Posted to oak-issues@jackrabbit.apache.org by "Julian Reschke (Jira)" <ji...@apache.org> on 2020/05/08 09:00:00 UTC

[jira] [Comment Edited] (OAK-8890) LDAP login may fail if a server or intermediate silently drops connections

    [ https://issues.apache.org/jira/browse/OAK-8890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17100775#comment-17100775 ] 

Julian Reschke edited comment on OAK-8890 at 5/8/20, 8:59 AM:
--------------------------------------------------------------

trunk: [r1877503|http://svn.apache.org/r1877503] [r1877435|http://svn.apache.org/r1877435]


was (Author: baedke):
Done: http://svn.apache.org/viewvc?view=revision&revision=1877435

> LDAP login may fail if a server or intermediate silently drops connections
> --------------------------------------------------------------------------
>
>                 Key: OAK-8890
>                 URL: https://issues.apache.org/jira/browse/OAK-8890
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-ldap
>            Reporter: Manfred Baedke
>            Assignee: Manfred Baedke
>            Priority: Major
>             Fix For: 1.28.0
>
>         Attachments: OAK-8890.patch
>
>
> This has been seen on production systems with Oak 1.10.2, where a firewall was configured to drop idle connections after a timeout without sending an RST (for security reasons). When this happens, the connection pool used by the LdapPrincipalProvider will still consider these connections healthy. Eventually such a connection will be used for an actual LDAP BIND/SEARCH, which will simply time out.
> The connection pool is an instance of org.apache.commons.pool.impl.GenericObjectPool, which has configuration options to deal with the scenario (namely running an eviction task which will properly close idle connections after a timeout which is shorter than the timeout interval used by the firewall).
> The creation of the connection pool used is hard-coded and most of the configuration options are not available.
> I propose to change that. I'll supply a patch soon.



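The eviction setup the issue description refers to, as an added example that is not part of the original message, the attached patch, or Oak's code. It uses the commons-pool 1.6 `GenericObjectPool` setters; `Conn`, `ConnFactory` and the 3-second firewall timeout are constructed stand-ins so the behaviour can be observed without an LDAP server.

```java
import org.apache.commons.pool.BasePoolableObjectFactory;
import org.apache.commons.pool.impl.GenericObjectPool;

public class EvictIdleConnections {
    // Constructed stand-in for a pooled LDAP connection (hypothetical, not Oak's class).
    static final class Conn {
        final int id;
        volatile boolean open = true;
        Conn(int id) { this.id = id; }
    }

    // Hypothetical factory; a real one would bind on create and unbind/close on destroy.
    static final class ConnFactory extends BasePoolableObjectFactory<Conn> {
        private int next = 0;
        @Override public synchronized Conn makeObject() { return new Conn(++next); }
        @Override public void destroyObject(Conn c) { c.open = false; }
        @Override public boolean validateObject(Conn c) { return c.open; }
    }

    public static void main(String[] args) throws Exception {
        long firewallIdleTimeoutMs = 3000; // assumed value, shortened for the demo

        GenericObjectPool<Conn> pool = new GenericObjectPool<Conn>(new ConnFactory());
        // Close connections that have been idle for well under the firewall timeout.
        pool.setMinEvictableIdleTimeMillis(firewallIdleTimeoutMs / 3);
        // The evictor is off by default (-1); it must run more often than the idle limit.
        pool.setTimeBetweenEvictionRunsMillis(firewallIdleTimeoutMs / 6);
        // A negative value examines ceil(numIdle / abs(n)) objects, so -1 checks every idle one.
        pool.setNumTestsPerEvictionRun(-1);
        // Second line of defence: validate before handing a connection to the caller.
        pool.setTestOnBorrow(true);

        Conn first = pool.borrowObject();
        pool.returnObject(first);

        // Idle longer than the eviction threshold but shorter than the firewall timeout.
        Thread.sleep(firewallIdleTimeoutMs * 2 / 3);

        Conn second = pool.borrowObject();
        System.out.println("first connection closed by evictor: " + !first.open);
        System.out.println("new connection handed out: " + (second.id != first.id));

        pool.returnObject(second);
        pool.close(); // also stops the eviction task
    }
}
```

With the evictor left at its default (disabled), `first` would be handed out again after the sleep, which is the stale-connection case the reporter describes.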