[cas-dev] CredentialsToLDAPAttributePrincipalResolver and maxNumberResults property

Scott Battaglia scott.battaglia at gmail.com
Wed Jul 25 13:41:14 EDT 2007


The way it's currently written, it doesn't seem like it would be beneficial to
return more results (it fails if there is more than one).  There is no hook
or anything to override the returning of the Principal.

-Scott

On 7/21/07, Velpi <velpi at industria.be> wrote:
>
> Actually, that number has been made configurable on purpose, although it
> is not very useful to do that. In case of multiple results you could:
> * merge it into one big string
> * release them to the client as multiple attributes
> * do further processing: eg return one of them according to the requestor
> ... which would all be an extension to this class.
>
> So it may be smart to leave it in as a protected attribute.
>
> --Velpi
>
> Smith, Matt wrote:
> > I would recommend 2 -- there is no reason for anything more, and there
> > may be a performance hit for each extra LDAP entry, depending on the LDAP
> > design (proxy-directory, meta-directory, image or certificate attributes,
> > etc).
> >
> >
> > -----Original Message-----
> > From: cas-dev-bounces at tp.its.yale.edu on behalf of Scott Battaglia
> > Sent: Thu 2007-07-19 11:10
> > To: serac at vt.edu; Mailing list for CAS developers
> > Subject: Re: [cas-dev] CredentialsToLDAPAttributePrincipalResolver and maxNumberResults property
> >
> > Okay, I'm going to set it to 10 (unless there is potentially some
> > possible performance gain by setting it to something such as 2).
> >
> > Thanks
> > -Scott
> >
> > On 7/19/07, Marvin S. Addison <serac at exchange.vt.edu> wrote:
> >> I agree that it should be an implementation detail, and not exposed on
> >> the interface.  Whether it's set to 1 is another matter.  This property
> >> controls the max number of results returned by LDAP.  Limiting
> >> to only 1 result will cause the additional check on number of results
> >> found to always pass even if multiple principals are found:
> >>
> >> if (principalList.size() > 1) {
> >>   log.error("LDAP search returned multiple results "
> >>     + "for filter \"" + searchFilter + "\", "
> >>     + "which is not allowed.");
> >>   return null;
> >> }
> >>
> >> The choices are to set to 1 and remove this additional check, or leave
> >> at some small number, say 10, and leave this condition.  I prefer the
> >> latter since it displays a descriptive message on a very specific
> >> failure condition.  The former solution enforces a one-to-one mapping of
> >> principals even when no such condition is satisfied in LDAP.
> >>
> >> M
> >> _______________________________________________
> >> cas-dev mailing list
> >> cas-dev at tp.its.yale.edu
> >> http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >>
> >
> >
> >



-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
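Marvin's point above, that a size limit of 1 makes the "multiple results" check unreachable so an ambiguous filter silently resolves to whichever entry the server returns first, as an added illustration that is not CAS code; the in-memory directory, the entries and the list used as a stand-in for the logger are all constructed for this example.

```python
# Constructed stand-in for an LDAP directory: each dict is one entry.
# Two entries deliberately share a mail value to model an ambiguous filter.
DIRECTORY = [
    {"dn": "uid=jdoe,ou=people,dc=example,dc=org", "uid": "jdoe",
     "mail": "jdoe@example.org"},
    {"dn": "uid=jdoe2,ou=people,dc=example,dc=org", "uid": "jdoe2",
     "mail": "jdoe@example.org"},
    {"dn": "uid=asmith,ou=people,dc=example,dc=org", "uid": "asmith",
     "mail": "asmith@example.org"},
]


def ldap_search(directory, attribute, value, max_results):
    """Mimic a server-side size limit (maxNumberResults): the server stops
    after max_results matches, so the caller never sees the rest."""
    matches = [e for e in directory if e.get(attribute) == value]
    return matches[:max_results]


def resolve_principal(directory, attribute, value, max_results, log):
    """Resolve attribute=value to a single principal uid, mirroring the
    size() > 1 check quoted in the thread. `log` is a list standing in
    for the logger. Returns None on no match or on an ambiguous match."""
    principal_list = ldap_search(directory, attribute, value, max_results)
    if not principal_list:
        log.append(f"LDAP search returned no results for {attribute}={value}")
        return None
    if len(principal_list) > 1:
        log.append(f'LDAP search returned multiple results for filter '
                   f'"{attribute}={value}", which is not allowed.')
        return None
    return principal_list[0]["uid"]


if __name__ == "__main__":
    for limit in (1, 10):
        log = []
        uid = resolve_principal(DIRECTORY, "mail", "jdoe@example.org", limit, log)
        # limit=1 resolves to "jdoe" with an empty log: the ambiguity is hidden.
        # limit=10 returns None and logs the descriptive error instead.
        print(f"maxNumberResults={limit}: principal={uid!r}, log={log}")
```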