On Dec 6, 2012, at 12:50 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
----- Original Message -----
> From: "Anil Saldhana" <Anil.Saldhana(a)redhat.com>
> To: security-dev(a)lists.jboss.org
> Sent: Thursday, December 6, 2012 12:06:03 AM
> Subject: [security-dev] IDM: LDAP Custom Attributes
>
> Pedro,
> we had discussions on performance associated with querying custom
> attributes in the LDAP implementation. I realized that since we will
> have an identity cache operating in the IDM layer. The cache needs to
> have LRU entries (or whatever policy gets configured), thus avoiding
> round trips to the Identity Store.
You're right, one of the biggest challenges is how to perform well when querying
attributes that are not part of the LDAP schema. Those attributes are not searchable and
we need to make most of the query logic inside the store.
In the case of LDAP I would really allow only attributes mapped previously in the store
configuration. There are too many scenarios - like some are read-only and managed by the
server (memberOf). LDAP is also not a flexibly used store because of the enforced schema, so it
is a valid constraint - simplifies a lot. For custom attributes stored in a serialised
manner I would simply not allow using them in queries, or ignore them in such. Simplifies a
lot.
>
> Bolek had opined about the use of LDAP entry change notifications to
> update the IDM cache. This is when the admin may have used some form of
> LDAP browser to update the entries or the update happens via software not
> controlled by IDM.
>
Ok, going to consider that too.
> Regards,
> Anil
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
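The constraint argued for above (queries may only touch attributes mapped in the store configuration; serialised custom attributes are rejected or ignored; server-managed attributes such as memberOf are readable but not writable) as an added illustration in Python. This is not PicketLink code: the MAPPED table, the exception names and the strict/lenient switch are constructed for the example, and the value escaping follows RFC 4515 so a caller-supplied value cannot change the filter's shape.

```python
# Constructed store configuration (hypothetical, not PicketLink's format):
# identity attribute -> (LDAP attribute, writable). Anything not listed is a
# custom attribute held in serialised form and therefore not searchable.
MAPPED = {
    "loginName": ("uid", True),
    "email": ("mail", True),
    "groups": ("memberOf", False),  # managed by the server, read-only
}


class UnmappedAttribute(ValueError):
    """Query or write names an attribute the store does not map."""


class ReadOnlyAttribute(ValueError):
    """Write names an attribute the LDAP server manages itself."""


def escape_filter_value(value):
    """RFC 4515 escaping: \\ * ( ) and NUL become \\XX hex escapes."""
    out = []
    for ch in value:
        out.append("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch)
    return "".join(out)


def build_filter(conditions, strict=True):
    """Build an AND filter over mapped attributes only.

    Returns (ldap_filter, ignored). Unmapped attributes raise when strict,
    otherwise they are dropped and reported in `ignored`."""
    parts, ignored = [], []
    for name, value in conditions.items():
        if name not in MAPPED:
            if strict:
                raise UnmappedAttribute(name)
            ignored.append(name)
            continue
        ldap_attr, _writable = MAPPED[name]
        parts.append("(%s=%s)" % (ldap_attr, escape_filter_value(str(value))))
    if not parts:
        return "(objectClass=*)", ignored
    ldap_filter = parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"
    return ldap_filter, ignored


def check_writable(name):
    """Map an identity attribute for an update, refusing read-only ones."""
    if name not in MAPPED:
        raise UnmappedAttribute(name)
    ldap_attr, writable = MAPPED[name]
    if not writable:
        raise ReadOnlyAttribute(name)
    return ldap_attr
```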