[cas-user] Intermittent LDAP Connection Reset


Tadeusz Sacilowski
Apr 21, 2015, 10:52:39 PM
to cas-...@lists.jasig.org
Hello,

We are in the process of updating our CAS to version 3.5.3 using an LDAP (not LDAPS at the moment) for attributes. The current setup is two CAS nodes behind an f5 LTM for load balancing, using the Ehcache distributed ticket registry. All seems to be working ok for the most part except that we get the following intermittent login error:

org.springframework.ldap.CommunicationException: Connection reset; nested exception is javax.naming.CommunicationException: Connection reset [Root exception is java.net.SocketException: Connection reset]; remaining name 'ou=People,o=cp'

Here are the first several lines from the trace in the CAS log:

ERROR [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler threw error authenticating [username: teststudent]
org.springframework.ldap.CommunicationException: Connection reset; nested exception is javax.naming.CommunicationException: Connection reset [Root exception is java.net.SocketException: Connection reset]; remaining name 'ou=People,o=cp'
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:100)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:318)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:360)
at org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler.authenticateUsernamePasswordInternal(BindLdapAuthenticationHandler.java:90)
at org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.doAuthentication(AbstractUsernamePasswordAuthenticationHandler.java:71)
at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:85)

I've seen some related posts here but haven't found any documented resolutions. Any suggestions on how to troubleshoot this?

Thank you,
Teddy
--
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

Perrin Jr, David
Apr 22, 2015, 9:20:35 AM
to cas-...@lists.jasig.org
Hi Teddy,

Frustrated by similar timeout messages, I cobbled together a one-page web app running on a CAS server that shows speedometer-like gauges indicating how long it takes to bind and search the directory services used by CAS. I use it to help isolate connectivity problems: if our directory systems are under load, a gauge will typically report longer than normal bind and search times; if there is a freak networking anomaly, the app will show a timeout.

If you haven't already, you might take a look at the com.sun.jndi.ldap read and bind timeout values in your cas.properties file to see if they are at a level that is reasonable for your systems and acceptable for your users. Another thought is to bump up the log level from INFO to DEBUG for a time and see if any patterns jump out.

My experience is limited to just a few years, and the only time a CommunicationException could be credited to the CAS app or a CAS server was when the read and bind timeout values were set too low. Almost always the cause is connectivity to a directory or an overloaded directory system.


Good luck!

Dave
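A minimal stand-alone version of the kind of probe Dave describes, added here as an illustration and not Dave's gauge app or CAS code: it performs the same two JNDI operations CAS's BindLdapAuthenticationHandler performs (simple bind, then subtree search) with the com.sun.jndi.ldap connect and read timeouts set explicitly, times each, and reports whether a failure was a timeout or an immediate reset. The URL, bind DN, password variable and probe user are constructed placeholders; the search base is the 'remaining name' from Teddy's exception.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Times one JNDI bind and one subtree search against the directory CAS authenticates to. */
public class LdapLatencyProbe {
    // Constructed values: replace with your directory host, a low-privilege probe account and base.
    static final String URL = "ldap://ldap.example.edu:389";
    static final String BIND_DN = "cn=cas-probe,ou=Service,o=cp";
    static final String BIND_PW = System.getenv("PROBE_PW");   // never hard-code the credential
    static final String BASE = "ou=People,o=cp";                // base named in the exception

    public static void main(String[] args) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        // The JNDI timeouts Dave refers to (milliseconds); CAS sets these from cas.properties.
        env.put("com.sun.jndi.ldap.connect.timeout", "3000"); // TCP connect + bind handshake
        env.put("com.sun.jndi.ldap.read.timeout", "5000");    // wait for any single LDAP response

        long t0 = System.nanoTime();
        InitialDirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);                   // connect and simple bind
            long bindMs = (System.nanoTime() - t0) / 1_000_000;
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"uid"});
            long t1 = System.nanoTime();
            NamingEnumeration<SearchResult> r = ctx.search(BASE, "(uid=teststudent)", sc);
            int hits = 0;
            while (r.hasMore()) { r.next(); hits++; }
            long searchMs = (System.nanoTime() - t1) / 1_000_000;
            System.out.printf("OK bind=%dms search=%dms hits=%d%n", bindMs, searchMs, hits);
        } catch (CommunicationException e) {
            // A failure at roughly the configured timeout points at a slow or overloaded directory;
            // a 'Connection reset' well before it points at the network path (load balancer, firewall).
            long ms = (System.nanoTime() - t0) / 1_000_000;
            System.out.printf("COMMUNICATION FAILURE after %dms: %s%n", ms, e.getMessage());
        } catch (NamingException e) {
            System.out.println("LDAP error: " + e);
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
    }
}
```

Run it in a loop from each CAS node (and, if possible, from the F5's own subnet) so that the reset's timing relative to the configured timeouts and its correlation with one node or one backend become visible.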

Christopher Myers
Apr 22, 2015, 9:58:27 AM
to cas-...@lists.jasig.org
Out of curiosity, have you tried to Wireshark the LDAP connection to see what the servers are saying?

Or, if you're lucky enough to be pointing against eDirectory, an ndstrace on the LDAP server will provide a lot of details about what it's doing and seeing as well.
