[cas-dev] CredentialsToLDAPAttributePrincipalResolver and maxNumberResults property

Smith, Matt matt.smith at uconn.edu
Thu Jul 19 11:29:39 EDT 2007


I would recommend 2 -- there is no reason for anything more, and there may be a performance hit for each extra LDAP entry, depending on the LDAP design (proxy-directory, meta-directory, image or certificate attributes, etc.).


-----Original Message-----
From: cas-dev-bounces at tp.its.yale.edu on behalf of Scott Battaglia
Sent: Thu 2007-07-19 11:10
To: serac at vt.edu; Mailing list for CAS developers
Subject: Re: [cas-dev] CredentialsToLDAPAttributePrincipalResolver and maxNumberResults property
 
Okay, I'm going to set it to 10 (unless there is potentially some possible
performance gain by setting it to something such as 2).

Thanks
-Scott

On 7/19/07, Marvin S. Addison <serac at exchange.vt.edu> wrote:
>
> I agree that it should be an implementation detail, and not exposed on
> the interface.  Whether it's set to 1 is another matter.  This property
> controls the max number of results returned by LDAP.  Limiting
> to only 1 result will cause the additional check on number of results
> found to always pass even if multiple principals are found:
>
> if (principalList.size() > 1) {
>   log.error("LDAP search returned multiple results "
>     + "for filter \"" + searchFilter + "\", "
>     + "which is not allowed.");
>   return null;
> }
>
> The choices are to set to 1 and remove this additional check, or leave
> at some small number, say 10, and leave this condition.  I prefer the
> latter since it displays a descriptive message on a very specific
> failure condition.  The former solution enforces a one-to-one mapping of
> principals even when no such condition is satisfied in LDAP.
>
> M
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>



-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
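
The interaction discussed in this thread, as an added example that is not part of the original messages or of the CAS code base: an in-memory stand-in for a size-limited LDAP search shows that a limit of 1 hides a duplicate entry, while a limit of 2 is already enough for the multiple-results check to fire. The class name, the sample entries and the lookup by mail address are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class CountLimitDemo {
    // Constructed sample directory: two entries share the same mail value.
    static final String[][] ENTRIES = {
        {"uid=jdoe,ou=people,dc=example,dc=org", "jdoe@example.org"},
        {"uid=jdoe2,ou=people,dc=example,dc=org", "jdoe@example.org"},
        {"uid=asmith,ou=people,dc=example,dc=org", "asmith@example.org"},
    };

    // Stand-in for the LDAP search (hypothetical helper): stops collecting
    // after countLimit matches, as a size-limited search would.
    static List<String> search(String mail, int countLimit) {
        List<String> results = new ArrayList<>();
        for (String[] entry : ENTRIES) {
            if (entry[1].equals(mail)) {
                results.add(entry[0]);
                if (results.size() == countLimit) {
                    break;
                }
            }
        }
        return results;
    }

    // Mirrors the check quoted in the thread: more than one result is an error.
    static String resolve(String mail, int countLimit) {
        List<String> principalList = search(mail, countLimit);
        if (principalList.isEmpty()) {
            return null; // no matching principal
        }
        if (principalList.size() > 1) {
            System.err.println("LDAP search returned multiple results for mail="
                + mail + ", which is not allowed.");
            return null; // ambiguity detected, refuse to resolve
        }
        return principalList.get(0);
    }

    public static void main(String[] args) {
        // With limit 1 the duplicate is never seen and the first entry wins silently.
        for (int limit : new int[] {1, 2, 10}) {
            System.out.println("limit=" + limit + " -> "
                + resolve("jdoe@example.org", limit));
        }
    }
}
```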


