Hello Kiran,
thanks for your great reply even outlining the code for an interceptor.
Actually I haven't really started digging into implementing an
interceptor but I will do so after writing this mail. However currently
there are two points left open for me.
1) Reading the outlined code to the line
q.add(new MyCustomCertRequest(.....));
(were the negation / notEmpty exchanged?) I do not understand how
responding to a client is delayed until the certificate is available in
the fallback case (or do I have to insert it into the cursor).
2) Due to my requirements the certificates (only X.509 certificates with
X.509 extension SubjectKeyIdentifier) are requested by the
subjectKeyIdentifier. Furthermore the revocation state for certificates
may be set by LDAP requests and certificates may be stored in the LDAP.
Except for these requests, no other requests are valid. Hence if I write an
interceptor and have a chain of these components, I end up with a chain of
Apache DS instances. Each instance in this chain will for example do the
same verification on the request and so on. Hence I would expect this
approach leading to a huge performance overhead (notice the worst case
scenario of over 2.400.000 requests every 900 seconds). Furthermore there
are other considerations which may prevent using an interceptor. Hence I
wonder how much it would take me to write a minimal / pseudo LDAP server
which only is capable of the two specified request types and nothing
else. However having read RFC 4510, 4511 and having taken a look into
related RFCs I do not want to implement even "only" my own pseudo server
from scratch by myself. Thus the question remained whether there is
some stuff I can take from the Apache DS / related projects to simply
listen for incoming requests, do my simple parsing and depending on the
request, forward it to the LDAP server, return the response if there is
any and one is expected, or fall back to the 3rd party system if no
certificate is found on the LDAP server. In the latter case I want to
take the response from the 3rd party system, store it on the server and
transmit the response to the client as LDAP PDUs according to the request.
Can you provide any information about this issue?
Sebastian
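The request flow Sebastian describes (accept only a search by subjectKeyIdentifier and a revocation-state update, answer from the LDAP store, otherwise fetch from the 3rd party system, store it, then answer) as an added sketch that is not from this thread and not Apache DS code: the in-memory dict standing in for the LDAP server, the callable standing in for the 3rd party system, and the class and function names are all hypothetical.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# The only search filter this frontend accepts: (subjectKeyIdentifier=<hex of the SKI extension value>).
# Anything else is rejected before any backend is touched, so the "only two request types" rule
# is enforced once, at the edge, instead of in every element of an interceptor chain.
SKI_FILTER = re.compile(r"^\(subjectKeyIdentifier=([0-9a-fA-F]{2}(?::?[0-9a-fA-F]{2})*)\)$")

def parse_ski_filter(ldap_filter: str) -> Optional[bytes]:
    """Return the SubjectKeyIdentifier bytes from a well-formed filter, or None for any other filter."""
    m = SKI_FILTER.match(ldap_filter)
    return bytes.fromhex(m.group(1).replace(":", "")) if m else None

class CertFrontend:
    """Hypothetical minimal handler: search by SKI with 3rd-party fallback, plus revocation-state updates."""

    def __init__(self, ldap_store: Dict[bytes, dict], third_party: Callable[[bytes], Optional[bytes]]):
        self.ldap = ldap_store          # stands in for the LDAP server: SKI -> {"cert": bytes, "revoked": bool}
        self.third_party = third_party  # stands in for the 3rd party system: SKI -> DER certificate or None

    def search(self, ldap_filter: str) -> Tuple[str, Optional[dict]]:
        ski = parse_ski_filter(ldap_filter)
        if ski is None:
            return ("unwillingToPerform", None)   # not one of the two permitted request types
        entry = self.ldap.get(ski)
        if entry is None:
            # Fallback: the client's response is not sent until this call returns, so the
            # "wait for the certificate" requirement is met by doing the fetch synchronously here.
            cert = self.third_party(ski)
            if cert is None:
                return ("noSuchObject", None)
            # Before storing, a real implementation must parse the DER and check that its
            # SubjectKeyIdentifier extension equals the requested ski; omitted here (no X.509 parser).
            entry = {"cert": cert, "revoked": False}
            self.ldap[ski] = entry               # store on the server so the next lookup is local
        return ("success", entry)

    def set_revoked(self, ski_hex: str, revoked: bool) -> str:
        ski = parse_ski_filter(f"(subjectKeyIdentifier={ski_hex})")
        if ski is None or ski not in self.ldap:
            return "noSuchObject"                # only existing, locally stored certificates can be flagged
        self.ldap[ski]["revoked"] = revoked
        return "success"

def demo() -> CertFrontend:
    """Constructed sample: the 3rd party system knows exactly one certificate, SKI 0a1b."""
    known = {bytes.fromhex("0a1b"): b"DER-CERT-0A1B"}   # constructed placeholder, not a real certificate
    return CertFrontend({}, lambda ski: known.get(ski))
```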