Great. How can we help you integrate it?
Regards, 2016-03-11 22:36 GMT+02:00 Robert Munn <[email protected]>: > Hi all. I’ve been using James for awhile and have made a couple of patches > in the code that have been put into the trunk. > > I would like to suggest that the “restriction" attribute of the LDAP users > repository be deprecated in favor of the “filter” attribute I added. O(1) > v. O(n) performance is the reason I am suggesting that the restriction > attribute be deprecated. Sorry if I am going about this wrong, I would just > hate for new James implementors to by hobbled by unnecessary performance > limitations. > > > If you look at the source code in ReadOnlyUsersLDAPRepository.java, you > can see the flaws in the restriction attribute: > > 1. It only works with LDAP groups, it provides no other way to filter > users. > 2. Algorithm for filtering by group is O(n) for n number of users in the > group. > > > > By comparison, the filter attribute takes advantage of the LDAP server’s > internal query mechanism, so it’s advantages are: > > 1. Can filter by any valid filter string supported by the LDAP server. > Group membership is supported, but so could any other restriction desired, > such as active flag, etc. > 2. Search algorithm is O(1) for filtering a user by group. > > Essentially, if you use the filter attribute to filter by group, you can > skip the iterator code associated with the restriction attribute. A filter > string by group in my implementation looks like this: > > > (objectClass=inetOrgPerson)(memberOf=cn=EmailUsers,ou=groups,DC=domain,DC=com) > > which is basically what you would put in the memberAttribute and group > attribute of restriction. Testing a valid filter string against LDAP is > easy using any standard LDAP query tool. > > > > I have attached some of the code from ReadOnlyUsersLDAPRepository.java to > illustrate what I am saying. > > > // config for restriction > > HierarchicalConfiguration restrictionConfig = null; > // Check if we have a restriction we can use > // See JAMES-1204 > if (configuration.containsKey("restriction[@memberAttribute]")) { > restrictionConfig = > configuration.configurationAt("restriction"); > } > restriction = new ReadOnlyLDAPGroupRestriction(restrictionConfig); > > //config for filter > > filter = configuration.getString("[@filter]”); > > // main LDAP query > private ReadOnlyLDAPUser searchAndBuildUser(String name) throws > NamingException { > SearchControls sc = new SearchControls(); > sc.setSearchScope(SearchControls.SUBTREE_SCOPE); > sc.setReturningAttributes(new String[] { userIdAttribute }); > sc.setCountLimit(1); > > StringBuilder builderFilter = new StringBuilder("(&("); > > builderFilter.append(userIdAttribute).append("=").append(name).append(")") > > .append("(objectClass=").append(userObjectClass).append(")"); > > if(StringUtils.isNotEmpty(filter)){ > builderFilter.append(filter).append(")"); > } > else{ > builderFilter.append(")"); > } > > NamingEnumeration<SearchResult> sr = ldapContext.search(userBase, > builderFilter.toString(), > sc); > > if (!sr.hasMore()) > return null; > > SearchResult r = sr.next(); > Attribute userName = r.getAttributes().get(userIdAttribute); > > if (!restriction.isActivated() > || userInGroupsMembershipList(r.getNameInNamespace(), > restriction.getGroupMembershipLists(ldapContext))) > return new ReadOnlyLDAPUser(userName.get().toString(), > r.getNameInNamespace(), ldapContext); > > return null; > } > > // restriction filtering algorithm > private boolean userInGroupsMembershipList(String userDN, > Map<String, Collection<String>> groupMembershipList) { > boolean result = false; > > Collection<Collection<String>> memberLists = > groupMembershipList.values(); > Iterator<Collection<String>> memberListsIterator = > memberLists.iterator(); > > while (memberListsIterator.hasNext() && !result) { > Collection<String> groupMembers = memberListsIterator.next(); > result = groupMembers.contains(userDN); > } > > return result; > } > > > > In addition, I just wanted to say thanks to everyone who has contributed > to James. It’s an awesome project made better by all of your efforts. > > Robert > > > -- Ioan Eugen Stan 0720 898 747
