Yoav S - 17 days ago
Java Question

LDAP connections pooling with kerberos authentication

The problem I am trying to solve is that when connecting with LDAP using Kerberos, we request a new TGT and session key every time. This puts unnecessary load on the KDC and on the network.

We want to either use an LDAP connection pool BUT WITH CUSTOM authentication or somehow just reuse the TGT.

Please assist.

Thank you

Answer

There are several approaches to this:

  1. If you don't intend to pool connections, use LoginContext to obtain a Subject with your TGT, hold that TGT in memory for as long as it is valid and wrap it with an acquire/release implementation. As soon as you have your Subject, wrap the new InitialDirContext() call in a PrivilegedAction with Subject#doAs().
  2. Using a pool (this is what I do in Spring): Adapt the Commons Pool 2 solution implemented by Spring LDAP. Though, Spring's ContextSource does not support the SASL GSSAPI mechanism. Luckily, you can use my library for that.

Either way, I am using both approaches. The first approach works in a custom authenticator/realm and is blazingly fast here. I wonder why your implementation is so slow -- whatever slow means to you.
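The first approach from the answer (hold a Subject with its TGT, re-login only when the ticket is no longer current, bind inside Subject.doAs) as an added example; this is not the answerer's library code. The JAAS entry name "KrbLogin" and the LDAP URL are assumptions, and the JAAS configuration itself (Krb5LoginModule with a keytab or credential cache) is assumed to be supplied via java.security.auth.login.config.

```java
import java.security.*;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.*;

/** Caches one JAAS Subject (holding the TGT) and reuses it for every LDAP bind. */
public final class CachedKerberosLdap {
    private final String jaasEntry;   // JAAS login entry name, e.g. "KrbLogin" (assumed)
    private final String ldapUrl;     // e.g. "ldap://ldap.example.test:389" (assumed)
    private Subject subject;          // TGT lives here as a KerberosTicket private credential

    public CachedKerberosLdap(String jaasEntry, String ldapUrl) {
        this.jaasEntry = jaasEntry;
        this.ldapUrl = ldapUrl;
    }

    /** Returns the cached Subject; talks to the KDC only when no current TGT is held. */
    private synchronized Subject acquireSubject() throws LoginException {
        if (subject != null && tgtIsCurrent(subject)) {
            return subject;
        }
        LoginContext lc = new LoginContext(jaasEntry); // Krb5LoginModule from JAAS config
        lc.login();                                     // the one AS exchange with the KDC
        subject = lc.getSubject();
        return subject;
    }

    private static boolean tgtIsCurrent(Subject s) {
        // Krb5LoginModule stores the TGT as a KerberosTicket; isCurrent() checks its lifetime.
        for (KerberosTicket t : s.getPrivateCredentials(KerberosTicket.class)) {
            if (t.isCurrent()) return true;
        }
        return false;
    }

    /** Binds via SASL GSSAPI; doAs makes GSSAPI pick up the held TGT instead of requesting one. */
    public DirContext connect() throws Exception {
        Subject s = acquireSubject();
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        try {
            return Subject.doAs(s, (PrivilegedExceptionAction<DirContext>) () -> new InitialDirContext(env));
        } catch (PrivilegedActionException e) {
            throw e.getException(); // unwrap the NamingException from the bind
        }
    }
}
```

Callers close each DirContext after use; only the Subject (and thus the TGT) is cached, so a fresh service ticket for the LDAP server is still obtained from the TGS when the cached one is not reused by the GSS provider.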
