Add cache for LDAP certificates #36
Comments
In case caching is something that would be considered a helpful feature, we'd be happy to provide the functionality for this (e.g., create a pull request).
We have discussed this topic. Our thinking is that this should be implemented as an LRU heap cache (maybe using
If you have such an implementation, your merge request would be very welcome. Otherwise, let's discuss your design.
Your proposed approach sounds like a good idea. Just a little background on what we used so far (and why):
For caching, we decorated our LDAP client with a read-through implementation built upon Caffeine. Here, we use a two-phase eviction strategy:
This code snippet might make it clearer how the cache is configured (pretty standard, nothing exotic here):
Since this is something that we used outside of SECON, this would need to be adjusted to match the call structure of the SECON library. So far, though, our experience with Caffeine has been quite good. Thanks, and a happy new year to you!
Currently, secon-tool supports loading certificates from LDAP servers directly. This works well for environments where highly available access to at least one LDAP server can be ensured. In order to improve operability in environments where high LDAP availability is not guaranteed, it would be desirable to have cached certificate data available. This would allow functionality even in case of temporarily unavailable LDAP servers. As certificate data for a given organisation changes only every few years, the risk of using outdated certificate information is relatively low.
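The following is an added example illustrating the design discussed in this thread (a read-through certificate cache that keeps serving during an LDAP outage, as the issue asks for, configured with Caffeine as the comment above describes). It is not secon-tool code and not the snippet the commenter refers to, which is not reproduced on this page. The `CertificateDirectory` interface, the cache size, the 1-hour refresh and 30-day hard expiry, and the refresh/expire split itself are assumptions made for the example; only the Caffeine builder calls (`maximumSize`, `refreshAfterWrite`, `expireAfterWrite`, `build`) and `LoadingCache.get`/`invalidate` are real library API.

```java
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.LoadingCache;

import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.concurrent.CompletionException;

/** Hypothetical directory abstraction (assumed for this example; secon-tool's real LDAP client API is not shown on this page). */
interface CertificateDirectory {
    /** Returns the published certificate for the address, or null if none is published; throws if the directory is unreachable. */
    X509Certificate lookup(String email) throws IOException;
}

/**
 * Read-through cache decorating a CertificateDirectory.
 *
 * Two-phase expiry (an assumption for this example, not the strategy from the thread):
 *  - refreshAfterWrite: after REFRESH the next read triggers an asynchronous reload from LDAP.
 *    If LDAP is unreachable the reload fails and Caffeine keeps the old entry, so lookups
 *    keep working during an outage.
 *  - expireAfterWrite: after MAX_AGE the entry is dropped regardless, bounding how stale a
 *    certificate can get if LDAP stays down.
 */
public final class CachingCertificateDirectory implements CertificateDirectory {
    private static final Duration REFRESH = Duration.ofHours(1);   // assumed value
    private static final Duration MAX_AGE = Duration.ofDays(30);   // assumed value

    private final LoadingCache<String, X509Certificate> cache;

    public CachingCertificateDirectory(CertificateDirectory ldap) {
        this.cache = Caffeine.newBuilder()
                .maximumSize(10_000)        // bounded; Caffeine evicts by W-TinyLFU, not strict LRU
                .refreshAfterWrite(REFRESH)
                .expireAfterWrite(MAX_AGE)
                .build(ldap::lookup);       // loader; its checked IOException is unwrapped in load()
    }

    @Override
    public X509Certificate lookup(String email) throws IOException {
        X509Certificate cert = load(email);
        if (cert == null) {
            return null;
        }
        try {
            // A certificate can expire while it sits in the cache. Never hand out an expired or
            // not-yet-valid certificate just because the cache still holds it.
            cert.checkValidity();
            return cert;
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            cache.invalidate(email);        // drop the stale entry and force a fresh LDAP read
            X509Certificate fresh = load(email);
            if (fresh == null) {
                return null;
            }
            try {
                fresh.checkValidity();
            } catch (CertificateExpiredException | CertificateNotYetValidException again) {
                cache.invalidate(email);    // do not keep an invalid certificate around either
                throw new IOException("directory returned an invalid certificate for " + email, again);
            }
            return fresh;
        }
    }

    private X509Certificate load(String email) throws IOException {
        try {
            return cache.get(email);        // cache hit, or read-through to LDAP on a miss
        } catch (CompletionException e) {
            // Caffeine wraps checked exceptions thrown by the loader; unwrap so callers see the LDAP failure.
            if (e.getCause() instanceof IOException) {
                throw (IOException) e.getCause();
            }
            throw e;
        }
    }
}
```

Two caveats a deployment would want to decide explicitly: `checkValidity()` only covers the notBefore/notAfter window, so revocation checking (if any is required) has to happen outside the cache; and the hard expiry is the trade-off between the issue's "serve stale during an outage" goal and how old a certificate the tool is willing to encrypt to, so the 30-day figure above should be set deliberately rather than copied.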