Hello, We are using Knox 0.9 on HDP-2.5 configured to use a Shiro cache against secure ldap (over port 636). Apologies if my terms are incorrect there, basically something like:
  <param>
    <name>main.ldapContextFactory</name>
    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
  </param>
  <param>
    <name>main.ldapRealm.contextFactory</name>
    <value>$ldapContextFactory</value>
  </param>
  <param>
    <name>main.ldapRealm.contextFactory.url</name>
    <value>ldaps://ldap.domain.org:636</value>
  </param>

Recently we came across:

com.sun.jndi.ldap.connect.pool.protocol = A list of space-separated protocol types of connections that may be pooled. Valid types are "plain" and "ssl". default: "plain"
https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html

Pooling the ldap connection for "SSL" improved the performance of our Ambari server.
https://issues.apache.org/jira/browse/AMBARI-22642

Do you think Knox would benefit from having this option enabled? With the Shiro cache we don't connect to source LDAP that often (2-6 calls per min) but there is some cost in establishing TLS connection.

Any other thoughts on best practices / configuration regarding the connection to source LDAP?

Thanks
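The behaviour the question turns on, as an added stand-alone Java example (not Knox's or Shiro's own code): JNDI only pools ldaps:// connections when the JVM-wide system property com.sun.jndi.ldap.connect.pool.protocol includes "ssl", and the pool debug property lets you see whether a connection is reused. The URL is the one from the post; the bind DN, search base and password variable are placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;

/** Constructed check: are LDAPS connections actually being pooled? */
public class LdapsPoolCheck {
    // URL taken from the post; bind DN and search base are placeholders.
    static final String URL = "ldaps://ldap.domain.org:636";
    static final String BIND_DN = "uid=PLACEHOLDER,ou=people,dc=domain,dc=org";
    static final String BASE_DN = "dc=domain,dc=org";
    static final String BIND_PW = System.getenv("LDAP_BIND_PW"); // placeholder env var

    public static void main(String[] args) throws NamingException {
        // Pool settings are JVM-wide system properties and must be set before the
        // first LDAP context is created; in a server they belong in the -D JVM flags.
        // The default list is "plain", so ldaps:// contexts are NOT pooled unless
        // "ssl" is added here.
        System.setProperty("com.sun.jndi.ldap.connect.pool.protocol", "plain ssl");
        // Print pool activity (create/reuse/release) to stderr for verification.
        System.setProperty("com.sun.jndi.ldap.connect.pool.debug", "fine");

        // Three contexts in a row: with pooling active, only the first one
        // should perform a TLS handshake; the others reuse the pooled socket.
        for (int i = 0; i < 3; i++) {
            DirContext ctx = new InitialDirContext(env());
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                ctx.search(BASE_DN, "(uid=PLACEHOLDER)", sc).close();
            } finally {
                ctx.close(); // returns the connection to the pool rather than closing the socket
            }
        }
    }

    static Hashtable<String, String> env() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // "simple" is poolable by default
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        env.put("com.sun.jndi.ldap.connect.pool", "true"); // per-context opt-in to pooling
        return env;
    }
}
```

Run it once with the protocol property line removed and once with it present: the debug output shows a fresh connection per iteration in the first case and reuse in the second.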
