3 Replies Latest reply on Sep 28, 2011 1:33 PM by claudio4j

    LDAP Cache

    claudio4j

      Hi, EPP 5.1.0 is used to authenticate users in an MS Active Directory, so far so good.


      However, if the user data (last name, group member) is modified in MSAD, this modification cannot be seen in MSAD.

      When the user logoff/login, the authentication data is retrieved from the cache.


      I waited for 42 minutes, the data always is retrieved from the cache.


      Is there a way to configure the cache to time out in 3 minutes?


      09:15:38,004 FINER [JBossCacheAPICacheProviderImpl] org.picketlink.idm.impl.cache.JBossCacheAPICacheProviderImpl@3c8e5bUser found in cache: id=claudio;namespace=idm_realm_portal
      09:15:38,004 FINER [JBossCacheAPICacheProviderImpl] org.picketlink.idm.impl.cache.JBossCacheAPICacheProviderImpl@3c8e5bAttributes search found in cache: attributes.size()=3; id=claudio;namespace=idm_realm_portal
      09:15:38,004 FINER [JBossCacheAPICacheProviderImpl] org.picketlink.idm.impl.cache.JBossCacheAPICacheProviderImpl@3c8e5bUser found in cache: id=claudio;namespace=idm_realm_portal
      09:15:38,004 FINER [LDAPIdentityStoreImpl] Method 'findIdentityObject' called with arguments: name; claudio; IdentityObjectType; SimpleIdentityObjectType{name='USER'}; 
      09:15:38,004 FINER [LDAPIdentityStoreImpl] Prepared LDAP Search ; contexts: [DC=testevm,DC=teste,DC=com]; filter: (&(sAMAccountName={0})(objectClass=user)); filter args: [claudio]; returning attributes: [sAMAccountName]; searchScope: subtree
      09:15:38,004 FINER [JBossCacheIdentityStoreCacheProviderImpl] org.picketlink.idm.impl.cache.JBossCacheIdentityStoreCacheProviderImpl@b2601Object found in cache: hash-173531055;namespace=PortalLDAPStore
      09:15:38,004 FINER [LDAPIdentityStoreImpl] LDAP search results found in cache. size=1
      
      
        • 1. Re: LDAP Cache
          claudio4j

          Found the solution.


          Disable the cache configuration in your picket-link configuration.


          So, disabling the cache will make the portal communicate with MSAD every time it needs user/group information or checks.


          Mine is:



          <realm>
            <id>idm_realm</id>
            <repository-id-ref>PortalRepository</repository-id-ref>
            <identity-type-mappings>
              <user-mapping>USER</user-mapping>
            </identity-type-mappings>
            <options>
              <option>
                <name>template</name>
                <value>true</value>
              </option>
              <!-- realm-level (API) cache disabled by commenting the option out -->
              <!--
              <option>
                <name>cache.providerRegistryName</name>
                <value>apiCacheProvider</value>
              </option>
              -->
            </options>
          </realm>

          <options>
            <option>
              <name>providerURL</name>
              <value>ldap://vmw2k3.testevm.teste.com:389</value>
            </option>
            ....
            <!-- identity-store-level cache disabled the same way -->
            <!--
            <option>
              <name>cache.providerRegistryName</name>
              <value>storeCacheProvider</value>
            </option>
            -->
          </options>
          </identity-store>

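The fix above works by removing the `cache.providerRegistryName` option from both the realm and the identity store. The following is an added example (not code from the thread or from PicketLink/EPP) that audits a PicketLink IDM configuration for exactly those options, so a practitioner can confirm the cache is really off before relying on the directory for group-membership or account-status changes. The configuration fragments embedded below are constructed for the example, the enclosing `<picketlink-idm-config>` root element is a placeholder, and the store id `PortalLDAPStore` is taken from the log namespace in the first post; only the `realm`, `identity-store`, `options`, `option`, `name`, `value` and `id` element names come from the page. Because the XML parser drops comments, a commented-out option is reported as absent, which is the state the fix leaves the file in.

```python
import xml.etree.ElementTree as ET

# Option name that enables the realm-level (API) cache and the
# identity-store-level cache in the configuration shown on the page.
CACHE_OPTION = "cache.providerRegistryName"


def _local(tag):
    """Strip an XML namespace prefix ('{urn:x}realm' -> 'realm') so the
    check also works on a namespaced configuration file."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, child):
    """Stripped text of the first direct child named `child`, or ''."""
    for c in elem:
        if _local(c.tag) == child:
            return (c.text or "").strip()
    return ""


def cache_providers(xml_text):
    """Return (element-kind, id, provider) for every realm / identity-store
    that still carries a cache.providerRegistryName option.
    Options inside <!-- --> are not seen by the parser, so commenting them
    out (the fix from the thread) makes them disappear from this list."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in ("realm", "identity-store"):
            continue
        ident = _text(elem, "id") or "<no id>"
        for opt in elem.iter():
            if _local(opt.tag) == "option" and _text(opt, "name") == CACHE_OPTION:
                hits.append((kind, ident, _text(opt, "value")))
    return hits


def audit(xml_text):
    """Human-readable findings: one line per cache that is still enabled."""
    return [
        f"{kind} '{ident}' uses cache provider '{provider}': attribute and "
        f"group-membership changes made in the directory are served from "
        f"cache until it expires or the server restarts"
        for kind, ident, provider in cache_providers(xml_text)
    ]


# Constructed configuration with both caches enabled (placeholder root element).
CACHED_CONFIG = """<picketlink-idm-config>
  <realm>
    <id>idm_realm</id>
    <repository-id-ref>PortalRepository</repository-id-ref>
    <options>
      <option><name>template</name><value>true</value></option>
      <option><name>cache.providerRegistryName</name><value>apiCacheProvider</value></option>
    </options>
  </realm>
  <identity-store>
    <id>PortalLDAPStore</id>
    <options>
      <option><name>providerURL</name><value>ldap://vmw2k3.testevm.teste.com:389</value></option>
      <option><name>cache.providerRegistryName</name><value>storeCacheProvider</value></option>
    </options>
  </identity-store>
</picketlink-idm-config>
"""

# Same file after applying the fix from the thread: both options commented out.
UNCACHED_CONFIG = CACHED_CONFIG.replace(
    "<option><name>cache.providerRegistryName</name><value>apiCacheProvider</value></option>",
    "<!-- <option><name>cache.providerRegistryName</name><value>apiCacheProvider</value></option> -->",
).replace(
    "<option><name>cache.providerRegistryName</name><value>storeCacheProvider</value></option>",
    "<!-- <option><name>cache.providerRegistryName</name><value>storeCacheProvider</value></option> -->",
)


if __name__ == "__main__":
    for label, cfg in (("before fix", CACHED_CONFIG), ("after fix", UNCACHED_CONFIG)):
        findings = audit(cfg)
        print(f"{label}: {len(findings)} cache(s) enabled")
        for line in findings:
            print("  -", line)
```

Run it against the real `picketlink-*-config.xml`: read the file into a string and pass it to `audit()`; an empty result means neither cache is configured and every lookup goes to the directory, as the first reply describes. Keep in mind that the tradeoff is load on the LDAP server, so on an upgraded EPP where the cache does expire, a short timeout may be preferable to disabling it.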

          • 2. Re: LDAP Cache
            mposolda

            Hi Claudio,


            it's caused by the https://issues.jboss.org/browse/JBEPP-893 (or https://issues.jboss.org/browse/GTNPORTAL-1866 at GateIn). As you can see in Jira, you can update from EPP 5.1.0 to EPP 5.1.1 or 5.2.0 and it should fix your problem.


            Marek

            • 3. Re: LDAP Cache
              claudio4j

              Hi Marek, I configured EPP 5.1.1 to authenticate in MSAD (using the same picketlink-msad-testevm-config.xml as of EPP 5.1.0).


              Started EPP, logged in as root, went to user management view. Went to MSAD, changed the emails of a user, waited 120s (as defined in jboss-cache.xml), but the change is not displayed in the EPP user management view.


              Have restarted EPP 5.1.1 and now the changes are correctly displayed in EPP user management view. So I need to disable the LDAP cache.


              Can you test it? I am using MS Active Directory as LDAP.