Using the User LDAP Lock

The purpose of the User LDAP lock is to prevent two or more applications / programs / threads from updating the same user in parallel.

The implementation has drastically changed in V8.10. In order to minimize locking times and to relieve custom code from lock handling, the following major changes have been made:

  • Components, namely custom clients and Java Scripts do not have to set and release the lock explicitly. Instead, it is done within the SvcUser method ‘storePrepared’ and only when it is necessary. Locking is considered necessary, if a privilege assignment is created, changed, or deleted or if a permission parameter attribute of the user is changed.

  • User resolution is not performed anymore in the client applications (such as Web Center, REST and SOAP Services, consistency rules, etc), but in an extra component, the new resolution adapter running in the Java server IdS-J.

  • Clients, including Java Scripts, should always use the method checkAndSave(true) for storing their changes to a user. This method checks the changes for their relevance to access rights, lock the user and send a resolution event if an access-right relevant change has been detected.

To support upgrade, the old methods in class SvcSession (such as createLdapLock) are kept and do not perform any changes. They are marked deprecated, so please take care to adapt your custom clients to not use them anymore. They likely might be dropped in a subsequent version.

Your client code still must consider that the method checkAndSave – or storePrepared, if you use it – might fail because it is not able to acquire the lock for changing the user. This will be indicated by the result code 15 (SVC_ENTRY_LOCKED) in the returned SvcSummary object.