On Wed, Sep 17, 2014 at 5:26 PM, Sebastian Oerding <[email protected]> wrote:

> Hello Kiran,
>
> thanks for your great reply even outlining the code for an interceptor.
> Actually I haven't really started digging into implementing an interceptor
> but I will do so after writing this mail. However currently there are two
> points left open for me.
>
> 1) Reading the outlined code to the line
> q.add(new MyCustomCertRequest(.....));
> (were the negation / notEmpty exchanged?) I do not understand how
> responding to a client is delayed until the certificate is available in the
> fallback case (or do I have to insert it into the cursor).
>

nah, that pseudo code is describing a scenario where, when a cert is not found, the server will not wait till you fetch the cert from a 3rd party server and store

> 2) Due to my requirements the certificates (only X.509 certificates with
> X.509 extension SubjectKeyIdentifier) are requested by the
> subjectKeyIdentifier. Furthermore the revocation state for certificates may
> be set by LDAP requests and certificates may be stored in the LDAP. Except
> for these requests no other requests are valid. Hence if I write an interceptor
> and have a chain of this component, I end up with a chain of Apache DS

are you referring to having multiple instances of ApacheDS? I don't see how having a custom interceptor leads to multiple ApacheDS instances, can you elaborate on what your idea is?

> instances. Each instance in this chain will for example do the same
> verification on the request and so on. Hence I would expect this approach
> leading to a huge performance overhead (notice the worst case scenario of
> over 2.400.000 requests each 900 seconds). Furthermore there are other
> considerations which may prevent using an interceptor. Hence I wonder how
> much it would take me to write a minimal / pseudo LDAP server which only is
> capable of the two specified request types and nothing else.
> However having read RFC 4510, 4511 and having taken a look into related RFCs
> I do not want to implement even "only" my own pseudo server from scratch by
> myself. Thus the question remained whether there is some stuff I can take
> from the Apache DS / related projects to simply listen for incoming requests,
> do my simple parsing and depending on the request, forward it to the LDAP
> server, return the response if there is any and one is expected or fall back
> to the 3rd party system if no certificate is found on the LDAP server. In the
> latter case I want to take the response from the 3rd party system, store it
> on the server and transmit the response to the client as LDAP PDUs
> according to the request.
>

your custom interceptor can perform fetching from the 3rd party store if needed and store and return to the user. This will definitely have an impact on performance because of the network and I/O overhead. This is one reason I suggested you use the async approach, but when a cert is not present in the LDAP server then the user will not receive it in the first request but in a subsequent request, provided the interceptor's async thread fetches the cert from the 3rd party and stores it in the LDAP server.

Can you provide any information about this issue?

>
> Sebastian
>

--
Kiran Ayyagari
http://keydap.com
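The asynchronous fill Kiran describes above (a miss is answered empty right away, a background thread fetches the certificate from the 3rd-party system and stores it, and a later search by the same subjectKeyIdentifier is served from the store), modelled as an added stand-alone example. This is not ApacheDS code and not code from either poster: it uses an in-memory dict in place of the LDAP backend, a simplified certificate record instead of a parsed X.509 structure, and a hypothetical `fetch_from_third_party` callable in place of the real remote lookup. It also adds the check a practitioner would want before caching anything a third party hands back: the SubjectKeyIdentifier extension must match both the identifier that was asked for and the public key the certificate actually carries (RFC 5280 4.2.1.2, method 1), so a mismatched answer never lands in the store.

```python
import hashlib
import queue
import threading


def ski_from_public_key(subject_public_key):
    """RFC 5280 4.2.1.2 method (1): the SKI is the SHA-1 digest of the
    subjectPublicKey bit string (tag, length and unused-bits byte excluded)."""
    return hashlib.sha1(subject_public_key).digest()


def make_cert(subject_public_key, ski=None):
    """Constructed stand-in for a parsed X.509 certificate holding only the
    two fields the cache needs; a real interceptor gets these from a DER parser."""
    if ski is None:
        ski = ski_from_public_key(subject_public_key)
    return {"subjectPublicKey": subject_public_key, "subjectKeyIdentifier": ski}


class CertificateCache:
    """Models the store behind the interceptor plus the asynchronous fill:
    a miss is answered empty immediately, one background fetch is queued,
    and a later search for the same SKI is served from the store."""

    def __init__(self, fetch_from_third_party):
        self._fetch = fetch_from_third_party  # hypothetical callable(ski) -> cert or None
        self._store = {}                      # ski -> {"cert": ..., "revoked": bool}
        self._pending = set()                 # SKIs with a fetch already in flight
        self._lock = threading.Lock()
        self._queue = queue.Queue()
        self.rejected = 0                     # fetched certs that failed the SKI check
        threading.Thread(target=self._worker, daemon=True).start()

    def search_by_ski(self, ski):
        """The one search the server answers: lookup by SubjectKeyIdentifier."""
        with self._lock:
            entry = self._store.get(ski)
            if entry is not None:
                return entry
            # Miss: queue at most one fetch per SKI, so a burst of identical
            # requests does not fan out into a burst of 3rd-party calls.
            if ski not in self._pending:
                self._pending.add(ski)
                self._queue.put(ski)
        return None  # the client sees an empty result on this request

    def set_revoked(self, ski, revoked=True):
        """The other permitted operation: update the revocation state."""
        with self._lock:
            entry = self._store.get(ski)
            if entry is None:
                return False
            entry["revoked"] = revoked
            return True

    def wait_until_idle(self):
        """Block until every queued fetch has finished (for the demo and tests)."""
        self._queue.join()

    def _accept(self, requested_ski, cert):
        """Only cache a cert whose SKI extension matches both the identifier
        that was asked for and the public key the cert actually carries."""
        ext = cert.get("subjectKeyIdentifier")
        return (ext == requested_ski
                and ext == ski_from_public_key(cert["subjectPublicKey"]))

    def _worker(self):
        while True:
            ski = self._queue.get()
            try:
                try:
                    cert = self._fetch(ski)
                except Exception:  # a failing 3rd-party call must not kill the worker
                    cert = None
                if cert is None:
                    pass  # genuinely unknown: nothing to store
                elif self._accept(ski, cert):
                    with self._lock:
                        self._store[ski] = {"cert": cert, "revoked": False}
                else:
                    self.rejected += 1
            finally:
                with self._lock:
                    self._pending.discard(ski)
                self._queue.task_done()


# Constructed sample data: one honest certificate, and a 3rd party that also
# hands back a certificate whose SKI extension does not match its public key.
KEY_A = b"constructed subjectPublicKey bytes A"
SKI_A = ski_from_public_key(KEY_A)
KEY_B = b"constructed subjectPublicKey bytes B"
SKI_UNKNOWN = bytes(20)


def sample_third_party(ski):
    if ski == SKI_A:
        return make_cert(KEY_A)
    return make_cert(KEY_B, ski=ski)  # extension claims `ski`, the key says otherwise


if __name__ == "__main__":
    cache = CertificateCache(sample_third_party)
    print("first search:", cache.search_by_ski(SKI_A))   # None: fetch queued
    cache.wait_until_idle()
    print("second search:", cache.search_by_ski(SKI_A))  # served from the store
    cache.search_by_ski(SKI_UNKNOWN)
    cache.wait_until_idle()
    print("rejected:", cache.rejected)
```

In the real deployment the dict is the LDAP backend reached through the rest of the interceptor chain and `wait_until_idle` has no counterpart: the client simply retries. Note that a search for an identifier the 3rd party cannot satisfy re-queues a fetch on every miss; at the request rates Sebastian mentions, a short negative cache of recent misses would bound the number of outbound calls.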
