Too many LDAP connections with 6.0.5


n99

Oct 31, 2019, 10:12:04 AM
to CAS Community
Hi

We are seeing issues with CAS 6.0.5 running against our OpenLDAP, where too many connections are being made to LDAP.

We have the following settings.

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].poolPassivator=NONE
cas.authn.ldap[0].baseDn=[BASE_DN]
cas.authn.ldap[0].searchFilter=[FILTER]
cas.authn.ldap[0].bindDn=[LDAP_BIND_USER]
cas.authn.ldap[0].bindCredential=[LDAP_BIND_CREDENTIAL]
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].ldapUrl=[CAS_AUTHN_LDAP_LDAPURL]
cas.monitor.ldap.ldapUrl=[CAS_AUTHN_LDAP_LDAPURL]
cas.monitor.ldap.useSsl=false
cas.monitor.ldap.poolPassivator=NONE

Also I guess

minPoolSize=3
maxPoolSize=10

are on by default.

Using netstat to monitor the ESTABLISHED connections to our LDAP, I can see that CAS starts up with 18 connections that are then pruned down to 9. These remain after the periodic "validate task" process.

I can then see each login creates a new connection to LDAP, even if I login/logout as the same user each time in my browser.

I increased the number of connections, testing this simple way, to 55 connections before stopping.

I could see that these ESTABLISHED connections dropped away over time and eventually, after a few periodic "validate task" scheduled processes, I got back down to 9 connections and 3 pools.

I was wondering what behaviour I am seeing here? Why are there 3 connection pools sitting dormant? Is there anything to limit the number of connection pools and thus connections being created? Why do I see no apparent ldap connection re-use?

Am I misunderstanding expected behaviour or have things configured incorrectly?

We've not really changed default settings. (Although I did add poolPassivator=NONE which changed it from the default value of BIND, I believe. Under BIND, I was seeing 4 new connections being created per login!)

I can post more info on our OpenLDAP if that would be useful?

Many thanks for any advice.

cheers
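
The connection counting the poster did by hand with netstat, as an added example that is not part of the thread or of CAS itself. It counts ESTABLISHED TCP sessions to a given LDAP host:port from `netstat -ant` output and classifies the count against the pool bounds. The host/port (10.0.0.5:389), the netstat rows, and the assumption of 3 pools each bounded by minPoolSize=3 and maxPoolSize=10 are all constructed for the example; 3 pools x minPoolSize 3 happens to match the "9 connections and 3 pools" the poster observed after pruning, and 3 pools x maxPoolSize 10 is the ceiling the 55 connections he reached should never have passed if connections were being reused.

```shell
#!/bin/sh
# Added example (not from the thread or the CAS project): count ESTABLISHED
# sessions from a CAS node to its LDAP server and compare them with the
# connection-pool bounds that should cap them.

# Assumed LDAP endpoint; override with LDAP_HOST_PORT=host:port.
LDAP_HOST_PORT="${LDAP_HOST_PORT:-10.0.0.5:389}"

# Constructed sample of `netstat -ant` output (not a real capture).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.7:48210          10.0.0.5:389            ESTABLISHED
tcp        0      0 10.0.0.7:48212          10.0.0.5:389            ESTABLISHED
tcp        0      0 10.0.0.7:48214          10.0.0.5:389            TIME_WAIT
tcp        0      0 10.0.0.7:48216          10.0.0.5:389            ESTABLISHED
tcp        0      0 10.0.0.7:51000          10.0.0.9:443            ESTABLISHED
tcp        0      0 10.0.0.7:8443           0.0.0.0:*               LISTEN'

# count_established <host:port> [file]
# Number of rows whose foreign address is exactly <host:port> and whose state
# is ESTABLISHED (netstat -ant columns: proto recv-q send-q local foreign state).
# Reads stdin when no file is given.
count_established() {
    awk -v t="$1" '$5 == t && $6 == "ESTABLISHED" { n++ } END { print n+0 }' "${2:--}"
}

# pool_verdict <count> <pools> <minPoolSize> <maxPoolSize>
# Idle floor is pools*min (what the validate task prunes back to); hard
# ceiling is pools*max. Anything above the ceiling means connections are
# being opened outside the pools, i.e. not reused.
pool_verdict() {
    count=$1; pools=$2; min=$3; max=$4
    floor=$((pools * min)); ceiling=$((pools * max))
    if [ "$count" -gt "$ceiling" ]; then
        echo "LEAK: $count established > $ceiling (pools=$pools x maxPoolSize=$max)"
    elif [ "$count" -lt "$floor" ]; then
        echo "LOW: $count established < $floor idle floor"
    else
        echo "OK: $count established within [$floor, $ceiling]"
    fi
}

# watch_ldap <host:port> <interval-seconds> <samples>
# Live version of what the poster did: one timestamped count per interval
# while logging in and out, so per-login growth and later pruning are visible.
watch_ldap() {
    i=0
    while [ "$i" -lt "$3" ]; do
        printf '%s %s\n' "$(date +%H:%M:%S)" "$(netstat -ant 2>/dev/null | count_established "$1")"
        i=$((i + 1)); sleep "$2"
    done
}

# Run directly: evaluate the constructed sample against 3 pools of 3..10.
n=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_established "$LDAP_HOST_PORT")
pool_verdict "$n" 3 3 10
```

For a live check, call `watch_ldap 10.0.0.5:389 5 60` on the CAS host and feed the steady-state reading to `pool_verdict`; the TIME_WAIT row in the sample shows why the state column is filtered, since half-closed sockets would otherwise inflate the count.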



n99

Nov 6, 2019, 9:16:20 AM
to CAS Community
For anyone else who finds themselves scratching their head over this....

cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider


is the magic setting if you are using OpenJDK 9/11/12/13.


and 

"The JNDI provider is broken in Java version 9 and later. It is recommend that you use the UnboundID provider with newer versions of Java and ldaptive v1.x" at https://www.ldaptive.org/v1/ (not easy to find on the ldaptive site) 

finally got us there.

Shame this is not highlighted as an issue in the CAS 6.0.x docs, esp. as the fix with JDK 14 is not out until next year!
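
A check for the fix described above, as an added example that is not part of the thread or of CAS: it lints a cas.properties file for every LDAP section (anything with a `.ldapUrl` key) that does not pin `providerClass` to the UnboundID provider, appends the line where it is missing, and flags whether the running Java is 9 or later, the range the ldaptive note quoted above is about. The sample properties are constructed from the poster's settings with placeholder values; the assumption that `cas.monitor.ldap.*` accepts `providerClass` the same way `cas.authn.ldap[0].*` does should be verified against your CAS version's property reference. Note the caveat in the next reply that the same growth was seen on Java 8 with 5.2.x, so the Java-version test is a hint, not a proof that you are unaffected.

```shell
#!/bin/sh
# Added example (not from the thread or the CAS project): find LDAP sections
# in cas.properties still on ldaptive's default (JNDI) provider and add the
# UnboundID providerClass the thread identifies as the fix.

UNBOUNDID=org.ldaptive.provider.unboundid.UnboundIDProvider

# Constructed sample: the poster's layout with placeholder values, fix applied
# to ldap[0] only. (Assumption: cas.monitor.ldap.* also takes providerClass.)
SAMPLE_PROPERTIES='cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://ldap.example.org:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=dc=example,dc=org
cas.authn.ldap[0].searchFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=cas,dc=example,dc=org
cas.authn.ldap[0].bindCredential=REPLACE_ME
cas.authn.ldap[0].poolPassivator=NONE
cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.monitor.ldap.ldapUrl=ldap://ldap.example.org:389
cas.monitor.ldap.useSsl=false
cas.monitor.ldap.poolPassivator=NONE'

SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_PROPERTIES" > "$SAMPLE_FILE"

# ldap_prefixes <file>
# Distinct property prefixes that configure an LDAP connection, found by the
# .ldapUrl key, e.g. "cas.authn.ldap[0]" and "cas.monitor.ldap".
ldap_prefixes() {
    sed -n 's/^\([^=#][^=]*\)\.ldapUrl=.*/\1/p' "$1" | sort -u
}

# missing_provider <file>
# Prints each prefix lacking "<prefix>.providerClass=<UnboundID>" as a whole
# line (grep -Fx, so [0] and dots are literal). Exit 0 if none are missing.
missing_provider() {
    out=$(ldap_prefixes "$1" | while read -r p; do
        grep -Fxq "${p}.providerClass=${UNBOUNDID}" "$1" || echo "$p"
    done)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# fix_missing <file>
# Appends the providerClass line for every prefix reported by missing_provider.
fix_missing() {
    missing_provider "$1" | while read -r p; do
        printf '%s.providerClass=%s\n' "$p" "$UNBOUNDID" >> "$1"
    done
}

# java_needs_fix <version-string>
# True for feature version 9 or later ("11.0.4", "13"); false for "1.8.0_222".
java_needs_fix() {
    case "$1" in
        1.*) major=$(printf '%s' "$1" | cut -d. -f2) ;;
        *)   major=${1%%.*} ;;
    esac
    [ "$major" -ge 9 ]
}

# Run directly: lint the sample, or a real cas.properties given as $1.
TARGET="${1:-$SAMPLE_FILE}"
missing_provider "$TARGET" || echo "^ prefixes above still use the default provider; run fix_missing $TARGET"
```

Run it against the real file (`sh lint.sh /etc/cas/config/cas.properties`) and compare with `java -version` on the CAS host; the `{user}` placeholder in the sample filter is CAS's own substitution token and is left untouched by the lint, which only reads keys.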

Trenton D. Adams

Nov 7, 2019, 1:07:47 PM
to cas-...@apereo.org

This is also happening on Java 8 and 5.2.x. I'll have to look into whether that's valid for 5.2.x.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/bdb832b9-0fd1-4987-9a61-9d61719a8422%40apereo.org.
-- 
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Applications Unit - ITS
Athabasca University
(780) 675-6195

It is only when you are surrounded by a supportive team, that you can achieve 
your best.  Instead of tearing people down, try building them up!

Vincent L.

Apr 3, 2020, 4:23:16 AM
to CAS Community, tre...@athabascau.ca
thank you!!!!!!!!! thank you!!!!!!!!!!!!!!!!!!!!!!!!!

Francisco Castel-Branco

Apr 21, 2020, 6:08:29 AM
to cas-...@apereo.org
I had a similar problem with OpenLDAP and AD. Only one of them could be resolved with that tweak; the other would open connections until it reached Linux's open-files-per-process limit (which I didn't know even existed!).

The only way I could solve that problem was by using the Docker container. I don't have a clue why that works...



--
Francisco Castel-Branco