Posted to oak-commits@jackrabbit.apache.org by ba...@apache.org on 2020/05/06 12:53:48 UTC
svn commit: r1877435 - in /jackrabbit/oak/trunk: oak-auth-ldap/
oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/
oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/
oak-doc/sr...
Author: baedke
Date: Wed May 6 12:53:48 2020
New Revision: 1877435
URL: http://svn.apache.org/viewvc?rev=1877435&view=rev
Log:
OAK-8890: LDAP login may fail if a server or intermediate silently drops connections
Added config options to use the pools' idle object eviction tasks.
Modified:
jackrabbit/oak/trunk/oak-auth-ldap/pom.xml
jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md
Modified: jackrabbit/oak/trunk/oak-auth-ldap/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/pom.xml?rev=1877435&r1=1877434&r2=1877435&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/pom.xml Wed May 6 12:53:48 2020
@@ -36,7 +36,7 @@
<!-- enable execution of jacoco and set minimal line coverage -->
<skip.coverage>false</skip.coverage>
<minimum.line.coverage>0.86</minimum.line.coverage>
- <minimum.branch.coverage>0.75</minimum.branch.coverage>
+ <minimum.branch.coverage>0.74</minimum.branch.coverage>
</properties>
<build>
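Review bot: Lowering the branch-coverage gate from 0.75 to 0.74 hides that the new null-check branches in `LdapProviderConfig.of` are untested instead of covering them; a test that builds the config with the defaults (and one with an unparsable duration) would keep the threshold where it was. If the gate is nevertheless lowered, record why next to it, e.g. `<!-- lowered for OAK-8890: Milliseconds.of null branches in LdapProviderConfig.of are not yet covered -->`, so the number does not drift further without anyone noticing.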
Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java?rev=1877435&r1=1877434&r2=1877435&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java Wed May 6 12:53:48 2020
@@ -540,6 +540,9 @@ public class LdapIdentityProvider implem
adminPool.setTestOnBorrow(true);
adminPool.setMaxTotal(config.getAdminPoolConfig().getMaxActive());
adminPool.setBlockWhenExhausted(true);
+ adminPool.setMinEvictableIdleTimeMillis(config.getAdminPoolConfig().getMinEvictableIdleTimeMillis());
+ adminPool.setTimeBetweenEvictionRunsMillis(config.getAdminPoolConfig().getTimeBetweenEvictionRunsMillis());
+ adminPool.setNumTestsPerEvictionRun(config.getAdminPoolConfig().getNumTestsPerEvictionRun());
}
// setup unbound connection pool. let's create a new version of the config
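Review bot: The evictor configured here only discards connections by idle age; it never validates the idle connections it samples, because `setTestWhileIdle` is not enabled, so a connection that a firewall silently dropped before `minEvictableIdleTime` elapses is still handed out and fails on first use (the `testOnBorrow` at the top of the hunk is then the only check, and what it actually exercises depends on the factory's validate logic, which is outside this hunk). Add `adminPool.setTestWhileIdle(true);` next to the three new setters so each eviction run also validates the sampled connections, and a why-comment such as `// evictor is inert until timeBetweenEvictionRuns > 0 (default -1); see OAK-8890` so readers do not assume the defaults fix the issue. The enclosing method starts and ends outside the hunk.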
@@ -556,6 +559,9 @@ public class LdapIdentityProvider implem
userPool.setTestOnBorrow(true);
userPool.setMaxTotal(config.getUserPoolConfig().getMaxActive());
userPool.setBlockWhenExhausted(true);
+ userPool.setMinEvictableIdleTimeMillis(config.getUserPoolConfig().getMinEvictableIdleTimeMillis());
+ userPool.setTimeBetweenEvictionRunsMillis(config.getUserPoolConfig().getTimeBetweenEvictionRunsMillis());
+ userPool.setNumTestsPerEvictionRun(config.getUserPoolConfig().getNumTestsPerEvictionRun());
}
log.info("LdapIdentityProvider initialized: {}", config);
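Review bot: Same gap as for the admin pool: `setTestWhileIdle` is not enabled, so the user-pool evictor only ages out idle connections and does not detect ones already dropped by an intermediate; add `userPool.setTestWhileIdle(true);` after `setNumTestsPerEvictionRun`. The `log.info` of the whole `config` at the end of the hunk now also prints the new pool settings, which is fine as long as `LdapProviderConfig.toString()` continues to mask the bind password — that method is not visible here, so please confirm. The enclosing method starts before the hunk.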
Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java?rev=1877435&r1=1877434&r2=1877435&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java Wed May 6 12:53:48 2020
@@ -205,6 +205,51 @@ public class LdapProviderConfig {
public static final String PARAM_ADMIN_POOL_LOOKUP_ON_VALIDATE = "adminPool.lookupOnValidate";
/**
+ * @see PoolConfig#getMinEvictableIdleTimeMillis()
+ */
+ public static final String PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME_DEFAULT = "-1";
+
+ /**
+ * @see PoolConfig#getMinEvictableIdleTimeMillis()
+ */
+ @Property(
+ label = "Admin pool min evictable idle time",
+ description = "The minimum amount of time a connection from the admin pool must be idle before becoming eligible for eviction by the idle object evictor, if running (eg: '1m 30s'). When non-positive, no connections will be evicted from the pool due to idle time alone.",
+ value = PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME_DEFAULT
+ )
+ public static final String PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME = "adminPool.minEvictableIdleTime";
+
+ /**
+ * @see PoolConfig#getTimeBetweenEvictionRunsMillis()
+ */
+ public static final String PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS_DEFAULT = "-1";
+
+ /**
+ * @see PoolConfig#getTimeBetweenEvictionRunsMillis()
+ */
+ @Property(
+ label = "Time interval to sleep between evictor runs for the admin pool",
+ description = "Time interval to sleep between runs of the idle object evictor thread for the admin pool (eg: '1m 30s'). When non-positive, no idle object evictor thread will be run.",
+ value = PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS_DEFAULT
+ )
+ public static final String PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS = "adminPool.timeBetweenEvictionRuns";
+
+ /**
+ * @see PoolConfig#getNumTestsPerEvictionRun()
+ */
+ public static final int PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT = 3;
+
+ /**
+ * @see PoolConfig#getNumTestsPerEvictionRun()
+ */
+ @Property(
+ label = "Max number of objects to be tested per run of the idle object evictor for the admin pool",
+ description = "The max number of objects to examine during each run of the idle object evictor thread for the admin pool (if any)",
+ intValue = PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT
+ )
+ public static final String PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN = "adminPool.numTestsPerEvictionRun";
+
+ /**
* @see PoolConfig#getMaxActive()
*/
public static final int PARAM_USER_POOL_MAX_ACTIVE_DEFAULT = 8;
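Review bot: With both time defaults at "-1" the idle-object evictor never starts, so OAK-8890 remains unfixed on any installation that does not change its configuration, and the `@Property` descriptions only say this indirectly via "when non-positive". Suggest extending the `adminPool.timeBetweenEvictionRuns` description with `Disabled by default (-1). To work around intermediates that silently drop idle connections, set this and the min evictable idle time to values shorter than the idle timeout of any firewall or load balancer between Oak and the LDAP server.` The same wording applies to the user-pool constants added in the next hunk.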
@@ -235,6 +280,51 @@ public class LdapProviderConfig {
public static final String PARAM_USER_POOL_LOOKUP_ON_VALIDATE = "userPool.lookupOnValidate";
/**
+ * @see PoolConfig#getMinEvictableIdleTimeMillis()
+ */
+ public static final String PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME_DEFAULT = "-1";
+
+ /**
+ * @see PoolConfig#getMinEvictableIdleTimeMillis()
+ */
+ @Property(
+ label = "User pool min evictable idle time",
+ description = "The minimum amount of time a connection from the user pool must be idle before becoming eligible for eviction by the idle object evictor, if running (eg: '1m 30s'). When non-positive, no connections will be evicted from the pool due to idle time alone.",
+ value = PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME_DEFAULT
+ )
+ public static final String PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME = "userPool.minEvictableIdleTime";
+
+ /**
+ * @see PoolConfig#getTimeBetweenEvictionRunsMillis()
+ */
+ public static final String PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS_DEFAULT = "-1";
+
+ /**
+ * @see PoolConfig#getTimeBetweenEvictionRunsMillis()
+ */
+ @Property(
+ label = "Time interval to sleep between evictor runs for the user pool",
+ description = "Time interval to sleep between runs of the idle object evictor thread for the user pool (eg: '1m 30s'). When non-positive, no idle object evictor thread will be run.",
+ value = PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS_DEFAULT
+ )
+ public static final String PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS = "userPool.timeBetweenEvictionRuns";
+
+ /**
+ * @see PoolConfig#getNumTestsPerEvictionRun()
+ */
+ public static final int PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT = 3;
+
+ /**
+ * @see PoolConfig#getNumTestsPerEvictionRun()
+ */
+ @Property(
+ label = "Max number of objects to be tested per run of the idle object evictor for the user pool",
+ description = "The max number of objects to examine during each run of the idle object evictor thread for the user pool (if any)",
+ intValue = PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT
+ )
+ public static final String PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN = "userPool.numTestsPerEvictionRun";
+
+ /**
* @see Identity#getBaseDN()
*/
public static final String PARAM_USER_BASE_DN_DEFAULT = "ou=people,o=example,dc=com";
@@ -619,14 +709,17 @@ public class LdapProviderConfig {
}
/**
- * Defines the configuration of a connection pool. Currently we only define the max size.
+ * Defines the configuration of a connection pool. Currently we do not support all
+ * available configuration options of the pool implementation.
* (documentation copied from {@link org.apache.commons.pool2.impl.GenericObjectPool})
*/
public static class PoolConfig {
private int maxActiveSize;
-
private boolean lookupOnValidate;
+ private long minEvictableIdleTimeMillis;
+ private long timeBetweenEvictionRunsMillis;
+ private int numTestsPerEvictionRun;
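Review bot: The three new fields are left at their Java zero defaults, which differ from the declared property defaults (-1, -1 and 3): a `PoolConfig` built programmatically, or one where `Milliseconds.of` yields null in the parsing hunk below, ends up with `numTestsPerEvictionRun = 0`, so an evictor later enabled through `setTimeBetweenEvictionRunsMillis` examines nothing per run and silently evicts nothing. Initialise them to match the constants: `private long minEvictableIdleTimeMillis = -1;`, `private long timeBetweenEvictionRunsMillis = -1;`, `private int numTestsPerEvictionRun = 3;`. The class body continues past the end of the hunk.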
/**
* Returns the maximum number of objects that can be allocated by the pool
@@ -678,11 +771,93 @@ public class LdapProviderConfig {
return this;
}
+ /**
+ * Returns the minimum amount of time a connection may sit idle in the pool
+ * before it is eligible for eviction by the idle object evictor
+ * (if running). When non-positive, no connections will be evicted from the pool due to idle time alone.
+ *
+ * @return minimum amount of time a connection may sit idle in the pool before it is eligible for eviction.
+ */
+ public long getMinEvictableIdleTimeMillis() { return minEvictableIdleTimeMillis; }
+
+ /**
+ * Sets the minimum amount of time a connection may sit idle in the pool
+ * before it is eligible for eviction by the idle object evictor
+ * (if any).
+ * When non-positive, no connections will be evicted from the pool
+ * due to idle time alone.
+ *
+ * @param minEvictableIdleTimeMillis minimum amount of time a connection may sit idle in the pool before
+ * it is eligible for eviction.
+ * @return this
+ */
+ public PoolConfig setMinEvictableIdleTimeMillis(long minEvictableIdleTimeMillis) {
+ this.minEvictableIdleTimeMillis = minEvictableIdleTimeMillis;
+ return this;
+ }
+
+ /**
+ * Returns the number of milliseconds to sleep between runs of the
+ * idle object evictor thread.
+ * When non-positive, no idle object evictor thread will be
+ * run.
+ *
+ * @return number of milliseconds to sleep between evictor runs.
+ */
+ public long getTimeBetweenEvictionRunsMillis() { return timeBetweenEvictionRunsMillis; }
+
+ /**
+ * Sets the number of milliseconds to sleep between runs of the
+ * idle object evictor thread.
+ * When non-positive, no idle object evictor thread will be
+ * run.
+ *
+ * @param timeBetweenEvictionRunsMillis number of milliseconds to sleep between evictor runs.
+ * @return this
+ */
+ public PoolConfig setTimeBetweenEvictionRunsMillis(long timeBetweenEvictionRunsMillis) {
+ this.timeBetweenEvictionRunsMillis = timeBetweenEvictionRunsMillis;
+ return this;
+ }
+
+ /**
+ * Returns the max number of objects to examine during each run of the
+ * idle object evictor thread (if any).
+ *
+ * @return max number of objects to examine during each evictor run.
+ * @see #setNumTestsPerEvictionRun
+ * @see #setTimeBetweenEvictionRunsMillis
+ */
+ public int getNumTestsPerEvictionRun() { return numTestsPerEvictionRun; }
+
+ /**
+ * Sets the max number of objects to examine during each run of the
+ * idle object evictor thread (if any).
+ * <p>
+ * When a negative value is supplied, <tt>ceil(number of idle objects)/abs({@link #getNumTestsPerEvictionRun})</tt>
+ * tests will be run. That is, when the value is <i>-n</i>, roughly one <i>n</i>th of the
+ * idle objects will be tested per run. When the value is positive, the number of tests
+ * actually performed in each run will be the minimum of this value and the number of instances
+ * idle in the pool.
+ *
+ * @param numTestsPerEvictionRun max number of objects to examine during each evictor run.
+ * @see #getNumTestsPerEvictionRun
+ * @see #setTimeBetweenEvictionRunsMillis
+ * @return this
+ */
+ public PoolConfig setNumTestsPerEvictionRun(int numTestsPerEvictionRun) {
+ this.numTestsPerEvictionRun = numTestsPerEvictionRun;
+ return this;
+ }
+
@Override
public String toString() {
final StringBuilder sb = new StringBuilder("PoolConfig{");
sb.append("maxActiveSize=").append(maxActiveSize);
sb.append(", lookupOnValidate=").append(lookupOnValidate);
+ sb.append(", minEvictableIdleTimeMillis=").append(minEvictableIdleTimeMillis);
+ sb.append(", timeBetweenEvictionRunsMillis=").append(timeBetweenEvictionRunsMillis);
+ sb.append(", numTestsPerEvictionRun=").append(numTestsPerEvictionRun);
sb.append('}');
return sb.toString();
}
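Review bot: The formula in the `setNumTestsPerEvictionRun` Javadoc is mis-parenthesised — `ceil(number of idle objects)/abs({@link #getNumTestsPerEvictionRun})` should read `ceil(number of idle objects / abs(numTestsPerEvictionRun))`, which is what the following sentence ("roughly one n-th of the idle objects") describes. `<tt>` is obsolete HTML in Javadoc; `{@code ...}` is the idiom this class already uses alongside `{@link ...}`. The single-line getters `public long getMinEvictableIdleTimeMillis() { return minEvictableIdleTimeMillis; }` also break the brace style of the surrounding methods in the same class; expanding them to the usual three-line form keeps the file consistent.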
@@ -726,13 +901,31 @@ public class LdapProviderConfig {
.setObjectClasses(params.getConfigValue(PARAM_GROUP_OBJECTCLASS, PARAM_GROUP_OBJECTCLASS_DEFAULT))
.setMakeDnPath(params.getConfigValue(PARAM_GROUP_MAKE_DN_PATH, PARAM_GROUP_MAKE_DN_PATH_DEFAULT));
+ ConfigurationParameters.Milliseconds msMeitAdmin = ConfigurationParameters.Milliseconds.of(params.getConfigValue(PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME, PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME_DEFAULT));
+ ConfigurationParameters.Milliseconds msTberAdmin = ConfigurationParameters.Milliseconds.of(params.getConfigValue(PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS, PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS_DEFAULT));
cfg.getAdminPoolConfig()
.setLookupOnValidate(params.getConfigValue(PARAM_ADMIN_POOL_LOOKUP_ON_VALIDATE, PARAM_ADMIN_POOL_LOOKUP_ON_VALIDATE_DEFAULT))
- .setMaxActive(params.getConfigValue(PARAM_ADMIN_POOL_MAX_ACTIVE, PARAM_ADMIN_POOL_MAX_ACTIVE_DEFAULT));
+ .setMaxActive(params.getConfigValue(PARAM_ADMIN_POOL_MAX_ACTIVE, PARAM_ADMIN_POOL_MAX_ACTIVE_DEFAULT))
+ .setNumTestsPerEvictionRun(params.getConfigValue(PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN, PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT));
+ if (msMeitAdmin != null) {
+ cfg.getAdminPoolConfig().setMinEvictableIdleTimeMillis(msMeitAdmin.value);
+ }
+ if (msTberAdmin != null) {
+ cfg.getAdminPoolConfig().setTimeBetweenEvictionRunsMillis(msTberAdmin.value);
+ }
+ ConfigurationParameters.Milliseconds msMeitUser = ConfigurationParameters.Milliseconds.of(params.getConfigValue(PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME, PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME_DEFAULT));
+ ConfigurationParameters.Milliseconds msTberUser = ConfigurationParameters.Milliseconds.of(params.getConfigValue(PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS, PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS_DEFAULT));
cfg.getUserPoolConfig()
.setLookupOnValidate(params.getConfigValue(PARAM_USER_POOL_LOOKUP_ON_VALIDATE, PARAM_USER_POOL_LOOKUP_ON_VALIDATE_DEFAULT))
- .setMaxActive(params.getConfigValue(PARAM_USER_POOL_MAX_ACTIVE, PARAM_USER_POOL_MAX_ACTIVE_DEFAULT));
+ .setMaxActive(params.getConfigValue(PARAM_USER_POOL_MAX_ACTIVE, PARAM_USER_POOL_MAX_ACTIVE_DEFAULT))
+ .setNumTestsPerEvictionRun(params.getConfigValue(PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN, PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT));
+ if (msMeitUser != null) {
+ cfg.getUserPoolConfig().setMinEvictableIdleTimeMillis(msMeitUser.value);
+ }
+ if (msTberUser != null) {
+ cfg.getUserPoolConfig().setTimeBetweenEvictionRunsMillis(msTberUser.value);
+ }
return cfg;
}
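Review bot: When `ConfigurationParameters.Milliseconds.of` returns null for either duration the setter is simply skipped, so a mistyped value such as `1m3Os` (and, if the parser rejects negative input, the "-1" default itself) is indistinguishable from an intentionally disabled evictor and leaves the field at its zero default rather than the documented -1. Log the rejection in an `else` branch of each null check, e.g. `log.warn("Ignoring unparsable duration for {}", PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME);` — assuming a logger exists in this class, which is not visible in the hunk. Whether `of` accepts "-1" cannot be confirmed from here; a unit test of the defaults would settle it.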
Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java?rev=1877435&r1=1877434&r2=1877435&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java Wed May 6 12:53:48 2020
@@ -66,9 +66,19 @@ public class LdapProviderConfigTest {
boolean testAdminPoolLookupOnValidate = !LdapProviderConfig.PARAM_ADMIN_POOL_LOOKUP_ON_VALIDATE_DEFAULT;
int testAdminPoolMaxActive = LdapProviderConfig.PARAM_ADMIN_POOL_MAX_ACTIVE_DEFAULT + 1;
+ String testAdminPoolMinEvictableIdleTime = "2d 2h 2m 2s 2ms";
+ long testAdminPoolMinEvictableIdleTimeMs = 2 * (1 + 1000 * (1 + 60 * (1 + 60 * (1 + 24))));
+ String testAdminPoolTimeBetweenEvictionRuns = "3d 3h 3m 3s 3ms";
+ long testAdminPoolTimeBetweenEvictionRunsMs = 3 * (1 + 1000 * (1 + 60 * (1 + 60 * (1 + 24))));
+ int testAdminPoolNumTestsPerEvictionRun = LdapProviderConfig.PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT + 1;
boolean testUserPoolLookupOnValidate = !LdapProviderConfig.PARAM_USER_POOL_LOOKUP_ON_VALIDATE_DEFAULT;
int testUserPoolMaxActive = LdapProviderConfig.PARAM_USER_POOL_MAX_ACTIVE_DEFAULT + 2;
+ String testUserPoolMinEvictableIdleTime = "4d 4h 4m 4s 4ms";
+ long testUserPoolMinEvictableIdleTimeMs = 4 * (1 + 1000 * (1 + 60 * (1 + 60 * (1 + 24))));
+ String testUserPoolTimeBetweenEvictionRuns = "5d 5h 5m 5s 5ms";
+ long testUserPoolTimeBetweenEvictionRunsMs = 5 * (1 + 1000 * (1 + 60 * (1 + 60 * (1 + 24))));
+ int testUserPoolNumTestsPerEvictionRun = LdapProviderConfig.PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT + 2;
String testUserBaseDn = "ou=people,dc=org";
String[] testUserObjectClass = new String[] {"inetOrgPerson"};
@@ -97,9 +107,15 @@ public class LdapProviderConfigTest {
params.put(LdapProviderConfig.PARAM_ADMIN_POOL_LOOKUP_ON_VALIDATE, testAdminPoolLookupOnValidate);
params.put(LdapProviderConfig.PARAM_ADMIN_POOL_MAX_ACTIVE, testAdminPoolMaxActive);
+ params.put(LdapProviderConfig.PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME, testAdminPoolMinEvictableIdleTime);
+ params.put(LdapProviderConfig.PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS, testAdminPoolTimeBetweenEvictionRuns);
+ params.put(LdapProviderConfig.PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN, testAdminPoolNumTestsPerEvictionRun);
params.put(LdapProviderConfig.PARAM_USER_POOL_LOOKUP_ON_VALIDATE, testUserPoolLookupOnValidate);
params.put(LdapProviderConfig.PARAM_USER_POOL_MAX_ACTIVE, testUserPoolMaxActive);
+ params.put(LdapProviderConfig.PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME, testUserPoolMinEvictableIdleTime);
+ params.put(LdapProviderConfig.PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS, testUserPoolTimeBetweenEvictionRuns);
+ params.put(LdapProviderConfig.PARAM_USER_POOL_NUM_TESTS_PER_EVICTION_RUN, testUserPoolNumTestsPerEvictionRun);
params.put(LdapProviderConfig.PARAM_USER_BASE_DN, testUserBaseDn);
params.put(LdapProviderConfig.PARAM_USER_OBJECTCLASS, testUserObjectClass);
@@ -130,10 +146,16 @@ public class LdapProviderConfigTest {
LdapProviderConfig.PoolConfig adminPoolConfig = config.getAdminPoolConfig();
assertEquals(testAdminPoolLookupOnValidate, adminPoolConfig.lookupOnValidate());
assertEquals(testAdminPoolMaxActive, adminPoolConfig.getMaxActive());
+ assertEquals(testAdminPoolMinEvictableIdleTimeMs, adminPoolConfig.getMinEvictableIdleTimeMillis());
+ assertEquals(testAdminPoolTimeBetweenEvictionRunsMs, adminPoolConfig.getTimeBetweenEvictionRunsMillis());
+ assertEquals(testAdminPoolNumTestsPerEvictionRun, adminPoolConfig.getNumTestsPerEvictionRun());
LdapProviderConfig.PoolConfig userPoolConfig = config.getUserPoolConfig();
assertEquals(testUserPoolLookupOnValidate, userPoolConfig.lookupOnValidate());
assertEquals(testUserPoolMaxActive, userPoolConfig.getMaxActive());
+ assertEquals(testUserPoolMinEvictableIdleTimeMs, userPoolConfig.getMinEvictableIdleTimeMillis());
+ assertEquals(testUserPoolTimeBetweenEvictionRunsMs, userPoolConfig.getTimeBetweenEvictionRunsMillis());
+ assertEquals(testUserPoolNumTestsPerEvictionRun, userPoolConfig.getNumTestsPerEvictionRun());
LdapProviderConfig.Identity userConfig = config.getUserConfig();
assertEquals(testUserBaseDn, userConfig.getBaseDN());
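Review bot: The new assertions only cover explicitly set, well-formed durations; nothing checks that the defaults ("-1", "-1", 3) survive parsing and leave the evictor disabled, which is the path every existing deployment takes after this change, nor what happens on an unparsable string. Add a case that builds the config without the new parameters and asserts `assertTrue(adminPoolConfig.getTimeBetweenEvictionRunsMillis() <= 0);` and `assertEquals(LdapProviderConfig.PARAM_ADMIN_POOL_NUM_TESTS_PER_EVICTION_RUN_DEFAULT, adminPoolConfig.getNumTestsPerEvictionRun());`, and mirror it for the user pool. The test method starts before the hunk.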
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md?rev=1877435&r1=1877434&r2=1877435&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md Wed May 6 12:53:48 2020
@@ -74,34 +74,40 @@ Oak repository:
The LDAP IPDs are configured through the [org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig]
which is populated either via OSGi or during manual [Repository Construction](../../construct.html).
-| Name | Property | Description |
-|-------------------------------|-------------------------|------------------------------------------|
-| LDAP Provider Name | `provider.name` | Name of this LDAP provider configuration. This is used to reference this provider by the login modules. |
-| Bind DN | `bind.dn` | DN of the user for authentication. Leave empty for anonymous bind. |
-| Bind Password | `bind.password` | Password of the user for authentication. |
-| LDAP Server Hostname | `host.name` | Hostname of the LDAP server |
-| Disable certificate checking | `host.noCertCheck` | Indicates if server certificate validation should be disabled. |
-| LDAP Server Port | `host.port` | Port of the LDAP server |
-| Use SSL | `host.ssl` | Indicates if an SSL (LDAPs) connection should be used. |
-| Use TLS | `host.tls` | Indicates if TLS should be started on connections. |
-| Search Timeout | `searchTimeout` | Time in until a search times out (eg: '1s' or '1m 30s'). |
-| Admin pool max active | `adminPool.maxActive` | The max active size of the admin connection pool. When non-positive, there is no limit to the number of objects that can be managed by the pool at one time. A value of 0 disables this pool. |
-| Admin pool lookup on validate | `adminPool.lookupOnValidate` | Indicates an ROOT DSE lookup is performed to test if the connection is still valid when taking it out of the admin pool. |
-| User pool max active | `userPool.maxActive` | The max active size of the user connection pool. When non-positive, there is no limit to the number of objects that can be managed by the pool at one time. A value of 0 disables this pool. |
-| User pool lookup on validate | `userPool.lookupOnValidate` | Indicates an ROOT DSE lookup is performed to test if the connection is still valid when taking it out of the user pool. |
-| User base DN | `user.baseDN` | The base DN for user searches. |
-| User extra filter | `user.extraFilter` | Extra LDAP filter to use when searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)` |
-| User id attribute | `user.idAttribute` | Name of the attribute that contains the user id. |
-| User DN paths | `user.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. |
-| User object classes | `user.objectclass` | The list of object classes an user entry must contain. |
-| Group base DN | `group.baseDN` | The base DN for group searches. |
-| Group extra filter | `group.extraFilter` | Extra LDAP filter to use when searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)` |
-| Group DN paths | `group.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. |
-| Group member attribute | `group.memberAttribute` | Group attribute that contains the member(s) of a group. |
-| Group name attribute | `group.nameAttribute` | Name of the attribute that contains the group name. |
-| Group object classes | `group.objectclass` | The list of object classes a group entry must contain. |
-| Use user id for external ids | `useUidForExtId` | If enabled, the value of the user id (resp. group name) attribute will be used to create external identifiers. Leave disabled to use the DN instead. |
-| Custom Attributes | `customattributes` | Attributes retrieved when looking up LDAP entries. Leave empty to retrieve all attributes. |
+| Name | Property | Description |
+|------------------------------------|-------------------------------------------|------------------------------------------|
+| LDAP Provider Name | `provider.name` | Name of this LDAP provider configuration. This is used to reference this provider by the login modules. |
+| Bind DN | `bind.dn` | DN of the user for authentication. Leave empty for anonymous bind. |
+| Bind Password | `bind.password` | Password of the user for authentication. |
+| LDAP Server Hostname | `host.name` | Hostname of the LDAP server |
+| Disable certificate checking | `host.noCertCheck` | Indicates if server certificate validation should be disabled. |
+| LDAP Server Port | `host.port` | Port of the LDAP server |
+| Use SSL | `host.ssl` | Indicates if an SSL (LDAPs) connection should be used. |
+| Use TLS | `host.tls` | Indicates if TLS should be started on connections. |
+| Search Timeout | `searchTimeout` | Time in until a search times out (eg: '1s' or '1m 30s'). |
+| Admin pool max active | `adminPool.maxActive` | The max active size of the admin connection pool. When non-positive, there is no limit to the number of objects that can be managed by the pool at one time. A value of 0 disables this pool. |
+| Admin pool lookup on validate | `adminPool.lookupOnValidate` | Indicates an ROOT DSE lookup is performed to test if the connection is still valid when taking it out of the admin pool. |
+| Admin pool min evictable idle time | `adminPool.minEvictableIdleTime` | The minimum amount of time a connection from the admin pool must be idle before becoming eligible for eviction by the idle object evictor, if running (eg: '1m 30s'). When non-positive, no connections will be evicted from the pool due to idle time alone. |
+| Admin pool eviction run interval | `adminPool.timeBetweenEvictionRuns` | Time interval to sleep between runs of the idle object evictor thread for the admin pool (eg: '1m 30s'). When non-positive, no idle object evictor thread will be run. |
+| Admin pool tests per eviction run | `adminPool.numTestsPerEvictionRun` | The maximum number of objects to be examined during a single eviction run of the admin pool. |
+| User pool max active | `userPool.maxActive` | The max active size of the user connection pool. When non-positive, there is no limit to the number of objects that can be managed by the pool at one time. A value of 0 disables this pool. |
+| User pool lookup on validate | `userPool.lookupOnValidate` | Indicates an ROOT DSE lookup is performed to test if the connection is still valid when taking it out of the user pool. |
+| User pool min evictable idle time | `userPool.minEvictableIdleTime` | The minimum amount of time a connection from the user pool must be idle before becoming eligible for eviction by the idle object evictor, if running (eg: '1m 30s'). When non-positive, no connections will be evicted from the pool due to idle time alone. |
+| User pool eviction run interval | `userPool.timeBetweenEvictionRuns` | Time interval to sleep between runs of the idle object evictor thread for the user pool (eg: '1m 30s'). When non-positive, no idle object evictor thread will be run. |
+| User pool tests per eviction run | `userPool.numTestsPerEvictionRun` | The maximum number of objects to be examined during a single eviction run of the user pool. |
+| User base DN | `user.baseDN` | The base DN for user searches. |
+| User extra filter | `user.extraFilter` | Extra LDAP filter to use when searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)` |
+| User id attribute | `user.idAttribute` | Name of the attribute that contains the user id. |
+| User DN paths | `user.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. |
+| User object classes | `user.objectclass` | The list of object classes an user entry must contain. |
+| Group base DN | `group.baseDN` | The base DN for group searches. |
+| Group extra filter | `group.extraFilter` | Extra LDAP filter to use when searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)` |
+| Group DN paths | `group.makeDnPath` | Controls if the DN should be used for calculating a portion of the intermediate path. |
+| Group member attribute | `group.memberAttribute` | Group attribute that contains the member(s) of a group. |
+| Group name attribute | `group.nameAttribute` | Name of the attribute that contains the group name. |
+| Group object classes | `group.objectclass` | The list of object classes a group entry must contain. |
+| Use user id for external ids | `useUidForExtId` | If enabled, the value of the user id (resp. group name) attribute will be used to create external identifiers. Leave disabled to use the DN instead. |
+| Custom Attributes | `customattributes` | Attributes retrieved when looking up LDAP entries. Leave empty to retrieve all attributes. |
| | | |
#### SyncHandler and External Login Module