To close the loop. Also posted question to shiro-user list. No response... but findings added there.
http://mail-archives.apache.org/mod_mbox/shiro-user/201801.mbox/%3CCABYmcBhzv6ju8b%3D47AgfyPeP%3DEKhhCfrzhCqUggKY_%3Db-7zswg%40mail.gmail.com%3E

> From: Quiroga, David F.
> Sent: Thursday, December 14, 2017 7:34 AM
> To: [email protected]
> Subject: RE: LDAP Connection Performance
>
> Hello,
>
> We are using Knox 0.9 on HDP-2.5 configured to use a Shiro cache against secure ldap (over port 636).
> Apologies if my terms are incorrect there, basically something like:
>
> <param>
> <name>main.ldapContextFactory</name>
> <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
> </param>
> <param>
> <name>main.ldapRealm.contextFactory</name>
> <value>$ldapContextFactory</value>
> </param>
> <param>
> <name>main.ldapRealm.contextFactory.url</name>
> <value>ldaps://ldap.domain.org:636</value>
> </param>
>
> Recently we came across
> com.sun.jndi.ldap.connect.pool.protocol = A list of space-separated protocol types of connections that may be pooled. Valid types are "plain" and "ssl".
> default: "plain"
> https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
>
> Pooling the ldap connection for "SSL" improved the performance of our Ambari server.
> https://issues.apache.org/jira/browse/AMBARI-22642
>
> Do you think Knox would benefit from having this option enabled?
> With the Shiro cache we don't connect to source LDAP that often (2-6 calls per min) but there is some cost in establishing TLS connection.
>
> Any other thoughts on best practices / configuration regarding the connection to source LDAP?
>
> Thanks
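Added example, not from this thread nor from the Knox or Shiro code bases: a standalone Java program showing the JNDI settings the question is about. The pool properties are JVM-wide system properties (the same ones Knox's gateway JVM would need as -D options); the host, bind DN, search base and the LDAP_BIND_PASSWORD variable are assumed placeholders.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class PooledLdapsLookup {
    // The pool properties are read once, when the JNDI LDAP provider initialises:
    // prefer -D options on the JVM; this only works before the first LDAP context exists.
    static void configurePool() {
        // Default is "plain", so ldaps:// contexts are never pooled unless "ssl" is listed.
        System.setProperty("com.sun.jndi.ldap.connect.pool.protocol", "plain ssl");
        // Close idle pooled connections after 5 min so a bound TLS session does not linger.
        System.setProperty("com.sun.jndi.ldap.connect.pool.timeout", "300000");
        // Log pool activity to stderr to confirm ldaps connections are really reused.
        System.setProperty("com.sun.jndi.ldap.connect.pool.debug", "fine");
    }

    static Hashtable<String, String> pooledEnv(String url, String bindDn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Per-context opt-in; only honoured for protocols listed in pool.protocol.
        env.put("com.sun.jndi.ldap.connect.pool", "true");
        return env;
    }

    // Counts entries matching filter; close() returns the connection to the pool (keyed by
    // host, port, protocol and bind identity) instead of tearing down the TLS session.
    static int countEntries(Hashtable<String, String> env, String base, String filter) throws NamingException {
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
            int n = 0;
            while (results.hasMore()) { results.next(); n++; }
            return n;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        configurePool();
        String pw = Objects.requireNonNull(System.getenv("LDAP_BIND_PASSWORD"), "set LDAP_BIND_PASSWORD");
        Hashtable<String, String> env = pooledEnv("ldaps://ldap.example.org:636", "uid=knox-svc,dc=example,dc=org", pw);
        for (int i = 0; i < 3; i++) {   // repeated lookups reuse the pooled ldaps connection
            System.out.println(countEntries(env, "ou=people,dc=example,dc=org", "(objectClass=person)"));
        }
    }
}
```

With pool.debug set, the provider prints whether each context was served from the pool, which is the quickest way to verify the setting took effect in a given JVM. Pooling is also refused for contexts that set a custom java.naming.ldap.factory.socket unless that factory is written to support it, so a gateway that supplies its own socket factory (for example to load a truststore) should be checked the same way before assuming reuse.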
