably pretty cheap! You may not even need to be bound for this - I cannot remember.

    import javax.naming.directory.Attributes;

    // Read the root DSE (empty name); rootDomainNamingContext is a
    // Microsoft Active Directory attribute
    Attributes attrs = ldapContext.getAttributes("");
    String ldapRootDN = (String) attrs.get("rootDomainNamingContext").get(0);
+2

We use a check for the control 0.0.0.0.0, which of course never exists, to verify whether the connection is alive. As far as I remember, the OpenLDAP (jldap) call looks like this. Since the rootDSE for controls is generally allowed to be read anonymously, this checks whether the connection is good, but does not check the bind status.

+2

Why not send a bogus search for an unknown or garbage attribute? The whole point is just a ping, not an actual operation.

+1
