> On Jan 6, 2016, at 8:52 AM, Emmanuel Lécharny <[email protected]> wrote: > > Le 06/01/16 15:00, Jan Sindberg a écrit : >> If there is no connection to the LDAP, then it is no longer possible to >> create an AccessMgrFactory. >> >> First we get: >> org.apache.directory.fortress.core.CfgRuntimeException: static init: Error >> loading from cfg file: [fortress.properties] >> SecurityException=org.apache.directory.fortress.core.FinderException: >> getConfig dn [cn=DEFAULT,ou=Config,dc=example,dc=com] caught >> LdapException=INVALID_CREDENTIALS: Bind failed: ERR_316 Directory service is >> not started., errCode=127 >> >> On subsequent calls we get: >> java.lang.NoClassDefFoundError: Could not initialize class >> org.apache.directory.fortress.core.AccessMgrFactory >> >> Is there a way to handle this and make the Fortress core api reconnect later? > > Complicated... > > Fortress is storing all the Authz information in a remote server, and if > it's not reachable, then you won't be able to make any decision. > > AFAIR, we had internal discussion about setting up a local cache within > the API to allow Fortress to keep going even if the remote LDAP server > is down. I'm not sure it's in Fortress atm, and I'm not sure we decided > anything about such an addition... > > Shawn ?
I think it would be a lot of work to satisfy a corner case. But you might wonder why instantiating a manager component is hitting the remote server in the first place. The reason is fortress stores much of its parameters on the remote server itself in a configuration node. For explanation check out this writeup: https://github.com/apache/directory-fortress-core/blob/master/README-CONFIG.md The runtime is in the process of pulling back that config info when it gets the connection error and gives up. There might be a case where we want to delay hitting that server, or maybe allow it to retry later, i.e. at regular intervals. Not as complicated as caching the information, but tricky. It would require rewiring how the configuration subsystem and ldap pooling mechanisms work. Worth considering, but we need to be careful here, no guarantees against overcomplicating or creating new problems. Shawn
