[Satosa-dev] further work on the LDAP attribute store

Scott Koranda skoranda at gmail.com
Thu Sep 28 20:43:20 CEST 2017


I just created 3 pull requests in the new microservices repository that
add functionality to the LDAP attribute store:

1) Ignore an SP if so configured so that no attempt to lookup attributes
in the LDAP will be attempted (i.e. no attempt to look up attributes). This is useful in particular when a
COmanage SP is behind the proxy and you want to just pass through the
attributes asserted by the IdP (or perhaps manage them with other
microservices first but not look up the user in LDAP).

2) The refactoring of how attributes asserted by the IdP are processed
to find the "primary identifier" that is then used to look up the user in
LDAP. This is a breaking change in configuration syntax that I mentioned

3) The ability to redirect to a configured URL if no record is returned
from LDAP. This is useful if the user has not enrolled in a VO and you
want to forward to an enrollment page or the like.

Also, a "heads up" that I am beginning another enhancement. 

I did the "easy thing" first with LDAP, so the code right now opens a
connection, binds, does the search(es), then unbinds for each trip
through the proxy. Doing so is not, of course, optimal from the
performance perspective.

So I am evolving the code so that connection pools will be set up, one
for each LDAP server, when the proxy starts up and during a trip through
the proxy an existing connection should be used. In my early testing
this decreased the amount of time spent at the proxy by a factor of 5,
but of course the network "distance" between the proxy and LDAP affects
that and I am testing with the proxy local and the LDAP server not
local, so I do not expect such a large gain in production, but it should
be noticeably faster for the user.

If you have any questions or concerns about the LDAP attribute store
please let me know.


Scott K
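As an added illustration of the connection pooling described in the message above (example code, not Scott's pull request or SATOSA's LDAP attribute store): one pool of already-bound connections per configured LDAP server, built when the proxy starts and reused for each lookup, with a connection the server has dropped re-established before use so a request never runs a search on a dead or unbound handle. The LDAP client class, the server URLs, the `eppn` primary identifier and the directory contents are constructed stand-ins so the example runs offline.

```python
import queue
from contextlib import contextmanager


class FakeLdapConnection:
    """Constructed stand-in for a real LDAP client; counts binds so reuse is visible."""
    binds = 0  # total binds performed across all connections

    def __init__(self, url, directory):
        self.url, self.directory, self.bound = url, directory, False

    def bind(self):
        FakeLdapConnection.binds += 1
        self.bound = True

    def search(self, attr, value):
        # A pooled connection must already hold the service bind; never rebind
        # it as an end user, or later requests would search under that identity.
        assert self.bound, "search on an unbound connection"
        return [e for e in self.directory if e.get(attr) == value]


class LdapPool:
    """Fixed number of bound connections to one LDAP server, created at start-up."""

    def __init__(self, url, directory, size):
        self.url, self.directory = url, directory
        self._free = queue.Queue()
        for _ in range(size):
            self._free.put(self._connect())

    def _connect(self):
        conn = FakeLdapConnection(self.url, self.directory)
        conn.bind()
        return conn

    @contextmanager
    def connection(self):
        conn = self._free.get()  # blocks when all connections are in use
        try:
            if not conn.bound:   # dropped by idle timeout or restart: re-establish
                conn = self._connect()
            yield conn
        finally:
            self._free.put(conn)  # return the (possibly new) connection to the pool


def build_pools(ldap_servers, size=2):
    """One pool per configured LDAP server (url -> directory), built once at start-up."""
    return {url: LdapPool(url, directory, size) for url, directory in ldap_servers.items()}


def lookup_user(pools, url, primary_id, redirect_url):
    """Search by the primary identifier; no record means redirect (e.g. to enrollment)."""
    with pools[url].connection() as conn:
        records = conn.search("eppn", primary_id)
    return records[0] if records else {"redirect": redirect_url}
```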
