From: Dominique Petitpierre < >
To: casgeneric-users@esup-portail.org
Cc: 'Frederic Jacquot' >
Subject: Re: RE : [casgeneric-users] Secure LDAP
Date: Thu, 24 Mar 2005 11:23:18 +0100
Organization: University of Geneva

Hello,

On 24.03.2005 01:56, Pascal Aubry wrote:
> The GH should normally handle LDAPS connections, but it has never been
> tested by us (we use an LDAP connection over a private VLAN).

We have configured CAS Generic Handler to use LDAP over SSL and it works.
See the genericHandler.xml example in the annex. We customized the
certificate location in LdapServer.java:

-----
    protected final DirContext connect(final String bindDn, final String bindPassword) {
        DirContext connection = null;
        traceBegin();
        // Trust store holding the LDAP server's certificate. These are JVM-wide
        // system properties, so they apply to every SSL client in this Tomcat,
        // not only to this handler.
        System.setProperty("javax.net.ssl.trustStore",
                "/usr/local/tomcat/webapps/cas/WEB-INF/keystore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "secretpasswd");
-----

But I take advantage of this thread to restate a question sent a few months ago:

---
Has anybody configured connection pooling in an LDAP authentication handler
for CAS? (cf. http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html ;)
Does it make sense in the CAS server/Tomcat context?

I am considering pooling in order to alleviate the load induced by
establishing SSL connections to the LDAP server when authenticating. For
example, the way it is implemented in BindLdapHandler of the ESUP CAS Generic
Handler causes two connections to the LDAP server for each authentication.
If SSL (ldaps) is used, it can be very heavy on both the CAS server and the
LDAP server! It would be better to be able to reuse an established SSL
connection.

If you have such code that you are willing to share, let me know.
Thanks in advance for your answers!
---

The issue is not LDAPS specific: just establishing a TCP connection twice per
authentication could also be a burden in case of peak loads; but SSL makes it
an order of magnitude heavier. It would be better to have a permanent
connection, re-established when something causes it to drop. JNDI LDAP
connection pooling would do that.

Best regards,
Dominique

--
Mr Dominique Petitpierre      Email: User@Domain
Division Informatique         User=Dominique.Petitpierre
University of Geneva          Domain=adm.unige.ch

Annex: genericHandler.xml (configured values only):
    org.esupportail.cas.server.handlers.ldap.BindLdapHandler
    ou=people,dc=university,dc=edu
    uid=%u
    one
    ldaps://ldapserver.university.edu
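The message above asks how the search-then-bind flow of BindLdapHandler could reuse an established LDAPS connection through JNDI pooling. The following is an added example of that flow, written for this page; it is not code from the ESUP CAS Generic Handler or from the thread. The server URL, search base, filter and scope are the values from the annex; the read-only service account cn=casreader,dc=university,dc=edu and the cas.ldap.* system properties are assumptions. Two points that are easy to miss: the JDK pool only covers "plain" connections unless com.sun.jndi.ldap.connect.pool.protocol lists "ssl" as well, and a pooled connection is only reused when the environment (URL, principal, credentials, protocol) is identical, so the per-user bind is left unpooled and only the service-account search connection benefits.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Search-then-bind authentication over LDAPS with JNDI connection pooling.
 * Added example, not code from the ESUP CAS Generic Handler. URL, base, filter
 * and scope come from the annex; SERVICE_DN and the cas.ldap.* properties are
 * assumptions for the sake of the example.
 */
public class PooledLdapsAuthenticator {

    private static final String URL = "ldaps://ldapserver.university.edu";
    private static final String BASE = "ou=people,dc=university,dc=edu";
    // Hypothetical read-only account used only for the DN lookup.
    private static final String SERVICE_DN = "cn=casreader,dc=university,dc=edu";
    private static final String SERVICE_PASSWORD = System.getProperty("cas.ldap.password");

    static {
        // JVM-wide settings, read once by the LDAP provider; they could equally
        // be given to Tomcat as -D flags instead of being set here.
        System.setProperty("javax.net.ssl.trustStore", System.getProperty("cas.ldap.truststore",
                "/usr/local/tomcat/webapps/cas/WEB-INF/keystore.jks"));
        // Default is "plain": without "ssl" here, ldaps:// contexts are never pooled
        // and every request still pays a full TLS handshake.
        System.setProperty("com.sun.jndi.ldap.connect.pool.protocol", "plain ssl");
        System.setProperty("com.sun.jndi.ldap.connect.pool.maxsize", "8");
        // Idle pooled connections older than this (ms) are closed rather than reused.
        System.setProperty("com.sun.jndi.ldap.connect.pool.timeout", "300000");
    }

    private static Hashtable<String, Object> baseEnv() {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");   // ms, TCP/TLS setup
        env.put("com.sun.jndi.ldap.read.timeout", "10000");     // ms, per operation
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        return env;
    }

    /** Step 1: resolve uid to a DN on the pooled service-account connection. */
    static String findDn(String uid) throws NamingException {
        if (uid == null || uid.isEmpty()) {
            return null;
        }
        Hashtable<String, Object> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, SERVICE_DN);
        env.put(Context.SECURITY_CREDENTIALS, SERVICE_PASSWORD);
        env.put("com.sun.jndi.ldap.connect.pool", "true");   // reuse across requests
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE); // the annex's scope "one"
            sc.setReturningAttributes(new String[0]);         // only the DN is needed
            sc.setCountLimit(2);                              // enough to detect duplicates
            // {0} is escaped by JNDI, so a uid such as "*)(uid=*" cannot widen the filter.
            NamingEnumeration<SearchResult> results =
                    ctx.search(BASE, "(uid={0})", new Object[] {uid}, sc);
            if (!results.hasMore()) {
                return null;
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                throw new NamingException("uid is not unique: " + uid);
            }
            return dn;
        } finally {
            ctx.close(); // hands the connection back to the pool; no TLS teardown
        }
    }

    /** Step 2: prove the password by binding as the user. Deliberately not pooled:
     *  per-user credentials would only fill the pool with single-use connections. */
    static boolean bind(String dn, String password) throws NamingException {
        // A DN with an empty password is an unauthenticated bind (RFC 4513) that some
        // servers, Active Directory among them, treat as anonymous and accept.
        if (dn == null || password == null || password.isEmpty()) {
            return false;
        }
        Hashtable<String, Object> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();
            return true;
        } catch (AuthenticationException e) {
            return false; // bad password; other NamingExceptions propagate as errors
        }
    }

    public static boolean authenticate(String uid, String password) throws NamingException {
        String dn = findDn(uid);
        return dn != null && bind(dn, password);
    }
}
```

With this layout one of the two connections per login described above becomes a pool hit after warm-up, which halves the TLS handshakes; the remaining handshake is inherent to binding as the user. Callers should keep the empty-password check even if the directory is known to reject unauthenticated binds, since that server-side setting is the kind of thing that changes silently.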