We have a use case where we need a custom status attribute for user identities. We have also created a custom authentication interceptor that checks the status attribute on bind; depending on the status, we throw an LdapAuthenticationException and report the status in the message. Our SSO solution then uses this during the authentication process. This is all working as needed.

The issue we run into is related to the caching policies within ApacheDS. The first time a user identity attempts to log in to our SSO application, the bind event is triggered and the status is checked. After that, the result of the bind is cached, so the next time the user logs in the bind event is not triggered. Because of this, if the user's status is changed after they have logged in, the new status is not reported until the cache clears.

After reviewing the ApacheDS code, I see there is some logic within ApacheDS to remove the user object from the cache when the user's password is changed. Is there a way to also do this for a custom attribute like the one we have for status, either through configuration or through custom code? If we have to, we will set the expectation with our customers that any changes to status could take up to x amount of time to take effect, but I would prefer to have these changes be real time if possible. Also, what is the caching time for authentication, and does it use sliding expiration? Thank you in advance.
Thanks, Justin Isenhour | Lead Developer, Systems and Technology Group | Compass Group USA | 2400 Yorkmont Road | Charlotte, NC 28217 | 704.328.5804 | justin.isenh...@compass-usa.com