[cas-dev] CredentialsToLDAPAttributePrincipalResolver and maxNumberResults property

Velpi velpi at industria.be
Sat Jul 21 08:36:04 EDT 2007


Actually, that number has been made configurable on purpose, although it 
is not very useful to do that. In case of multiple results you could:
* merge it into one big string
* release them to the client as multiple attributes
* do further processing: e.g. return one of them according to the requestor
... which would all be an extension to this class.

So it may be smart to leave it in as a protected attribute.

--Velpi

Smith, Matt wrote:
> I would recommend 2 -- there is no reason for anything more, and there may be a performance hit for each extra LDAP entry, depending on the LDAP design (proxy-directory, meta-directory, image or certificate attributes, etc).
> 
> 
> -----Original Message-----
> From: cas-dev-bounces at tp.its.yale.edu on behalf of Scott Battaglia
> Sent: Thu 2007-07-19 11:10
> To: serac at vt.edu; Mailing list for CAS developers
> Subject: Re: [cas-dev] CredentialsToLDAPAttributePrincipalResolver and maxNumberResults property
>  
> Okay, I'm going to set it to 10 (unless there is potentially some possible
> performance gain by setting it to something such as 2).
> 
> Thanks
> -Scott
> 
> On 7/19/07, Marvin S. Addison <serac at exchange.vt.edu> wrote:
>> I agree that it should be an implementation detail, and not exposed on
>> the interface.  Whether it's set to 1 is another matter.  This property
>> controls the maximum number of results returned by LDAP.  Limiting
>> to only 1 result will cause the additional check on number of results
>> found to always pass even if multiple principals are found:
>>
>> if (principalList.size() > 1) {
>>   log.error("LDAP search returned multiple results "
>>     + "for filter \"" + searchFilter + "\", "
>>     + "which is not allowed.");
>>   return null;
>> }
>>
>> The choices are to set to 1 and remove this additional check, or leave
>> at some small number, say 10, and leave this condition.  I prefer the
>> latter since it displays a descriptive message on a very specific
>> failure condition.  The former solution enforces a one-to-one mapping of
>> principals even when no such condition is satisfied in LDAP.
>>
>> M
>> _______________________________________________
>> cas-dev mailing list
>> cas-dev at tp.its.yale.edu
>> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>>
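The truncation effect Marvin describes, as an added Java illustration that is not CAS code: a fake in-memory directory stands in for LDAP (the class MaxResultsDemo, the DIRECTORY map and its example DNs are constructed for this example), and resolve() repeats the quoted size check so the two settings of maxNumberResults can be compared side by side.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added illustration, not CAS code: an in-memory map stands in for the LDAP
// directory so the interaction between the search size limit and the
// "multiple results" check can be exercised without a server.
public class MaxResultsDemo {
    // Constructed directory: DN -> uid. Two entries share the uid "jdoe".
    static final Map<String, String> DIRECTORY = Map.of(
        "uid=jdoe,ou=staff,dc=example,dc=org", "jdoe",
        "uid=jdoe,ou=alumni,dc=example,dc=org", "jdoe",
        "uid=asmith,ou=staff,dc=example,dc=org", "asmith");

    // Stand-in for an LDAP search with a size limit: like a server honouring
    // maxNumberResults, it stops after that many matches and says nothing
    // about entries it never returned.
    static List<String> search(String uid, int maxNumberResults) {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, String> e : DIRECTORY.entrySet()) {
            if (hits.size() >= maxNumberResults) break;
            if (e.getValue().equals(uid)) hits.add(e.getKey());
        }
        return hits;
    }

    // Mirrors the check quoted in the thread: an ambiguous match is an error
    // and resolves to no principal rather than to an arbitrary entry.
    static String resolve(String uid, int maxNumberResults) {
        List<String> principalList = search(uid, maxNumberResults);
        if (principalList.isEmpty()) return null;
        if (principalList.size() > 1) {
            System.err.println("LDAP search returned multiple results for uid="
                + uid + ", which is not allowed.");
            return null;
        }
        return principalList.get(0);
    }

    public static void main(String[] args) {
        // Limit 10: both "jdoe" entries come back, the check rejects the
        // lookup and the ambiguity is logged.
        System.out.println("limit 10: " + resolve("jdoe", 10));
        // Limit 1: the search is cut off before the second entry is seen,
        // so the check passes and whichever duplicate came first wins silently.
        System.out.println("limit 1:  " + resolve("jdoe", 1));
        // A unique uid resolves normally under either limit.
        System.out.println("asmith:   " + resolve("asmith", 10));
    }
}
```

Against a real server the same truncation happens inside the directory, so the resolver cannot detect it after the fact; a limit larger than 1 is what gives the size check something to see.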