[security-dev] IDM: LDAP Custom Attributes

Pedro Igor Silva psilva at redhat.com
Thu Dec 6 08:15:41 EST 2012


----- Original Message -----
> From: "Boleslaw Dawidowicz" <bdawidow at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: "Anil Saldhana" <Anil.Saldhana at redhat.com>, security-dev at lists.jboss.org
> Sent: Thursday, December 6, 2012 10:51:00 AM
> Subject: Re: [security-dev] IDM: LDAP Custom Attributes
> 
> 
> On Dec 6, 2012, at 12:50 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
> 
> > ----- Original Message -----
> >> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
> >> To: security-dev at lists.jboss.org
> >> Sent: Thursday, December 6, 2012 12:06:03 AM
> >> Subject: [security-dev] IDM: LDAP Custom Attributes
> >> 
> >> Pedro,
> >>    we had discussions on performance associated with querying custom
> >> attributes in the LDAP implementation. I realized that since we will
> >> have an identity cache operating in the IDM layer, the cache needs to
> >> have LRU entries (or whatever policy gets configured), thus avoiding
> >> round trips to the Identity Store.
> > 
> > You're right, one of the biggest challenges is how to perform well
> > when querying attributes that are not part of the LDAP schema.
> > Those attributes are not searchable and we need to make most of
> > the query logic inside the store.
> 
> In case of LDAP I would really allow only attributes mapped
> previously in the store configuration. There are too many scenarios
> - like some are readOnly and managed by the server (memberOf). LDAP
> is also not a flexibly used store because of its enforced schema, so it
> is a valid constraint - simplifies a lot. For custom attributes stored
> in a serialised manner I would simply not allow using them in queries,
> or ignore them in such. Simplifies a lot.

Totally agree, but from our last discussion Anil suggested still supporting custom attributes using serializable objects. Ignoring them would be much simpler, but I understood Anil's point of view.

The current query support implementation for the LDAP store is working with managed and custom attributes. If the attribute used as a query parameter is managed, a normal LDAP search will be performed. Otherwise, we'll filter the users manually. Users should be aware that when using custom attributes they lose some performance on queries.

> 
> > 
> >> 
> >> Bolek had opined about the use of LDAP entry change notifications to
> >> update the IDM cache. This is for when the admin may have used some
> >> form of LDAP browser to update the entries, or the update happens via
> >> software not controlled by IDM.
> >> 
> > 
> > Ok, going to consider that too.
> > 
> >> Regards,
> >> Anil
> >> _______________________________________________
> >> security-dev mailing list
> >> security-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/security-dev
> >> 

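As an added illustration of the query split described above (managed attributes go to the LDAP server as a filter, custom attributes are matched manually after the search), the following Python is not PicketLink code: the attribute mapping, the name of the serialised-attributes field and the sample entries are constructed, and a plain list stands in for the LDAP server so it runs offline.

```python
import json

# Constructed store configuration: query attributes that map to LDAP attributes.
MANAGED = {"loginName": "uid", "email": "mail"}
CUSTOM_BLOB = "x-customAttributes"  # constructed name of the serialised-attributes field

# Constructed sample entries, standing in for what the LDAP search returns.
DIRECTORY = [
    {"uid": "alice", "mail": "alice@example.com",
     CUSTOM_BLOB: json.dumps({"department": "eng", "badge": "1001"})},
    {"uid": "bob", "mail": "bob@example.com",
     CUSTOM_BLOB: json.dumps({"department": "ops", "badge": "1002"})},
    {"uid": "carol", "mail": "carol@example.com",
     CUSTOM_BLOB: json.dumps({"department": "eng", "badge": "1003"})},
]

def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so the value cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def plan_query(params):
    """Split {attribute: value} into the LDAP filter for the managed part and
    a dict of custom attributes that must be matched in the application."""
    clauses, post = [], {}
    for name, value in params.items():
        if name in MANAGED:
            clauses.append("(%s=%s)" % (MANAGED[name], escape_filter_value(value)))
        else:
            post[name] = value
    if not clauses:
        ldap_filter = "(objectClass=*)"  # nothing searchable: every entry is a candidate
    elif len(clauses) == 1:
        ldap_filter = clauses[0]
    else:
        ldap_filter = "(&%s)" % "".join(clauses)
    return ldap_filter, post

def run_query(params, directory=DIRECTORY):
    """Simulated store: server-side match on managed attributes, then manual filtering
    on the serialised custom ones. Returns (matching uids, entries deserialised)."""
    _, post = plan_query(params)
    # Stand-in for the LDAP server evaluating the managed clauses of the filter.
    candidates = [e for e in directory
                  if all(e.get(MANAGED[n]) == v for n, v in params.items() if n in MANAGED)]
    matches = []
    for entry in candidates:  # custom attributes are not searchable: inspect each candidate
        custom = json.loads(entry.get(CUSTOM_BLOB, "{}"))
        if all(custom.get(n) == v for n, v in post.items()):
            matches.append(entry["uid"])
    return matches, len(candidates)
```

The second value returned by `run_query` is the number of entries that had to be fetched and deserialised, which is the cost the last paragraph warns about when a query carries only custom criteria.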