Posted to users@tomcat.apache.org by Martin Knoblauch <kn...@knobisoft.de> on 2017/01/09 14:01:53 UTC

Re: Spurious "Internal Server Errors" accessing "jkmanager" after upgrading Apache, "mod_jk" and OpenSSL

Hi everyone,

just in case the "final" solution is of interest: the problem was, as usual,
in the configuration. We did not set the following directive for the LDAP
connection pool:

LDAPConnectionPoolTTL #seconds

If the directive is missing, a value of "-1" is implied, meaning "keep
connections open for ever". The LDAP server on the other side sets an "idle
connection timeout" of 600 seconds. As a result a lookup would fail if it
happened 600+ seconds after the first usage of the connection. 600 seconds
is exactly the lifetime of the LDAP cache. Given the time of the year,
usage of the test/integ/devel environment is minimal and there were no
"new" lookups during the cache lifetime, leading to the repeated failures...

Setting

LDAPConnectionPoolTTL 60

solved the problem for good.

Happy New Year !!!
Martin

On Fri, Dec 30, 2016 at 12:33 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Martin,
>
> On 12/29/16 3:47 AM, Martin Knoblauch wrote:
> > that is an interesting pointer. We are of course securing the
> > "jkmanager" app. And guess what we are using: LDAP. The funky thing
> > is that it is working most of the time. It fails just after some
> > time. Refreshing the URL cures it again - for some time. What did
> > you do to fix your problem?
>
> I'm glad to see you are on your way to solving your problem.
>
> In my case, it was an expired TLS certificate being used for the
> OpenLDAP process or something similar, so it wasn't anything to do
> with httpd itself. I've also been experimenting with a fall-back for
> LDAP that maybe wouldn't be 100% up-to-date with the LDAP database,
> but at least it wouldn't cause 500 errors.
>
> Good luck,
> -chris


-- 
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
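The timer interaction Martin describes, as an added model (not code from the thread, from httpd or from mod_ldap): a pooled connection kept with LDAPConnectionPoolTTL -1 outlives the directory's 600-second idle timeout, and the 600-second result cache hides that until the first lookup after the cache entry expires. The directory side, the cache and the request streams are constructed and deliberately simplified.

```python
from dataclasses import dataclass, field

# Timers from the thread: the directory drops connections idle for more than 600 s,
# and mod_ldap's cache keeps an entry for 600 s (the LDAPCacheTTL default).
SERVER_IDLE_TIMEOUT = 600
CACHE_TTL = 600

def server_search(conn: dict, now: int, idle_timeout: int = SERVER_IDLE_TIMEOUT) -> None:
    """Directory side (model): a connection idle longer than idle_timeout was already closed."""
    if now - conn["last_used"] > idle_timeout:
        raise ConnectionError("peer closed idle connection")
    conn["last_used"] = now

@dataclass
class ModLdap:
    """httpd side (model): one pooled connection governed by LDAPConnectionPoolTTL,
    fronted by a per-user result cache governed by LDAPCacheTTL."""
    pool_ttl: int                    # -1 = keep forever (the implied default), else max idle seconds
    cache_ttl: int = CACHE_TTL
    conn: dict = None
    cache: dict = field(default_factory=dict)

    def request(self, now: int, user: str) -> str:
        if user in self.cache and now - self.cache[user] < self.cache_ttl:
            return "ok"                       # served from cache; the pooled connection sits idle
        if self.conn is None or (self.pool_ttl >= 0 and now - self.conn["last_used"] > self.pool_ttl):
            self.conn = {"last_used": now}    # nothing usable in the pool: open a fresh connection
        try:
            server_search(self.conn, now)
        except ConnectionError:
            self.conn = None                  # stale socket found the hard way; only the next request reconnects
            return "500"
        self.cache[user] = now
        return "ok"

def run(requests: list, pool_ttl: int) -> list:
    """Replay constructed (time, user) requests and return the outcome of each."""
    mod = ModLdap(pool_ttl)
    return [mod.request(t, u) for t, u in requests]

# Constructed request streams. Quiet devel box: one user, next hit just after cache expiry.
QUIET = [(0, "alice"), (601, "alice"), (602, "alice")]
# Busy box: another user's cache miss at t=300 keeps the pooled connection warm.
BUSY = [(0, "alice"), (300, "bob"), (601, "alice")]

if __name__ == "__main__":
    print(run(QUIET, -1))   # ['ok', '500', 'ok']  first miss after 600 s fails, a refresh cures it
    print(run(QUIET, 60))   # ['ok', 'ok', 'ok']   TTL below the idle timeout: stale socket discarded first
    print(run(BUSY, -1))    # ['ok', 'ok', 'ok']   why the default "works most of the time"
```

The third run is the busy-environment case: unrelated cache misses keep the connection alive, which is why the failure only surfaced on a quiet test box.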

Re: Spurious "Internal Server Errors" accessing "jkmanager" after upgrading Apache, "mod_jk" and OpenSSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

On 1/9/17 9:01 AM, Martin Knoblauch wrote:
> Hi everyone,
> 
> just in case the "final" solution is of interest: the problem was
> as usual in the configuration. We did not set the following
> directive for the LDAP connection pool:
> 
> LDAPConnectionPoolTTL #seconds
> 
> If the directive is missing, a value of "-1" is implied, meaning
> "keep connections open for ever". The LDAP server on the other side
> sets an "idle connection timeout" of 600 seconds. As a result a
> lookup would fail if it happened 600+ seconds after the first usage
> of the connection. 600 seconds is exactly the lifetime of the LDAP
> cache. Given the time of the year, usage of the test/integ/devel
> environment is minimal and there were no "new" lookups during the
> cache lifetime, leading to the repeated failures...
> 
> Setting
> 
> LDAPConnectionPoolTTL 60
> 
> 
> solved the problem for good.
> 
> Happy New Year !!!

Thanks for coming back and explaining the problem. Looks like I was
right about LDAP. It seems like mod_auth_ldap should be a little more
chatty when problems like that happen. :(

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org