ambari-issues mailing list archives

From "David F. Quiroga (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-22642) LDAPS sync Connection Refused
Date Wed, 13 Dec 2017 14:38:00 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-22642?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David F. Quiroga updated AMBARI-22642:
--------------------------------------
    Attachment:     (was: ambari-env.patch)

> LDAPS sync Connection Refused 
> ------------------------------
>
>                 Key: AMBARI-22642
>                 URL: https://issues.apache.org/jira/browse/AMBARI-22642
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.5.0
>         Environment: java version "1.8.0_121"
> Java(TM) SE Runtime Environment (build 1.8.0_121-tdc1-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
> AD Domain Controllers 
> LDAP v.3
> 2012 R2 OS 
>            Reporter: David F. Quiroga
>            Priority: Minor
>              Labels: easyfix, patch
>         Attachments: ambari-22642.patch
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Ambari server configured to use "secure" ldap authentication. 
> authentication.ldap.primaryUrl=********:636
> authentication.ldap.useSSL=true
> We call the ldap_sync_events REST endpoint frequently to synchronize existing groups and a specific list of groups. We had no issues with this until mid-October, at which point we began to see:
> {code}
>     "status" : "ERROR",
>     "status_detail" : "Caught exception running LDAP sync. simple bind failed: **********:636; nested exception is javax.naming.CommunicationException: simple bind failed: **********:636 [Root exception is java.net.SocketException: Connection reset]",
> {code}
> Troubleshooting: 
> * We saw random success and failure when attempting to sync a single group. 
> * With useSSL=false and an updated port ldap sync was consistently successful.
> Cause:
> * By default, ldap connection only uses pooled connections when connecting to a directory server over LDAP. Enabling SSL causes it to disable the pooling, resulting in poorer performance and failures due to connection resets.
> * Around mid-October we increased the number of groups defined on the system (50+); this pushed us outside the "safe zone".
> Fix:
> Enable SSL connection pooling by adding the below argument to startup options.
> -Dcom.sun.jndi.ldap.connect.pool.protocol='plain ssl'
> Reference: 
> [https://confluence.atlassian.com/jirakb/connecting-jira-to-active-directory-over-ldaps-fails-with-connection-reset-763004137.htm]
> [https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html]
>   



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
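
An added example, not part of the JIRA issue or of Ambari's code: a Python check that tokenizes a JVM option string the way a POSIX shell would and reports whether the `com.sun.jndi.ldap.connect.pool.protocol` property from the Fix above actually includes `ssl`. The sample option strings are constructed, and the function name and status strings are hypothetical.

```python
import shlex

# The system property named in the issue's Fix section.
PROP = "-Dcom.sun.jndi.ldap.connect.pool.protocol="


def pool_protocol_status(jvm_args: str) -> str:
    """Classify a JVM option string after shell-style tokenization.

    Returns one of (hypothetical labels):
      "ok"         - the property is set and its list includes ssl
      "missing"    - the property is absent; JNDI then pools only "plain"
      "split"      - the value was not quoted, so "ssl" became a stray argument
      "plain-only" - the property is set but does not list ssl
    """
    tokens = shlex.split(jvm_args)  # honours '...' and "..." like a POSIX shell
    hits = [i for i, t in enumerate(tokens) if t.startswith(PROP)]
    if not hits:
        return "missing"
    i = hits[-1]  # assumption: a later -D for the same key overrides an earlier one
    protocols = tokens[i][len(PROP):].split()  # value is a space-separated list
    if "ssl" in protocols:
        return "ok"
    # Without quotes the shell splits 'plain ssl' into two words; the JVM then
    # receives protocol=plain followed by a separate argument "ssl".
    if i + 1 < len(tokens) and tokens[i + 1] == "ssl":
        return "split"
    return "plain-only"


# Constructed sample option strings (not taken from a real Ambari install).
SAMPLES = {
    "quoted": "-Xms512m -Xmx2048m " + PROP + "'plain ssl'",
    "unquoted": "-Xms512m " + PROP + "plain ssl",
    "absent": "-Xms512m -Xmx2048m",
    "plain": "-Xms512m " + PROP + "plain",
}

if __name__ == "__main__":
    for label, args in SAMPLES.items():
        print(f"{label:9s} -> {pool_protocol_status(args)}")
```

The "split" case is why the argument in the issue is written with quotes around `plain ssl`.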
