tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Handling LDAP flakiness
Date Fri, 14 Jun 2013 21:18:33 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Patrick,

On 6/14/13 4:55 PM, patrick conant wrote:
> I’ve got Tomcat configured with a JNDI Realm talking to Microsoft
> Active Directory over LDAP.  It works perfectly when
> ActiveDirectory works; but when ActiveDirectory gets flaky (which
> it sometimes does), Tomcat doesn’t handle it well.  In one
> particular case, I’ve got one thread stuck trying to talk to
> ActiveDirectory and 199 additional threads waiting for the first 
> thread to release its lock on the JNDIRealm.  Relevant bits of the
> stack dump are below.
> 
> My first question is: is there a way to configure the JNDIRealm to
> be more fault-tolerant?  It looks like I could add an alternateURL
> attribute -- but in this case, it seems like the connection is hung
> and the JNDIRealm doesn't recognize a failure, so it wouldn't fail
> over to the alternateURL. Is there anything else I can do to allow
> the JNDIRealm to recover from this situation?
> 
> My second question is: really -- authentication is serialized?
> Then I realized that the big bold TODO in the docs would address
> this problem. ( 
> http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/JNDIRealm.html).
>
> 
Bummer.  I ought to get coding on that...

What is your "timeLimit" attribute set to on this <Realm>? The default
timeout is infinite...

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRu4ipAAoJEBzwKT+lPKRYKjAP+wY9DQmicgVl7wYJ+ZwJd9Dp
JVZHaxS1zaG4mAARyRcfH6Zgq47hYoroIoWEajV0VP3FVzux4M6zhFRtqu8LDthm
jq7OlrmlQufUfgqqGIAUqg6BaDscl67VohRAS/odJpyItAQ11KKoxCd+A6kr1Slm
RJHBirpyURX3u9p/SbB4G9Jz2cMELwckzT9OQsidZ7ylmb1Y+CXbAntzDmMEuf7/
p4dDHOKkc4FipagO4dJOpDw+WUYgSoqhCVDaP5wf6/gpZU5oPU/u0MY3drnI0lhE
ofAdnGGntgORp9JpvtnZeyTm8PWLfbRmWqRVH6kDczzgoUoRRcoMJqdg9g4f7Z9A
k9a+WDazPbapMXKK+tJ0gG4KDD7x1jy6hzOjAI8iz59kRrDoRS/ESJzsIg0IaWMh
qewLMthnjPoo7P+CRCSxKBTbPb2sbYEquWQ0M9y+0BEdgTqOpO7fDG6RVMLJFnhP
Mmf0HWKN0JLBgIT5DU7wpCwFONyGOmHF6poSIOPRtjYprXv4EP9Q7trS7BrLPg2h
a4vXAUz5ihQJ6tyz7aSPS7P+e/sd2Ha1x/er+kGou49dtdX8MxPhh3ZB+ATpYJBP
/ZPqf3ERo+8AnCv4ZHhuJBn2uhyFNc2XacoNS1LUGIfrJR4AVYli5ZVJP8cqA8E3
i+C6pIQobmKzBtT9Uumd
=4AXj
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message