directory-fortress mailing list archives

From Emmanuel Lécharny
Subject Re: Replacing Caching with LDAP Persistent Searches
Date Tue, 19 Mar 2019 13:26:32 GMT

On 19/03/2019 13:42, Shawn McKinney wrote:
> This idea has been kicked around before, we discussed on the dev list a several months
> The biggest problem with caching is that it creates consistency problems between highly-available and/or load-balanced nodes.  In today’s computing environment (everything’s running in a container/cluster) it’s an untenable situation.
> This is a proposal to replace fortress usage of ehcache with the LDAP persistent search
> Specifically these cached datasets would be targeted:
>   a. cache name="fortress.policies"
>   b. cache name="fortress.ous"
>   c. cache name="fortress.roles"
>   d. cache name="fortress.admin.roles"
>   e. cache name="fortress.pso"
>   f. cache name="fortress.uso"
>   g. cache name="fortress.dsd"
>   h. cache name="fortress.ssd"
> My plan, start playing in a sandbox, get an estimate of amount of work / complexity of the change.  It may require changing how Fortress handles state, to be more in line with what can be done using persistent search.  Of course the public APIs should not have to change nor should the behavior with the client (hint requirement).  Let me know if you have any interest in participation (providing requirements, design, test) in this effort.

I can give you a hand with that. The only aspect that needs to be 
checked is the fact that persistent search is not necessarily 
implemented the same way on all the LDAP servers, but AFAICT, for 
OpenLDAP and ApacheDS, it should be just fine.

And, yes, that is definitively a better solution than managing a local 
cache with all the complexity of having it consistent across various 

It should also be simple to implement, and fast enough for your needs.
