Json2Ldap soon with bind DN quotas

Since its first release, Json2Ldap has allowed administrators to control the LDAP connection count by specifying a limit per client IP address. To do this one sets the json2ldap.clients.connectionQuotaPerIP configuration parameter. Once the connection limit for a particular IP is reached, no further LDAP connections are allowed from that address until an existing one is closed or expires.

This measure works well for anonymous LDAP connections. The new 1.2 release of Json2Ldap will include an additional quota mechanism which enables administrators to set LDAP connection quotas per bound DN. This slightly more advanced feature, already coded and tested out, is more suitable in cases where Json2Ldap users make mostly authenticated connections to the back-end directories (with a user DN and password).

The bind DN connection quota is set by the configuration parameter json2ldap.clients.connectionQuotaPerBindDN in the WEB-INF/web.xml file.

Here is an example illustrating how the bind DN quotas work.

First, we specify some bind DN quota value in the Json2Ldap config file, e.g. five:

...
<context-param>
    <param-name>json2ldap.clients.connectionQuotaPerBindDN</param-name>
    <param-value>5</param-value>
</context-param>
...

Don’t forget to restart the web container in order for the new config to take effect!

Then we establish a new LDAP connection with ldap.connect and make a JSON-RPC ldap.bind request to authenticate the current LDAP connection (represented by the CID value) as originating from the user with the specified distinguished name (DN) and password.

{ "method" : "ldap.bind",
  "params" : { "DN" : "uid=u001,ou=People,dc=example,dc=com",
               "password" : "secret",
               "CID" : "5288ff60f64a6a29b19e530cc4ff823f" },
  "id" : 1,
  "jsonrpc" : "2.0" }

If the bind request succeeds a JSON-RPC response indicating success is sent back to the client. The null result value here simply indicates that we have a void type RPC method.

{ "result" : null,
  "id" : 1,
  "jsonrpc" : "2.0" }

If, however, the connection limit for the above bind DN is reached, that is, there are already 5 active LDAP connections authenticated as the DN uid=u001,ou=People,dc=example,dc=com, then a -1204 JSON-RPC error will be returned:

{ "error" : { "code" : -1204,
              "message" : "Exhausted connection quota for this bind DN" },
  "id" : 1,
  "jsonrpc" : "2.0" }

The current connection will also be closed.

Bind requests for this DN will keep returning a -1204 error until one of those connections changes its bind DN (i.e. re-binds as a different or anonymous user), is closed or expires.

Note that internally the bind DN quota is checked only after the user credentials are verified. This is to prevent attempts to guess whether somebody is logged onto the directory by making a false bind request with some random password.
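The following Python model, added here as an illustration and not taken from the Json2Ldap code base, walks through the scenario above: a per-DN counter of live bound connections, the ldap.bind handling that verifies the password before consulting the quota, the -1204 reply with the same shape as the post's JSON-RPC messages, and the slot being released when a connection re-binds anonymously or is closed. The credential table, the CID values and the error code for a wrong password (-1) are constructed placeholders; only -1204 and the parameter value 5 come from the post.

```python
from typing import Optional

# Constructed model of per-bind-DN connection quotas in the style of
# Json2Ldap's json2ldap.clients.connectionQuotaPerBindDN. Not Json2Ldap code.

CONNECTION_QUOTA_PER_BIND_DN = 5          # the web.xml value from the post

# Constructed credential table standing in for the back-end directory.
CREDENTIALS = {
    "uid=u001,ou=People,dc=example,dc=com": "secret",
    "uid=u002,ou=People,dc=example,dc=com": "hunter2",
}

QUOTA_EXHAUSTED = -1204     # error code shown in the post
INVALID_CREDENTIALS = -1    # placeholder; the post does not give this code


def jsonrpc_result(rid, result):
    return {"result": result, "id": rid, "jsonrpc": "2.0"}


def jsonrpc_error(rid, code, message):
    return {"error": {"code": code, "message": message}, "id": rid, "jsonrpc": "2.0"}


class QuotaTracker:
    """Tracks which DN (if any) each live LDAP connection (CID) is bound as."""

    def __init__(self, quota: int):
        self.quota = quota
        self.bound = {}                 # CID -> bound DN, or None if anonymous

    def connect(self, cid: str) -> None:
        self.bound[cid] = None          # a fresh connection is anonymous

    def close(self, cid: str) -> None:
        self.bound.pop(cid, None)       # closing releases the DN's slot

    def active_for(self, dn: str) -> int:
        return sum(1 for d in self.bound.values() if d == dn)

    def bind(self, request: dict) -> dict:
        p = request["params"]
        cid, dn, password = p["CID"], p["DN"], p["password"]
        rid = request.get("id")
        if dn == "":                    # anonymous re-bind: give the slot back
            self.bound[cid] = None
            return jsonrpc_result(rid, None)
        # 1. Verify the credentials first. A caller who does not know the
        #    password therefore never learns whether this DN's quota is full,
        #    i.e. whether somebody is currently logged on as that user.
        if CREDENTIALS.get(dn) != password:
            return jsonrpc_error(rid, INVALID_CREDENTIALS, "Invalid credentials")
        # 2. Only then enforce the quota. A connection already bound as this
        #    DN is merely re-binding and must not consume a second slot.
        if self.bound[cid] != dn and self.active_for(dn) >= self.quota:
            self.close(cid)             # the post: the connection is closed too
            return jsonrpc_error(rid, QUOTA_EXHAUSTED,
                                 "Exhausted connection quota for this bind DN")
        self.bound[cid] = dn
        return jsonrpc_result(rid, None)


def bind_request(cid: str, dn: str, password: str, rid: int) -> dict:
    return {"method": "ldap.bind",
            "params": {"DN": dn, "password": password, "CID": cid},
            "id": rid, "jsonrpc": "2.0"}


def outcome(response: dict):
    return "ok" if "result" in response else response["error"]["code"]


def run_scenario():
    """Replays the post's scenario; returns (bind outcomes, tracker)."""
    u001 = "uid=u001,ou=People,dc=example,dc=com"
    t = QuotaTracker(CONNECTION_QUOTA_PER_BIND_DN)
    outcomes = []
    for i in range(7):                  # constructed CIDs cid0 .. cid6
        t.connect(f"cid{i}")
    # Five binds fit within the quota; the sixth gets -1204 and is closed.
    for i in range(6):
        outcomes.append(outcome(t.bind(bind_request(f"cid{i}", u001, "secret", i))))
    # Wrong password while the quota is exhausted: the credential check
    # answers first, so the reply does not reveal that the quota is full.
    outcomes.append(outcome(t.bind(bind_request("cid6", u001, "wrong", 6))))
    # Re-binding one connection anonymously frees a slot ...
    t.bind(bind_request("cid0", "", "", 7))
    # ... so the waiting connection can now bind successfully.
    outcomes.append(outcome(t.bind(bind_request("cid6", u001, "secret", 8))))
    return outcomes, t


if __name__ == "__main__":
    results, tracker = run_scenario()
    print(results)          # ['ok', 'ok', 'ok', 'ok', 'ok', -1204, -1, 'ok']
```

The ordering in bind() is the point of the post's closing note: swapping the two checks would let anyone learn, from a -1204 reply to a bind with a bogus password, that the target DN currently has a full set of live sessions.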