Posted to users@tomcat.apache.org by Hisham Farahat <hi...@gmail.com> on 2008/10/29 07:56:39 UTC

Tomcat 6.0 problems with LDAP ( connection gets blocked for 10 min)

Dear All,
I have stated this problem before, but maybe it was not clear. I will now state
it again, hopefully more clearly.

I have a Tomcat 6.0 server running on Windows Server 2003; it needs to
authenticate users using a JNDI realm which connects to an LDAP server
(Active Directory running on a different machine).
The realm configuration in server.xml is as follows:
==============================================================
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
      xmlValidation="false" xmlNamespaceAware="false">
  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
         connectionURL="ldap://name.com:389/"
         connectionName="CN=tomcat,CN=Users,DC=name,DC=com"
         connectionPassword="**************"
         alternateURL="ldap://ip:389/"
         userSubtree="true" referrals="follow"
         userSearch="(| (mailNickname={0}) (givenName={0}) )"
         userBase="DC=name,DC=com"
         roleBase="CN=Users,DC=name,DC=com" roleName="description"
         roleSearch="member={0}" roleSubtree="true"
         allRolesMode="AuthOnly" />
</Host>
==============================================================

The problem is that when I try to log in with my AD account, sometimes (around
40% of the time) I get a login error, and it continues in this state for
10 minutes (no user can log in during this period). Even the manager and admin
accounts that are used to log in to the manager webapp are not allowed to log in.
How can I solve this problem? It is so annoying :(

Some points:
1- The log of the error is:
==================
Oct 29, 2008 8:30:12 AM org.apache.catalina.core.ApplicationDispatcher doForward
FINE:  Disabling the response for futher output
Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(Unknown Source)
    at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1097)
    at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:992)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:941)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:810)
    at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]
    at com.sun.jndi.ldap.LdapReferralContext.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapReferralException.getReferralContext(Unknown Source)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
    ... 20 more
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.PlainSocketImpl.doConnect(Unknown Source)
    at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at java.net.Socket.<init>(Unknown Source)
    at java.net.Socket.<init>(Unknown Source)
    at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
    at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(Unknown Source)
    at javax.naming.spi.NamingManager.getURLObject(Unknown Source)
    at javax.naming.spi.NamingManager.processURL(Unknown Source)
    at javax.naming.spi.NamingManager.processURLAddrs(Unknown Source)
    at javax.naming.spi.NamingManager.getObjectInstance(Unknown Source)
    ... 23 more
Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm close
FINE: Closing directory context
Oct 29, 2008 8:30:15 AM org.apache.catalina.core.ApplicationDispatcher doForward
FINE:  Disabling the response for futher output

==================

2- Rebooting the machine will solve the problem.
3- Restarting Tomcat won't affect anything.
4- I can connect to the LDAP server using Softerra LDAP Administrator during
the 10 blocking minutes.
5- The system admin checked the log of the AD and there is nothing there.
6- I have tried to put the realm configuration under context.xml, and
the same thing happens.
7- Most probably, when I leave the session to expire (5 min) and try to
log in again afterwards, it gets blocked.

Please help me with this issue, I need it working correctly ASAP.

P.S. Thanks to everyone who has helped and will help me with this issue.
Regards,
-- 
Hisham Farahat
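The stack trace above fails inside hasMore(), which is where the JDK LDAP provider chases referrals that Active Directory returns alongside the real search results when the search base is the domain root and referrals="follow" is set. The probe below is an added example, not code from the thread or from Tomcat: it repeats the user lookup that JNDIRealm performs for the posted configuration (bind as the service account, then run the userSearch filter below userBase with subtree scope), lets you switch between referral "follow" and "ignore", and puts connect/read timeouts on the context so an unreachable referral target cannot stall the calling thread. The URL, bind DN, base and filter are the placeholders from the post; the LDAP_BIND_PASSWORD environment variable, the class name and the 5-second timeout are my assumptions. The com.sun.jndi.ldap.connect.timeout and com.sun.jndi.ldap.read.timeout keys are real JDK LDAP provider properties.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Hypothetical stand-alone diagnostic (not Tomcat code) that repeats the user
 * lookup JNDIRealm performs for the configuration in the post.
 *
 *   javac RealmSearchProbe.java
 *   LDAP_BIND_PASSWORD=... java RealmSearchProbe <username> [follow|ignore]
 */
public class RealmSearchProbe {

    // Placeholders taken from the posted server.xml; replace with your own values.
    static final String CONNECTION_URL  = "ldap://name.com:389/";
    static final String CONNECTION_NAME = "CN=tomcat,CN=Users,DC=name,DC=com";
    static final String USER_BASE       = "DC=name,DC=com";
    static final String USER_SEARCH     = "(|(mailNickname={0})(givenName={0}))";
    // Assumption: the service-account password is supplied through this variable.
    static final String CONNECTION_PASSWORD = System.getenv("LDAP_BIND_PASSWORD");

    /** RFC 4515 escaping so the username cannot change the structure of the filter. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Substitute {0} the way the realm's userSearch does, with the value escaped. */
    static String buildFilter(String username) {
        return USER_SEARCH.replace("{0}", escapeFilterValue(username));
    }

    /** Open a context equivalent to the realm's connection, with bounded timeouts. */
    static DirContext open(String referralMode, int timeoutMs) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, CONNECTION_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, CONNECTION_NAME);
        env.put(Context.SECURITY_CREDENTIALS, CONNECTION_PASSWORD);
        env.put(Context.REFERRAL, referralMode); // "follow" (as in the post) or "ignore"
        // A referral to a host that does not answer would otherwise block the caller
        // for the OS connect timeout; the posted realm sets no such bound.
        env.put("com.sun.jndi.ldap.connect.timeout", Integer.toString(timeoutMs));
        env.put("com.sun.jndi.ldap.read.timeout", Integer.toString(timeoutMs));
        return new InitialDirContext(env);
    }

    static Throwable rootCause(Throwable t) {
        while (t.getCause() != null) t = t.getCause();
        return t;
    }

    public static void main(String[] args) throws NamingException {
        if (args.length < 1 || CONNECTION_PASSWORD == null) {
            System.err.println("usage: LDAP_BIND_PASSWORD=... java RealmSearchProbe <username> [follow|ignore]");
            System.exit(2);
        }
        String referralMode = args.length > 1 ? args[1] : "follow";
        String filter = buildFilter(args[0]);
        System.out.println("base=" + USER_BASE + " filter=" + filter + " referral=" + referralMode);

        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"distinguishedName"});

        DirContext ctx = open(referralMode, 5000);
        try {
            NamingEnumeration<SearchResult> results = ctx.search(USER_BASE, filter, controls);
            int matches = 0;
            try {
                // The posted trace fails in hasMore(): that is where the JDK connects to
                // the hosts named in referrals returned together with the real entries.
                while (results.hasMore()) {
                    System.out.println("match: " + results.next().getNameInNamespace());
                    matches++;
                }
            } catch (PartialResultException e) {
                System.out.println("referral could not be followed: " + rootCause(e));
            }
            System.out.println(matches + " entries returned by " + CONNECTION_URL);
        } finally {
            ctx.close();
        }
    }
}
```

If the same username is found with referral set to "ignore" but the run with "follow" reports a PartialResultException whose root cause is a ConnectException, the entry itself is being returned by the server in connectionURL and the failure comes from the JDK trying to reach a host named in a referral. That separates "the directory is unreachable" from "a referral target is unreachable", which the single SEVERE line in catalina.out does not.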

Re: Tomcat 6.0 problems with LDAP ( connection gets blocked for 10 min)

Posted by Rainer Jung <ra...@kippdata.de>.
Hisham Farahat wrote:
> Dear All,
> I have stated this problem before, but maybe it was not clear. I will now state
> it again, hopefully more clearly.
> 
> I have a Tomcat 6.0 server running on Windows Server 2003; it needs to
> authenticate users using a JNDI realm which connects to an LDAP server
> (Active Directory running on a different machine).
> The realm configuration in server.xml is as follows:
> ==============================================================
> <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
>       xmlValidation="false" xmlNamespaceAware="false">
>   <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>          connectionURL="ldap://name.com:389/"
>          connectionName="CN=tomcat,CN=Users,DC=name,DC=com"
>          connectionPassword="**************"
>          alternateURL="ldap://ip:389/"
>          userSubtree="true" referrals="follow"
>          userSearch="(| (mailNickname={0}) (givenName={0}) )"
>          userBase="DC=name,DC=com"
>          roleBase="CN=Users,DC=name,DC=com" roleName="description"
>          roleSearch="member={0}" roleSubtree="true"
>          allRolesMode="AuthOnly" />
> </Host>
> ==============================================================
> 
> The problem is that when I try to log in with my AD account, sometimes (around
> 40% of the time) I get a login error, and it continues in this state for
> 10 minutes (no user can log in during this period). Even the manager and admin
> accounts that are used to log in to the manager webapp are not allowed to log in.
> How can I solve this problem? It is so annoying :(
> 
> Some points:
> 1- The log of the error is:
> ==================
> Oct 29, 2008 8:30:12 AM org.apache.catalina.core.ApplicationDispatcher doForward
> FINE:  Disabling the response for futher output
> Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm authenticate
> SEVERE: Exception performing authentication
> javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: name.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
>     at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
>     at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
>     at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
>     at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
>     at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
>     at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(Unknown Source)
>     at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1097)

I have some Realm improvements related to Active Directory in the
working queue, likely to be worked on at ApacheCon next week. Those
changes are also related to handling PartialResultExceptions. If no one
else responds and has a solution or workaround for you, bug me again
next week.

Regards,

Rainer

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org