
Re: [grouper-dev] UW's initial look at grouper


  • From: Tom Zeller <>
  • To: "Michael R. Gettes" <>
  • Cc: Jim Fox <>, Grouper Dev <>
  • Subject: Re: [grouper-dev] UW's initial look at grouper
  • Date: Fri, 17 Apr 2009 12:25:32 -0500

For what it's worth:

"If you use connection pooling [with TLS], you might be compromising the security of your application."

From http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html

When Not to Use Pooling

Pooled connections are intended to be reused. Therefore, if you plan to perform operations on a Context instance that might alter the underlying connection's state, then you should not use connection pooling for that Context instance. For example, if you plan to invoke the Start TLS extended operation on a Context instance, or plan to change security-related properties (such as "java.naming.security.principal" or "java.naming.security.protocol") after the initial context has been created, you should not use connection pooling for that Context instance because the LDAP provider does not track any such state changes. If you use connection pooling in such situations, you might be compromising the security of your application. 

On Fri, Apr 17, 2009 at 12:20 PM, Michael R. Gettes <> wrote:
I have always done it with SSL and it seems to work just
fine.  I admit I have not done so with TLS.

/mrg


On Apr 17, 2009, at 13:18, Jim Fox wrote:


Sun's own documentation says not to try to use connection pooling with
TLS.  Ignoring that I've tried many times to get it to work, both with
grouper and with a shib 1.3 IdP.  All without success.  The VT library
works just fine right out of the box.

Jim


On Fri, 2009-04-17 at 06:53 -0700, Michael R. Gettes wrote:
I thought the issue of the JNDI adapter was resolved some time
ago to allow for connection pooling?  This involved the setting
of an environment variable in the grouper code enabling the pooling
built into the sun code.  I also believe the sun jndi does support
ssl and connection pooling for ssl.  What leads you to believe it
doesn't?  What am I missing?

/mrg

On Apr 16, 2009, at 17:05, Jim Fox wrote:

(this is my initial look, not RLBob's)

We are looking at Grouper as a possible registry for our groups service,
presently supported by an LDAP directory and a RESTful webservice.  We're
testing and planning, not yet installing.  These are some random issues
we've encountered.  Not complaining, just thought I'd let you know.

1) JNDI source adapter

The JNDI classes from Sun do not support LDAP connections using SSL or
TLS very well.  They do not support connection pooling, thereby causing
a lot of connection overhead.  We wrote a source adapter using the LDAP
library from Virginia Tech - the one used by Shibboleth.  It works quite
a bit more efficiently.
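The Sun documentation quoted at the top of this message draws the line at security state that changes after the context is created, which is why Start TLS and pooling do not mix while ldaps:// with pooling can. The following is an added example, not code from any of the posters or from Grouper or the VT library; the class name, host names and bind DN are placeholders, and it puts the pooled ldaps:// environment beside the explicitly non-pooled Start TLS one.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.*;

public class LdapPoolingExample {
    // Sun/Oracle JNDI LDAP provider property that opts a context into the connection pool.
    static final String POOL = "com.sun.jndi.ldap.connect.pool";
    static final String FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    // ldaps://: the connection is TLS from the first byte and its security properties are
    // fixed before the context exists, so a pooled connection hides no later state change.
    // (SSL connections are only pooled when the JVM runs with
    // -Dcom.sun.jndi.ldap.connect.pool.protocol="plain ssl"; the default pools "plain" only.)
    static Hashtable<String, Object> ldapsPooledEnv(String url, String dn, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, url);          // e.g. ldaps://ldap.example.org:636 (placeholder)
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(POOL, "true");
        return env;
    }

    // Start TLS is negotiated after the context exists and the provider does not track it,
    // so this context must never share its connection: pooling is switched off explicitly.
    static Hashtable<String, Object> startTlsUnpooledEnv(String url) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, url);          // e.g. ldap://ldap.example.org:389 (placeholder)
        env.put(POOL, "false");
        return env;
    }

    // Open, upgrade with Start TLS, bind, work, close. Because the context is not pooled,
    // close() tears the socket (and its TLS layer) down instead of handing it to another caller.
    static void withStartTls(String url, String dn, String password) throws NamingException, java.io.IOException {
        LdapContext ctx = new InitialLdapContext(startTlsUnpooledEnv(url), null);
        try {
            StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate();                          // TLS handshake on the already-open socket
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.reconnect(null);                      // simple bind, now that the channel is protected
        } finally {
            ctx.close();
        }
    }
}
```

The hazard the documentation describes is the inverse of the second helper: a context created with pooling on, then upgraded with Start TLS or re-bound with new credentials, returns a connection to the pool that the provider still records as plain and unauthenticated, so the next caller inherits state it never asked for.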
