cloudstack-dev mailing list archives

From ilya <ilya.mailing.li...@gmail.com>
Subject Re: LDAP auth failures
Date Tue, 08 Mar 2016 21:49:43 GMT
I could not get LDAP to work in 4.5.x either; I could get it to work in 4.3.

I also get no stacktrace as to what could be wrong.

On 3/3/16 4:53 AM, Rene Moser wrote:
> We are experiencing authentication issues with LDAP since the upgrade to 4.5.1.
> 
> After some time (...), users cannot authenticate anymore; however,
> authentication in other services using ldap works during this time. The
> issue seems to be related only to the cloudstack login.
> 
> We haven't found the root cause yet; a network setup issue or openldap
> config issue cannot be excluded.
> 
> Stacktrace:
> 
> 2016-02-29 10:05:36,375 DEBUG [cloudstack.ldap.LdapContextFactory] (catalina-exec-4:ctx-9ffa7c60) initializing ldap with provider url: ldap://ldap.example.com:389
> 2016-02-29 10:05:42,382 DEBUG [cloudstack.ldap.LdapManagerImpl] (catalina-exec-4:ctx-9ffa7c60) ldap Exception:
> javax.naming.NamingException: LDAP response read timed out, timeout used:6000ms.; remaining name 'dc=foo,dc=bar'
> 	at com.sun.jndi.ldap.Connection.readReply(Connection.java:485)
> 	at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:639)
> 	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:562)
> 	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
> 	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
> 	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
> 	at org.apache.cloudstack.ldap.LdapUserManager.searchUsers(LdapUserManager.java:206)
> 	at org.apache.cloudstack.ldap.LdapUserManager.getUser(LdapUserManager.java:122)
> 	at org.apache.cloudstack.ldap.LdapManagerImpl.getUser(LdapManagerImpl.java:173)
> 	at org.apache.cloudstack.ldap.LdapManagerImpl.canAuthenticate(LdapManagerImpl.java:97)
> 	at org.apache.cloudstack.ldap.LdapAuthenticator.authenticate(LdapAuthenticator.java:61)
> 2016-02-29 10:05:42,383 DEBUG [cloudstack.ldap.LdapManagerImpl] (catalina-exec-4:ctx-9ffa7c60) Exception while doing an LDAP bind for user  johndoe
> org.apache.cloudstack.ldap.NoLdapUserMatchingQueryException: No users matching: No Ldap User found for username: johndoe
> 
> As I understand it, there is a username lookup (bind with top reader
> credentials) to see if a user exists in the ldap. If found, a new
> connection will be established for auth. In the above stacktrace it seems
> that the username lookup fails.
> 
> Further, what we see on the ACS management server, however, is that LDAP
> connections are never closed.
> 
> For _every_ successful auth, the tcp connection remains established forever.
> 
> In my understanding of
> http://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
> these connections will become idle after successful authentication and
> reused for new authentication.
> 
> However, the reuse for the auth doesn't seem to work. _Every_ new
> successful auth of a user _creates_ a new ldap connection. We don't know
> if this is related to our problem, but at least it doesn't look like a
> wanted behavior.
> 
> In the docs we read: "By default, idle connections remain in the pool
> indefinitely until they are garbage-collected"
> 
> But as said, they never seem to be gc-ed. We added
> -Dcom.sun.jndi.ldap.connect.pool.timeout=60000 to
> /etc/cloudstack/management/tomcat6.conf, which resulted in the
> connections being gc-ed, and we haven't had any report about missing
> logins since then.
> 
> Has anyone also seen such an issue? Any thoughts?
> 
> René
> 

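For readers following the "lookup with reader credentials, then bind as the user" flow and the JNDI pooling behaviour discussed in the thread, here is an added, self-contained illustration of how those pieces fit together in plain JNDI. It is example code written for this page, not CloudStack's LdapManagerImpl or LdapUserManager; the class name, the reader DN, the passwords and the timeout values are all made-up (the provider URL and base DN are the ones that appear in the quoted log), and the only JNDI property names used are the standard `com.sun.jndi.ldap.*` ones.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Hypothetical "lookup, then bind" LDAP authenticator (example only, not CloudStack's code). */
public class PooledLdapAuthExample {

    private static final String PROVIDER_URL = "ldap://ldap.example.com:389"; // value from the thread's log
    private static final String BASE_DN = "dc=foo,dc=bar";                     // value from the thread's log

    /** Environment shared by every context: pooling plus client-side timeouts. */
    private static Hashtable<String, Object> baseEnv() {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // Ask the JNDI LDAP provider to pool this context's connection.
        env.put("com.sun.jndi.ldap.connect.pool", "true");
        // Client-side timeouts in milliseconds (constructed values). read.timeout is the
        // setting behind "LDAP response read timed out, timeout used:6000ms" in the log.
        env.put("com.sun.jndi.ldap.connect.timeout", "3000");
        env.put("com.sun.jndi.ldap.read.timeout", "6000");
        return env;
    }

    /** Step 1: bind with the reader account and look up the user's DN. Returns null if absent. */
    static String findUserDn(String readerDn, String readerPassword, String username)
            throws NamingException {
        Hashtable<String, Object> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, readerDn);
        env.put(Context.SECURITY_CREDENTIALS, readerPassword);

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(new String[0]); // an empty array means: return no attributes
            ctls.setTimeLimit(5000);                    // server-side limit, distinct from read.timeout
            // {0} is substituted by JNDI with filter escaping applied, so a username
            // such as "*)(uid=*" cannot change the meaning of the filter.
            NamingEnumeration<SearchResult> results =
                    ctx.search(BASE_DN, "(uid={0})", new Object[] { username }, ctls);
            try {
                if (!results.hasMore()) {
                    return null;
                }
                return results.next().getNameInNamespace();
            } finally {
                results.close();
            }
        } finally {
            // close() hands a pooled connection back to the pool; without it the
            // connection stays checked out and open.
            ctx.close();
        }
    }

    /** Step 2: bind as the user to verify the password. */
    static boolean bindAsUser(String userDn, String password) {
        if (password == null || password.isEmpty()) {
            // A DN with an empty password is an "unauthenticated bind" (RFC 4513 5.1.2),
            // which many servers accept as anonymous; never treat that as a login.
            return false;
        }
        Hashtable<String, Object> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null); // the bind happens here
            return true;
        } catch (NamingException e) {
            return false; // invalid credentials, timeout, or server unreachable
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        // Pool housekeeping is configured through JVM system properties, which is why the
        // thread set it in tomcat6.conf; setting them here before the first context is equivalent.
        System.setProperty("com.sun.jndi.ldap.connect.pool.timeout", "60000"); // idle ms before close
        System.setProperty("com.sun.jndi.ldap.connect.pool.maxsize", "10");    // per connection identity
        String dn = findUserDn("cn=reader,dc=foo,dc=bar", "reader-password", "johndoe"); // made-up reader
        System.out.println(dn == null ? "no such user"
                : (bindAsUser(dn, "user-password") ? "ok" : "bad password"));
    }
}
```

Two details of the JNDI pool explain what the thread observed. First, a pool entry is keyed on the connection identity, which includes the bind principal and credentials, so the step-2 bind for each distinct user gets its own connection rather than reusing the reader's; per-user binds therefore always look like "a new connection per successful auth". Second, nothing in the provider closes idle pooled connections unless `com.sun.jndi.ldap.connect.pool.timeout` is set, which matches the "indefinitely until garbage-collected" wording in the Oracle page and the improvement seen after adding the property. Setting `com.sun.jndi.ldap.connect.pool.debug=fine` as a system property makes the provider log pool checkouts and returns, which is the quickest way to confirm whether contexts are actually being closed.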