jackrabbit-oak-issues mailing list archives

From "Manfred Baedke (Jira)" <j...@apache.org>
Subject [jira] [Resolved] (OAK-8890) LDAP login may fail if a server or intermediate silently drops connections
Date Wed, 06 May 2020 12:55:00 GMT

     [ https://issues.apache.org/jira/browse/OAK-8890?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Manfred Baedke resolved OAK-8890.
    Fix Version/s: 1.28.0
       Resolution: Fixed

> LDAP login may fail if a server or intermediate silently drops connections
> --------------------------------------------------------------------------
>                 Key: OAK-8890
>                 URL: https://issues.apache.org/jira/browse/OAK-8890
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-ldap
>            Reporter: Manfred Baedke
>            Assignee: Manfred Baedke
>            Priority: Major
>             Fix For: 1.28.0
>         Attachments: OAK-8890.patch
> This has been seen on production systems with Oak 1.10.2, where a firewall was configured
> to drop idle connections after a timeout without sending an RST (for security reasons). When
> this happens, the connection pool used by the LdapPrincipalProvider will still consider these
> connections healthy. Eventually such a connection will be used for an actual LDAP BIND/SEARCH,
> which will simply time out.
> The connection pool is an instance of org.apache.commons.pool.impl.GenericObjectPool,
> which has configuration options to deal with the scenario (namely running an eviction task
> which will properly close idle connections after a timeout which is shorter than the timeout
> interval used by the firewall).
> The creation of the connection pool used is hard-coded and most of the configuration
> options are not available.
> I propose to change that. I'll supply a patch soon.

This message was sent by Atlassian Jira
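
The eviction settings the report refers to, shown as an added example that is not Oak's code and not the OAK-8890 patch. It assumes commons-pool 1.6 on the classpath; `FakeConnection`, `FakeConnectionFactory`, `newPool` and the timeout values are hypothetical stand-ins for the LDAP connection and the firewall's idle timeout.

```java
import org.apache.commons.pool.BasePoolableObjectFactory;
import org.apache.commons.pool.impl.GenericObjectPool;

public class IdleEvictionExample {
    // Hypothetical stand-in for a pooled LDAP connection (not an Oak class).
    static class FakeConnection {
        volatile boolean open = true;
        void close() { open = false; }
    }

    static class FakeConnectionFactory extends BasePoolableObjectFactory<FakeConnection> {
        @Override public FakeConnection makeObject() { return new FakeConnection(); }
        @Override public void destroyObject(FakeConnection c) { c.close(); }
        @Override public boolean validateObject(FakeConnection c) { return c.open; }
    }

    // Builds a pool whose evictor closes idle connections well before the
    // firewall's idle timeout (an assumed, externally known value) can drop them.
    static GenericObjectPool<FakeConnection> newPool(long firewallIdleTimeoutMillis) {
        GenericObjectPool<FakeConnection> pool =
                new GenericObjectPool<FakeConnection>(new FakeConnectionFactory());
        long maxIdleMillis = firewallIdleTimeoutMillis / 2;
        pool.setMinEvictableIdleTimeMillis(maxIdleMillis);         // evict after this idle time
        pool.setTimeBetweenEvictionRunsMillis(maxIdleMillis / 2);  // starts the eviction task
        pool.setNumTestsPerEvictionRun(-1);                        // -1: examine every idle object
        pool.setTestWhileIdle(true);   // also validate idle objects that are not yet expired
        pool.setTestOnBorrow(true);    // validate again before handing a connection out
        return pool;
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: the firewall drops connections idle for 2 seconds.
        GenericObjectPool<FakeConnection> pool = newPool(2000);
        FakeConnection first = pool.borrowObject();
        pool.returnObject(first);                 // connection is now idle in the pool
        Thread.sleep(2000);                       // longer than maxIdle plus one eviction run
        System.out.println("idle after eviction: " + pool.getNumIdle());
        System.out.println("first still open:    " + first.open);
        FakeConnection second = pool.borrowObject();  // pool creates a fresh connection
        System.out.println("fresh connection:    " + (second != first));
        pool.returnObject(second);
        pool.close();
    }
}
```

With the default pool settings the eviction task never runs, so the first connection would stay in the pool indefinitely, which is the state in which a silently dropped connection gets reused.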