Posted to oak-issues@jackrabbit.apache.org by "Manfred Baedke (Jira)" <ji...@apache.org> on 2020/02/05 17:59:00 UTC

[jira] [Commented] (OAK-8890) LDAP login may fail if a server or intermediate silently drops connections

    [ https://issues.apache.org/jira/browse/OAK-8890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17030881#comment-17030881 ] 

Manfred Baedke commented on OAK-8890:
-------------------------------------

It wouldn't be a good idea to expose every available config option (see https://commons.apache.org/proper/commons-pool/api-2.8.0/index.html), since these are implementation details of apache.commons.pool2. Currently exactly one of these options is configurable, namely the pool size. To fix the issue at hand, we'd need a background job evicting idle connections after a configurable timeout interval. The default implementation (https://commons.apache.org/proper/commons-pool/api-2.8.0/org/apache/commons/pool2/impl/DefaultEvictionPolicy.html) has such an option, which is disabled by default. I'd go for the simplest solution and offer two additional config options allowing one to set the time between two eviction runs and the minimum idle time after which a connection shall be evicted. A patch will follow tomorrow.

> LDAP login may fail if a server or intermediate silently drops connections
> --------------------------------------------------------------------------
>
>                 Key: OAK-8890
>                 URL: https://issues.apache.org/jira/browse/OAK-8890
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-ldap
>            Reporter: Manfred Baedke
>            Assignee: Manfred Baedke
>            Priority: Major
>
> This has been seen on production systems with Oak 1.10.2, where a firewall was configured to drop idle connections after a timeout without sending an RST (for security reasons). When this happens, the connection pool used by the LdapPrincipalProvider will still consider these connections healthy. Eventually such a connection will be used for an actual LDAP BIND/SEARCH, which will simply timeout.
> The connection pool is an instance of org.apache.commons.pool.impl.GenericObjectPool, which has configuration options to deal with the scenario (namely running an eviction task which will properly close idle connections after a timeout which is shorter than the timeout interval used by the firewall).
> The creation of the connection pool used is hard coded and most of the configuration options are not available.
> I propose to change that. I'll supply a patch soon.
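As an added illustration of the two eviction settings proposed in the comment above (this is not Oak's code or the patch; it drives commons-pool2's GenericObjectPool directly with a constructed stand-in for an LDAP connection, and the timings are scaled down to milliseconds):

```java
import org.apache.commons.pool2.BasePooledObjectFactory;
import org.apache.commons.pool2.PooledObject;
import org.apache.commons.pool2.impl.DefaultPooledObject;
import org.apache.commons.pool2.impl.GenericObjectPool;
import org.apache.commons.pool2.impl.GenericObjectPoolConfig;

public class IdleEvictionDemo {

    // Constructed stand-in for a pooled LDAP connection (hypothetical, not
    // Oak's LdapConnection); records whether the pool's evictor closed it.
    static final class FakeLdapConnection {
        volatile boolean closed;
    }

    static final class FakeFactory extends BasePooledObjectFactory<FakeLdapConnection> {
        @Override public FakeLdapConnection create() { return new FakeLdapConnection(); }
        @Override public PooledObject<FakeLdapConnection> wrap(FakeLdapConnection c) {
            return new DefaultPooledObject<>(c);
        }
        // Called by the evictor for idle objects that exceeded minEvictableIdleTime.
        @Override public void destroyObject(PooledObject<FakeLdapConnection> p) {
            p.getObject().closed = true;
        }
    }

    // The two options the comment proposes to expose: eviction run interval and
    // minimum idle time. With the default interval (<= 0) the evictor never runs,
    // so a connection silently dropped by a firewall stays "healthy" in the pool.
    static GenericObjectPool<FakeLdapConnection> newPool(int maxTotal,
                                                         long evictionRunIntervalMs,
                                                         long minIdleMs) {
        GenericObjectPoolConfig<FakeLdapConnection> cfg = new GenericObjectPoolConfig<>();
        cfg.setMaxTotal(maxTotal);
        cfg.setTimeBetweenEvictionRunsMillis(evictionRunIntervalMs);
        cfg.setMinEvictableIdleTimeMillis(minIdleMs);
        return new GenericObjectPool<>(new FakeFactory(), cfg);
    }

    public static void main(String[] args) throws Exception {
        // Pick minIdle below the firewall's idle timeout; here 300 ms idle, checked every 100 ms.
        GenericObjectPool<FakeLdapConnection> pool = newPool(5, 100, 300);
        FakeLdapConnection c = pool.borrowObject();
        pool.returnObject(c);
        System.out.println("idle right after return: " + pool.getNumIdle());
        Thread.sleep(700);
        System.out.println("idle after evictor ran:  " + pool.getNumIdle());
        System.out.println("connection closed by evictor: " + c.closed);
        pool.close();
    }
}
```

In a real deployment the minimum idle time must be shorter than the firewall's idle timeout, otherwise the evictor closes connections only after the firewall has already dropped them.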



--
This message was sent by Atlassian Jira
(v8.3.4#803005)