Posted to user@karaf.apache.org by Maurice Betzel <m....@gaston-schul.com> on 2023/02/21 08:09:23 UTC

Karaf LDAP without blueprint

Dear community,

I am building a new custom Karaf assembly and would like to avoid installing aries blueprint just for creating an LDAP login module.
Does anybody have any experience with alternatives like declarative services or low-level activator setup willing to share the knowledge?

Kind regards,
Maurice Betzel
Principal Software Engineer

All our transactions are subject to the General Conditions of the Belgian Forwarders Association, which have been published under nr. 0090237 in the "Bijlage tot het Belgisch Staatsblad" dated June 24th, 2005, and are available free of charge upon request.
Email confidentiality notice:
This email and any files transmitted with it are confidential and intended only for the use of the recipient. If you have received this email in error please notify its sender.


Re: Karaf LDAP without blueprint

Posted by Paul McCulloch <pk...@gmail.com>.
This is all Karaf 4.1.1 - sorry for not mentioning this earlier.


RE: Karaf LDAP without blueprint

Posted by Maurice Betzel <m....@gaston-schul.com>.
Update, I got it working so far.

I mixed up the ProxyLoginModule with the org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.
For those searching the same issue, look at how org.apache.karaf.jaas.modules.impl.KarafRealm is creating the AppConfigurationEntry collection.
The OSGi JAAS module goes into the options, not into the AppConfigurationEntry constructor.

From: Maurice Betzel <m....@gaston-schul.com>
Sent: Thursday, 23 February 2023 10:48
To: user@karaf.apache.org
Subject: RE: Karaf LDAP without blueprint


Update,

Javax is not able to invoke login on the Karaf LDAP module because it cannot find it:

javax.security.auth.login.LoginException: No LoginModule found for org.apache.karaf.jaas.modules.ldap.LDAPLoginModule

Do I have to register the Karaf JAAS modules anywhere or how can I make javax.security.auth.login find org.apache.karaf.jaas.modules.ldap.LDAPLoginModule?


From: Maurice Betzel <m....@gaston-schul.com>
Sent: Thursday, 23 February 2023 09:59
To: user@karaf.apache.org
Subject: RE: Karaf LDAP without blueprint


Hi,

My DS JAAS bundle is active, but I cannot perform an SSH login and no exceptions are thrown, so I am guessing no configured Karaf LDAP JAAS module is active.

I am creating a list of type AppConfigurationEntry and add a new one with params:

org.apache.karaf.jaas.modules.ldap.LDAPLoginModule,
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
and the LDAP options Map from the blueprint setup.

What am I missing?

From: Matt Pavlovich <ma...@gmail.com>
Sent: Wednesday, 22 February 2023 21:03
To: user@karaf.apache.org
Subject: Re: Karaf LDAP without blueprint


Hi Paul-

Thanks for the input. Yep, I’m seeing the same thing. There needs to be a class-level lock that operations are synchronized on, and not rely on class-static cache and method synchronization.

I made a JIRA to track: https://issues.apache.org/jira/browse/KARAF-7671

-Matt Pavlovich

On Feb 21, 2023, at 12:01 PM, Paul McCulloch <pk...@gmail.com> wrote:

Matt,
From memory (& less than stellar comments) I believe the issue is in concurrent access to getCache() & clear()

    public static LDAPCache getCache(LDAPOptions options) {
        LDAPCache cache = CACHES.get(options);
        if (cache == null) {
            CACHES.putIfAbsent(options, new LDAPCache(options));
            cache = CACHES.get(options);
        }
        return cache;
    }

If clear() is called by another thread between the putIfAbsent() and get() then null is returned.

A second issue (and this is just from memory & Karaf code review, so I may be mistaken) is that the LDAP cache is cleared in LDAPLoginModule.initialize(), but this method is called every time a user authenticates - so the cache is never used.

Paul


On Tue, 21 Feb 2023 at 15:27, Matt Pavlovich <ma...@gmail.com> wrote:
Paul-

What issues have you found with the LDAP caching module? Please share, so I can open a JIRA and fix it.

Thanks!
Matt Pavlovich

On Feb 21, 2023, at 4:42 AM, Paul McCulloch <pk...@gmail.com> wrote:

I use a DS component which instantiates an org.apache.karaf.jaas.config.JaasRealm and registers it via org.osgi.framework.BundleContext.registerService(Class<JaasRealm>, JaasRealm, Dictionary<String, ?>).

My DS component uses Config Admin to configure the realm. I wrap the standard Karaf LDAP module in my own caching proxy (as I found concurrency issues with org.apache.karaf.jaas.modules.ldap.LDAPCache.getCache(LDAPOptions)).

I can't share the code, but I can answer any questions you have.

Paul

On Tue, 21 Feb 2023 at 08:09, Maurice Betzel <m....@gaston-schul.com> wrote:
Dear community,

I am building a new custom Karaf assembly and would like to avoid installing aries blueprint just for creating an LDAP login module.
Does anybody have any experience with alternatives like declarative services or low-level activator setup willing to share the knowledge?

Kind regards,
Maurice Betzel
Principal Software Engineer
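
The KarafRealm pattern Maurice points to in his update, and the DS-registered JaasRealm Paul describes, as one added example. This is not code from the thread and not Karaf's own KarafRealm: a Declarative Services component that publishes a JaasRealm backed by the stock LDAPLoginModule, with the LDAP options taken from Config Admin. The package name com.example.jaas, the PID com.example.ldaprealm and the rank value are assumptions, as is the bundle importing org.apache.karaf.jaas.boot, org.apache.karaf.jaas.config and org.apache.karaf.jaas.modules.ldap.

```java
// Added example, not Karaf code: an LDAP-backed JaasRealm published from a
// Declarative Services component instead of a Blueprint <jaas:config>.
// Assumed: package/PID names below, and Import-Package entries for
// org.apache.karaf.jaas.boot, org.apache.karaf.jaas.config and
// org.apache.karaf.jaas.modules.ldap.
package com.example.jaas;

import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import org.apache.karaf.jaas.boot.ProxyLoginModule;
import org.apache.karaf.jaas.config.JaasRealm;
import org.apache.karaf.jaas.modules.ldap.LDAPLoginModule;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;

@Component(
        service = JaasRealm.class,
        configurationPid = "com.example.ldaprealm",        // hypothetical PID
        configurationPolicy = ConfigurationPolicy.REQUIRE, // no config, no realm
        immediate = true)
public class LdapRealmComponent implements JaasRealm {

    // Same realm name the SSH console and JMX ask for; a rank above the
    // default realm's makes this JaasRealm the one Karaf selects.
    private static final String REALM_NAME = "karaf";
    private static final int RANK = 2; // assumption: higher than the default realm

    private AppConfigurationEntry[] entries;

    @Activate
    void activate(BundleContext context, Map<String, Object> config) {
        Map<String, Object> options = new HashMap<>();

        // Copy the LDAP options (connection.url, user.base.dn, role.filter, ...)
        // from the .cfg, skipping the Config Admin / DS bookkeeping keys.
        for (Map.Entry<String, Object> e : config.entrySet()) {
            String key = e.getKey();
            if (!key.startsWith("service.") && !key.startsWith("component.")
                    && !key.startsWith("felix.")) {
                options.put(key, e.getValue());
            }
        }

        // The KarafRealm trick: JAAS instantiates ProxyLoginModule, which sits on
        // Karaf's boot classpath, and the real module class plus the bundle that
        // can load it are passed in the options. Naming LDAPLoginModule directly in
        // the AppConfigurationEntry is what yields "No LoginModule found for ...".
        options.put(ProxyLoginModule.PROPERTY_MODULE, LDAPLoginModule.class.getName());
        options.put(ProxyLoginModule.PROPERTY_BUNDLE,
                Long.toString(FrameworkUtil.getBundle(LDAPLoginModule.class).getBundleId()));
        // The Karaf login modules look up their BundleContext under this key.
        options.put(BundleContext.class.getName(), context);

        entries = new AppConfigurationEntry[] {
            new AppConfigurationEntry(
                    ProxyLoginModule.class.getName(),
                    LoginModuleControlFlag.REQUIRED,
                    options)
        };
    }

    @Override public String getName() { return REALM_NAME; }
    @Override public int getRank() { return RANK; }
    @Override public AppConfigurationEntry[] getEntries() { return entries; }
}
```

Two things to check before trusting a realm built this way. Because the component only activates once its configuration exists (ConfigurationPolicy.REQUIRE), a missing or mistyped PID silently leaves the default karaf realm backed by etc/users.properties in charge, and no exception is thrown, which matches the symptom in this thread; jaas:realm-list should show the LDAP-backed realm with the higher rank before anyone relies on it. And the .cfg now carries the LDAP bind credentials (connection.username and connection.password), so it needs the same file permissions as etc/users.properties.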

RE: Karaf LDAP without blueprint

Posted by Maurice Betzel <m....@gaston-schul.com>.
Update,

Javax is not able to invoke login on the Karaf LDAP module because it cannot find it:

javax.security.auth.login.LoginException: No LoginModule found for org.apache.karaf.jaas.modules.ldap.LDAPLoginModule

Do I have to register the Karaf JAAS modules anywhere or how can I make javax.security.auth.login find org.apache.karaf.jaas.modules.ldap.LDAPLoginModule?




RE: Karaf LDAP without blueprint

Posted by Maurice Betzel <m....@gaston-schul.com>.
Hi,

My DS JAAS bundle is active, but I cannot perform an SSH login and no exceptions are thrown, so I am guessing no configured Karaf LDAP JAAS module is active.

I am creating a list of type AppConfigurationEntry and add a new one with params:

org.apache.karaf.jaas.modules.ldap.LDAPLoginModule,
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
and the LDAP options Map from the blueprint setup.

What am I missing?



Re: Karaf LDAP without blueprint

Posted by Matt Pavlovich <ma...@gmail.com>.
Hi Paul-

Thanks for the input. Yep, I’m seeing the same thing. There needs to be a class-level lock that operations are synchronized on, and not rely on class-static cache and method synchronization.

I made a JIRA to track: https://issues.apache.org/jira/browse/KARAF-7671

-Matt Pavlovich



Re: Karaf LDAP without blueprint

Posted by Paul McCulloch <pk...@gmail.com>.
Matt,
From memory (& less than stellar comments) I believe the issue is in
concurrent access to getCache() & clear()

    public static LDAPCache getCache(LDAPOptions options) {
        LDAPCache cache = CACHES.get(options);
        if (cache == null) {
            CACHES.putIfAbsent(options, new LDAPCache(options));
            cache = CACHES.get(options);
        }
        return cache;
    }

If clear() is called by another thread between the putIfAbsent() and get()
then null is returned.

A second issue (and this is just from memory & Karaf code review, so I may
be mistaken) is that the LDAP cache is cleared in
LDAPLoginModule.initialize(), but this method is called every time a user
authenticates - so the cache is never used.

Paul
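
The getCache()/clear() race Paul describes, as an added example that is neither Karaf's code nor the change tracked in KARAF-7671: a stand-alone model of the cache registry with the original check-then-act shape next to a variant that cannot hand back null, and a two-thread loop that counts null results. The String keys stand in for LDAPOptions, the Cache class stands in for LDAPCache, and computeIfAbsent is my swapped-in fix, where Matt proposes a class-level lock.

```java
// Added example, not Apache Karaf code: a model of the LDAPCache.getCache()/clear()
// race described in the thread. Keys are Strings standing in for LDAPOptions and
// the Cache class is a placeholder for LDAPCache.
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

public class CacheRaceDemo {

    /** Stand-in for LDAPCache. */
    static final class Cache {
        final String options;
        Cache(String options) { this.options = options; }
    }

    private static final Map<String, Cache> CACHES = new ConcurrentHashMap<>();

    /** The shape quoted in the thread: get, putIfAbsent, get, as three separate steps. */
    static Cache getCacheRacy(String options) {
        Cache cache = CACHES.get(options);
        if (cache == null) {
            CACHES.putIfAbsent(options, new Cache(options));
            // If clear() runs here, the next get() finds nothing and null escapes.
            cache = CACHES.get(options);
        }
        return cache;
    }

    /** One atomic operation: the mapped value is returned, never null. A concurrent
     *  clear() can still evict the entry afterwards, but the caller holds a usable Cache. */
    static Cache getCacheSafe(String options) {
        return CACHES.computeIfAbsent(options, Cache::new);
    }

    static void clear() {
        CACHES.clear();
    }

    /**
     * One thread calls getCache and another calls clear() in a tight loop;
     * returns how many lookups came back null.
     */
    static int countNulls(boolean safe, int iterations) throws InterruptedException {
        AtomicInteger nulls = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        Thread reader = new Thread(() -> {
            awaitQuietly(start);
            for (int i = 0; i < iterations; i++) {
                Cache c = safe ? getCacheSafe("ldap://dc1.example") : getCacheRacy("ldap://dc1.example");
                if (c == null) {
                    nulls.incrementAndGet();
                }
            }
        });
        Thread clearer = new Thread(() -> {
            awaitQuietly(start);
            for (int i = 0; i < iterations; i++) {
                clear();
            }
        });
        reader.start();
        clearer.start();
        start.countDown();          // release both threads together
        reader.join();
        clearer.join();
        return nulls.get();
    }

    private static void awaitQuietly(CountDownLatch latch) {
        try {
            latch.await();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("racy getCache() returned null " + countNulls(false, 2_000_000) + " times");
        System.out.println("safe getCache() returned null " + countNulls(true, 2_000_000) + " times");
    }
}
```

Running main() typically prints a nonzero count for the racy variant and zero for the safe one; the count depends on scheduling, so treat it as a reproduction rather than a test. The fix only closes the null window: a clear() landing right after computeIfAbsent() still leaves the caller with a Cache that is no longer in the map, which is harmless for a cache of LDAP lookups, and it does nothing about the second issue Paul raises, a clear() on every initialize() that empties the cache before it can serve a hit.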



Re: Karaf LDAP without blueprint

Posted by Matt Pavlovich <ma...@gmail.com>.
Paul-

What issues have you found with the LDAP caching module? Please share, so I can open a JIRA and fix it.

Thanks!
Matt Pavlovich

> On Feb 21, 2023, at 4:42 AM, Paul McCulloch <pk...@gmail.com> wrote:
> 
> I use a DS component which instantiates an org.apache.karaf.jaas.config.JaasRealm and registers it via org.osgi.framework.BundleContext.registerService(Class<JaasRealm>, JaasRealm, Dictionary<String, ?>).
> 
> My DS component uses Config Admin to configure the realm. I wrap the standard Karaf LDAP module in my own caching proxy (as I found concurrency issues with org.apache.karaf.jaas.modules.ldap.LDAPCache.getCache(LDAPOptions)).
> 
> I can't share the code, but I can answer any questions you have.
> 
> Paul
> 
> On Tue, 21 Feb 2023 at 08:09, Maurice Betzel <m.betzel@gaston-schul.com <ma...@gaston-schul.com>> wrote:
>> Dear community,
>> 
>>  
>> 
>> I am building a new custom Karaf assembly and would like to avoid installing aries blueprint just for creating an LDAP login module.
>> 
>> Does anybody have any experience with alternatives like declarative services or low-level activator setup willing to share the knowledge?
>> 
>>  
>> 
>> Met vriendelijke groet / Mit freundlichen Grüßen / Kind regards,
>> 
>> Maurice Betzel
>> Principal Software Engineer
>> 
>> 


RE: Karaf LDAP without blueprint

Posted by Maurice Betzel <m....@gaston-schul.com>.
Hi Paul, thanks for the input.
What I reverse engineer from blueprint and docs is that I indeed need to publish a JaasRealm on the service registry that wraps (?) the Karaf login module in some way. Props are indeed per config admin and a Designate for binding the config, which I am testing just now:


import org.apache.karaf.jaas.config.JaasRealm;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;

import org.osgi.service.metatype.annotations.*;

import javax.security.auth.login.AppConfigurationEntry;
import java.util.Dictionary;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

@Component(name = "eu.abeel.platform.security.jaas",
        service = JaasRealm.class,
        configurationPolicy = ConfigurationPolicy.REQUIRE,
        configurationPid = "eu.abeel.platform.security.jaas.ldap",
        immediate = true)
@Designate(ocd = JaasModuleConfig.class) // JaasModuleConfig: the @ObjectClassDefinition type, not included in this mail
public class PlatformJaasRealm implements JaasRealm {

    private volatile AppConfigurationEntry[] entries = new AppConfigurationEntry[0];

    @Activate
    public void activate(ComponentContext context, JaasModuleConfig jaasModuleConfig) {
        Dictionary<String, Object> properties = context.getProperties();
        // Copy the Config Admin properties into the login module options
        Map<String, Object> options = new HashMap<>();
        Enumeration<String> keys = properties.keys();
        while (keys.hasMoreElements()) {
            String key = keys.nextElement();
            // Debug output only: this also prints the LDAP bind password
            System.out.println(key + " = " + properties.get(key));
            options.put(key, properties.get(key));
        }
        // Referencing the module class directly means the JAAS LoginContext must be able to load it
        entries = new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                        "org.apache.karaf.jaas.modules.ldap.LDAPLoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        options)
        };
    }

    // JaasRealm contract: realm name, rank and the JAAS login module entries
    @Override
    public String getName() { return "ldap"; } // placeholder realm name

    @Override
    public int getRank() { return 0; }

    @Override
    public AppConfigurationEntry[] getEntries() { return entries; }
}


From: Paul McCulloch <pk...@gmail.com>
Sent: dinsdag 21 februari 2023 11:43
To: user@karaf.apache.org
Subject: Re: Karaf LDAP without blueprint


I use a DS component which instantiates an org.apache.karaf.jaas.config.JaasRealm and registers it via org.osgi.framework.BundleContext.registerService(Class<JaasRealm>, JaasRealm, Dictionary<String, ?>).

My DS component uses Config Admin to configure the realm. I wrap the standard Karaf LDAP module in my own caching proxy (as I found concurrency issues with org.apache.karaf.jaas.modules.ldap.LDAPCache.getCache(LDAPOptions)).

I can't share the code, but I can answer any questions you have.

Paul

On Tue, 21 Feb 2023 at 08:09, Maurice Betzel <m....@gaston-schul.com> wrote:
Dear community,

I am building a new custom Karaf assembly and would like to avoid installing aries blueprint just for creating an LDAP login module.
Does anybody have any experience with alternatives like declarative services or low-level activator setup willing to share the knowledge?

Met vriendelijke groet / Mit freundlichen Grüßen / Kind regards,
Maurice Betzel
Principal Software Engineer






Re: Karaf LDAP without blueprint

Posted by Paul McCulloch <pk...@gmail.com>.
I use a DS component which instantiates an
org.apache.karaf.jaas.config.JaasRealm and registers it
via org.osgi.framework.BundleContext.registerService(Class<JaasRealm>,
JaasRealm, Dictionary<String, ?>).

My DS component uses Config Admin to configure the realm. I wrap the
standard Karaf LDAP module in my own caching proxy (as I found concurrency
issues
with org.apache.karaf.jaas.modules.ldap.LDAPCache.getCache(LDAPOptions)).

I can't share the code, but I can answer any questions you have.

Paul

On Tue, 21 Feb 2023 at 08:09, Maurice Betzel <m....@gaston-schul.com>
wrote:

> Dear community,
>
>
>
> I am building a new custom Karaf assembly and would like to avoid
> installing aries blueprint just for creating an LDAP login module.
>
> Does anybody have any experience with alternatives like declarative
> services or low-level activator setup willing to share the knowledge?
>
>
>
> Met vriendelijke groet / Mit freundlichen Grüßen / Kind regards,
>
> Maurice Betzel
> Principal Software Engineer
>
>
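A complete version of the approach Paul describes (a DS component that registers a JaasRealm configured through Config Admin) and of the component Maurice is testing, as an added example: this is not code from the thread, from either poster's project, or from Karaf itself. The PID example.jaas.ldap, the class names LdapRealm and LdapConfig, and the default values are assumptions. The option keys (connection.url, user.base.dn, role.filter and so on) are the documented Karaf LDAPLoginModule options, and the three ProxyLoginModule options are what Karaf's own blueprint-backed realm configuration puts into each entry so that the login module class is loaded from the registering bundle instead of by the JAAS LoginContext.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import org.apache.karaf.jaas.boot.ProxyLoginModule;
import org.apache.karaf.jaas.config.JaasRealm;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.AttributeType;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;

// Assumed for this example: the PID "example.jaas.ldap" and the class names.
// The bundle must Import-Package org.apache.karaf.jaas.modules.ldap so that
// ProxyLoginModule can load the module class through this bundle.
@Component(service = JaasRealm.class,
        configurationPid = "example.jaas.ldap",
        configurationPolicy = ConfigurationPolicy.REQUIRE,
        immediate = true)
@Designate(ocd = LdapRealm.LdapConfig.class)
public class LdapRealm implements JaasRealm {

    // Metatype binding for the PID. DS maps a method name such as connection_url to
    // the property "connection.url", so these keys are exactly the LDAPLoginModule options.
    @ObjectClassDefinition(name = "LDAP JAAS realm")
    public @interface LdapConfig {
        @AttributeDefinition(name = "Realm name")
        String realm_name() default "ldap";
        @AttributeDefinition(name = "Rank", description = "For equal realm names, the highest rank wins")
        int realm_rank() default 0;
        @AttributeDefinition(name = "LDAP URL")
        String connection_url();
        @AttributeDefinition(name = "Bind DN")
        String connection_username();
        @AttributeDefinition(name = "Bind password", type = AttributeType.PASSWORD)
        String connection_password();
        @AttributeDefinition(name = "User base DN")
        String user_base_dn();
        @AttributeDefinition(name = "User filter")
        String user_filter() default "(uid=%u)";
        @AttributeDefinition(name = "Role base DN")
        String role_base_dn();
        @AttributeDefinition(name = "Role filter")
        String role_filter() default "(member=%fqdn)";
        @AttributeDefinition(name = "Role name attribute")
        String role_name_attribute() default "cn";
    }

    private volatile String name = "ldap";
    private volatile int rank;
    private volatile AppConfigurationEntry[] entries = new AppConfigurationEntry[0];

    @Activate
    void activate(BundleContext bc, LdapConfig cfg, Map<String, Object> props) {
        name = cfg.realm_name();
        rank = cfg.realm_rank();

        // Pass the dotted Config Admin keys through as login module options, leaving
        // out DS/Config Admin housekeeping keys and our own realm.* keys.
        Map<String, Object> options = new HashMap<>();
        for (Map.Entry<String, Object> e : props.entrySet()) {
            String key = e.getKey();
            if (key.startsWith("service.") || key.startsWith("component.") || key.startsWith("realm.")) {
                continue;
            }
            options.put(key, e.getValue());
        }

        // Same wiring as Karaf's blueprint-backed realm: ProxyLoginModule sits on the boot
        // classpath and loads the real module class through this bundle (found by id), so
        // the JAAS LoginContext never has to see org.apache.karaf.jaas.modules.* itself.
        options.put(ProxyLoginModule.PROPERTY_MODULE, "org.apache.karaf.jaas.modules.ldap.LDAPLoginModule");
        options.put(ProxyLoginModule.PROPERTY_BUNDLE, Long.toString(bc.getBundle().getBundleId()));
        options.put(BundleContext.class.getName(), bc);

        entries = new AppConfigurationEntry[] {
                new AppConfigurationEntry(ProxyLoginModule.class.getName(),
                        LoginModuleControlFlag.REQUIRED, options)
        };
    }

    @Override
    public String getName() { return name; }

    @Override
    public int getRank() { return rank; }

    @Override
    public AppConfigurationEntry[] getEntries() { return entries; }
}
```

The realm name and rank decide what this component replaces: registering it under the default name karaf with a rank higher than the built-in realm makes it the realm that logins actually go through, while a different name only adds an extra realm. After dropping the configuration into etc/example.jaas.ldap.cfg, jaas:realm-list in the Karaf shell shows which realms and modules are active, which is the check to run before trusting that LDAP is enforced. The bind password is typed as AttributeType.PASSWORD so management UIs mask it, but it still sits in plain text in the .cfg file, so that file needs the same file permissions as etc/users.properties, and the properties should not be echoed to the log as in the debug loop above.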