Performance Comparison
We developed a simple load test framework to compare the performance of the existing CAS LDAP authentication components to those in this project based on ldaptive. In particular the existing BindLdapAuthenticationHandler was compared with LdapAuthenticationHandler in an equivalent search/bind configuration. The exact configuration of components can be found in the Spring contexts in the load test framework source.
Test results were generated using the following command lines:
bin/loadtest.sh 50000 200 ~/Private/cas-users-dev.csv /spring-ldap-context.xml
bin/loadtest.sh 50000 200 ~/Private/cas-users-dev.csv /ldaptive-context.xml
for Spring LDAP and ldaptive, respectively.
This performs 50K samples using 200 threads for both sets of tests. For simplicity, a sample is composed of an LDAP search for a DN followed by a bind on the resolved DN. The pool configuration and timeouts, which can have a considerable impact on performance, are provided below. The timeouts for the spring-ldap configuration were determined by trial and error: the timeouts were increased until connection timeouts and pool wait timeouts approached zero.
The results show a dramatic improvement in throughput: ldaptive is over 100 times faster than the existing components. While the pooling semantics of ldaptive have been optimized to minimize the scope of locking, that alone does not explain the dramatic difference. It's likely that the pooling of both search and bind operations accounts for most of the increase, since it avoids the SSL/TLS negotiation costs incurred by BindLdapAuthenticationHandler on every authentication. (BindLdapAuthenticationHandler pools searches but not binds due to limitations in Spring LDAP pool capabilities.)
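The explanation above can be checked with a small counting model. This is an added example, not code from the load test framework or from either library: it opens no LDAP connections, and the names `Pool`, `Counter` and `run_load`, the separate bind pool, and the eager creation of pooled connections are assumptions made for illustration.

```python
import queue
import threading
from concurrent.futures import ThreadPoolExecutor

class Counter:
    """Thread-safe count of simulated TLS handshakes."""
    def __init__(self):
        self.value = 0
        self._lock = threading.Lock()
    def incr(self):
        with self._lock:
            self.value += 1

class Pool:
    """Blocking pool: a handshake happens only when a connection is created."""
    def __init__(self, size, handshakes):
        self._idle = queue.Queue()
        for _ in range(size):
            handshakes.incr()          # one negotiation per pooled connection
            self._idle.put(object())   # placeholder for an open connection
    def checkout(self):
        return self._idle.get()        # blocks while the pool is exhausted
    def checkin(self, conn):
        self._idle.put(conn)

def run_load(samples, threads, pool_size, pool_binds):
    """Run `samples` search+bind samples; return the number of TLS handshakes."""
    handshakes = Counter()
    search_pool = Pool(pool_size, handshakes)
    bind_pool = Pool(pool_size, handshakes) if pool_binds else None

    def sample(_):
        conn = search_pool.checkout()  # search for the DN on a pooled connection
        search_pool.checkin(conn)
        if bind_pool:                  # bind on a pooled connection: no handshake
            conn = bind_pool.checkout()
            bind_pool.checkin(conn)
        else:                          # bind on a new connection: new handshake
            handshakes.incr()

    with ThreadPoolExecutor(max_workers=threads) as ex:
        list(ex.map(sample, range(samples)))
    return handshakes.value

if __name__ == "__main__":
    print("search pooled, bind unpooled:", run_load(5000, 200, 10, False))
    print("search and bind pooled:      ", run_load(5000, 200, 5, True))
```

With binds unpooled, the handshake count grows by one per sample; with both operations pooled, it stays fixed at the combined pool size regardless of sample count.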
Spring LDAP configuration:
ldap.url=ldaps://ed-dev.middleware.vt.edu:10636
ldap.query=authId=%u
ldap.baseDn=ou=People,dc=vt,dc=edu
# Connection timeout in ms
ldap.connectTimeout=8000
ldap.pool.minIdle=3
ldap.pool.maxIdle=3
ldap.pool.maxSize=10
ldap.pool.maxWait=8000
ldap.pool.testOnBorrow=false
ldap.pool.testWhileIdle=true
# Attempt to evict idle connections every N seconds
ldap.pool.evictionPeriod=600000
# Maximum amount of time an idle connection is allowed to be in
# pool before it is liable to be removed/destroyed
ldap.pool.idleTime=1200000
ldaptive configuration:
ldap.url=ldap://ed-dev.middleware.vt.edu:10389
ldap.useStartTLS=true
ldap.baseDn=ou=People,dc=vt,dc=edu
ldap.query=authId={user}
# Connection timeout in ms
ldap.connectTimeout=8000
# Amount of time in milliseconds to block on pool exhausted condition
# before giving up.
ldap.pool.blockWaitTime=8000
ldap.pool.minSize=2
ldap.pool.maxSize=5
ldap.pool.validateOnCheckout=false
ldap.pool.validatePeriodically=true
# Frequency of connection validation in seconds
# Only occurs when pool is idle (no active connections)
ldap.pool.validatePeriod=60
# Attempt to prune connections every N seconds
ldap.pool.prunePeriod=600
# Maximum amount of time an idle connection is allowed to be in
# pool before it is liable to be removed/destroyed
ldap.pool.idleTime=1200