Why Does Retrieving Attribute Values from a Secure LDAP Slow Performance?

This week’s question gets into a very specific XACML implementation detail but it is one that I encounter often so I thought this might be a good place to raise awareness. You are probably already aware that one of the key features of an Attribute Based Access Control system (ABAC) is the ability to use many attributes to make fine-grained authorization decisions.  The XACML reference architecture makes getting these attributes easier by defining Policy Information Points (PIP’s) but what happens when the underlying datasource requires a secure LDAP connection? 

Myself and a few of our customers have learned the hard way that an out of the box Java Virtual Machine does not implement connection pooling for secure LDAP by default.  This means that a java based XACML system will need to authenticate to the underlying secure LDAP attribute source each and every time it needs to retrieve an attribute value. The overhead of this authentication will cause the overall performance of the XACML system to suffer. The good news here is that connection pooling for non-secure LDAP is enabled by default and it can be enabled for secure LDAP connections.  To do that simply add the following java system property:

com.sun.jndi.ldap.connect.pool.protocol=plain ssl

More details on all available settings can be found here:

In the above example both secure and nonsecure connections will be pooled.


When implementing an ABAC system with XACML it is important to understand all of the details of how the underlying system works.  In this case we understood how XACML uses PIP’s to retrieve attribute values but not how the underlying Java Virtual Machine implemented those connections.  

Related Articles

The one about protecting machine and human identities | Dynamically Speaking
Dynamically Speaking
With a ‘work from anywhere’ workforce culture firmly established, we know how important it is to verify the right people have the right access to...
You could build your own Authorization solution…but should you?
Dynamic Authorization
Having spoken with many customers about the challenges around authorization, one of the themes that has come up time and time again is whether an...
The one about ISO certifications | Dynamically Speaking
Dynamically Speaking
Recently, Axiomatics announced we’d achieved ISO 9001 and ISO 27001 certifications. But…what does that really mean? In this episode of Dynamically Speaking, Axiomatics COO Alexander...