jackrabbit-oak-issues mailing list archives

From "Manfred Baedke (Jira)" <j...@apache.org>
Subject [jira] [Updated] (OAK-8890) LDAP login may fail if a server or intermediate silently drops connections
Date Tue, 05 May 2020 18:28:00 GMT

     [ https://issues.apache.org/jira/browse/OAK-8890?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Manfred Baedke updated OAK-8890:
--------------------------------
    Attachment: OAK-8890.patch

> LDAP login may fail if a server or intermediate silently drops connections
> --------------------------------------------------------------------------
>
>                 Key: OAK-8890
>                 URL: https://issues.apache.org/jira/browse/OAK-8890
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-ldap
>            Reporter: Manfred Baedke
>            Assignee: Manfred Baedke
>            Priority: Major
>         Attachments: OAK-8890.patch
>
>
> This has been seen on production systems with Oak 1.10.2, where a firewall was configured
> to drop idle connections after a timeout without sending an RST (for security reasons). When
> this happens, the connection pool used by the LdapPrincipalProvider will still consider these
> connections healthy. Eventually such a connection will be used for an actual LDAP BIND/SEARCH,
> which will simply time out.
> The connection pool is an instance of org.apache.commons.pool.impl.GenericObjectPool,
> which has configuration options to deal with the scenario (namely running an eviction task
> which will properly close idle connections after a timeout which is shorter than the timeout
> interval used by the firewall).
> The creation of the connection pool used is hard coded and most of the configuration
> options are not available.
> I propose to change that. I'll supply a patch soon.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
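
The eviction settings the issue description refers to, as an added example that is not part of the original message or of OAK-8890.patch. It assumes commons-pool 1.6 on the classpath; `FakeConnection`, `FakeConnectionFactory` and the 5-second firewall timeout are constructed stand-ins, not Oak classes or values from the report.

```java
import org.apache.commons.pool.BasePoolableObjectFactory;
import org.apache.commons.pool.impl.GenericObjectPool;

public class IdleEvictionExample {

    // Hypothetical stand-in for a pooled LDAP connection.
    static class FakeConnection {
        volatile boolean open = true;
        void close() { open = false; }
    }

    // Hypothetical factory; destroyObject() is what the evictor calls.
    static class FakeConnectionFactory extends BasePoolableObjectFactory<FakeConnection> {
        @Override public FakeConnection makeObject() { return new FakeConnection(); }
        @Override public void destroyObject(FakeConnection c) { c.close(); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed value: the firewall silently drops connections idle for 5 s.
        long firewallIdleTimeoutMs = 5000;

        GenericObjectPool<FakeConnection> pool =
                new GenericObjectPool<FakeConnection>(new FakeConnectionFactory());

        // Without the next three calls no evictor thread runs, and an idle
        // connection stays in the pool no matter how long it has been unused.
        pool.setMinEvictableIdleTimeMillis(firewallIdleTimeoutMs / 2); // evict well before the firewall does
        pool.setTimeBetweenEvictionRunsMillis(500);                    // run the eviction task twice a second
        pool.setNumTestsPerEvictionRun(-1);                            // examine every idle object per run

        FakeConnection first = pool.borrowObject();
        pool.returnObject(first);
        System.out.println("idle right after return: " + pool.getNumIdle());

        // Wait past the eviction threshold but less than the firewall timeout.
        Thread.sleep(firewallIdleTimeoutMs - 1000);
        System.out.println("idle after eviction ran: " + pool.getNumIdle());
        System.out.println("first connection closed by pool: " + !first.open);

        // The next borrow gets a fresh connection instead of the stale one.
        FakeConnection second = pool.borrowObject();
        System.out.println("borrowed a new object: " + (second != first));
        pool.returnObject(second);
        pool.close();
    }
}
```

Eviction here is based purely on idle time, so it does not depend on a validation query that would itself hang on a silently dropped connection.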
