[ https://issues.apache.org/jira/browse/AMQ-6148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15131284#comment-15131284 ]

JIE CHEN commented on AMQ-6148:
-------------------------------

Hi Timothy,
I am talking about AUTHENTICATION, not authorization. The cached LDAP 
Authorization Map does NOT help at all. 
In our case, we have hundreds of application servers, and we use a pooled 
connection factory with a max connection number of 5. The ActiveMQ server has to 
create more than a thousand connections to the LDAP service when it is trying to 
establish the huge number of connections from the application servers. That does 
not make sense, and the LDAP server could deny access due to the huge number of 
connections to it. Think about it: if we have 5 ActiveMQ servers, each server has 
to create 1000 connections to the LDAP server. Sooner or later, the LDAP server 
will be exhausted.

This is a real ISSUE when we are trying to adopt ActiveMQ for big application 
clusters.

Thanks

> When use LDAP auth, Activemq should not always connect to ldap service to do 
> authentication
> -------------------------------------------------------------------------------------------
>
>                 Key: AMQ-6148
>                 URL: https://issues.apache.org/jira/browse/AMQ-6148
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.11.1
>            Reporter: JIE CHEN
>            Priority: Critical
>
> I am using an LDAP service to do authentication for ActiveMQ, and I found that 
> every time ActiveMQ servers try to establish a connection with an ActiveMQ 
> client, the ActiveMQ server will create a connection to the LDAP server to do 
> authentication. That is not good; think about when there are thousands of 
> ActiveMQ clients trying to connect to ActiveMQ servers: the ActiveMQ 
> servers will need to create thousands of connections to LDAP servers. And 
> moreover it is not reliable either, because the connection between LDAP 
> servers and ActiveMQ servers could be broken sometimes. We need something 
> similar to the Cached LDAP Authorization Module. It is more reasonable that 
> ActiveMQ will cache the LDAP account credential in local memory and refresh 
> it at a certain interval.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
