[ https://issues.apache.org/jira/browse/AMBARI-22642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16291871#comment-16291871 ]
Hadoop QA commented on AMBARI-22642:
------------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12902088/ambari-22642.patch
against trunk revision .

+1 @author. The patch does not contain any @author tags.

-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.

+1 release audit. The applied patch does not increase the total number of release audit warnings.

+1 javac. The applied patch does not increase the total number of javac compiler warnings.

+1 core tests. The patch passed unit tests in ambari-server.

Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/12845//console

This message is automatically generated.

> LDAPS sync Connection Refused
> ------------------------------
>
> Key: AMBARI-22642
> URL: https://issues.apache.org/jira/browse/AMBARI-22642
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.5.0
> Environment: java version "1.8.0_121"
> Java(TM) SE Runtime Environment (build 1.8.0_121-tdc1-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
> AD Domain Controllers
> LDAP v.3
> 2012 R2 OS
> Reporter: David F. Quiroga
> Priority: Minor
> Labels: easyfix, patch
> Attachments: ambari-22642.patch
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Ambari server configured to use "secure" ldap authentication.
> authentication.ldap.primaryUrl=********:636
> authentication.ldap.useSSL=true
> We call the ldap_sync_events REST endpoint frequently to synchronize
> existing groups and a specific list of groups. We had no issues with this until
> mid-October, at which point we began to see:
> {code}
> "status" : "ERROR",
> "status_detail" : "Caught exception running LDAP sync. simple bind
> failed: **********:636; nested exception is
> javax.naming.CommunicationException: simple bind failed: **********:636 [Root
> exception is java.net.SocketException: Connection reset]",
> {code}
> Troubleshooting:
> * We saw random success and failure when attempting to sync a single group.
> * With useSSL=false and an updated port ldap sync was consistently successful.
> Cause:
> * By default, ldap connection only uses pooled connections when connecting to
> a directory server over LDAP. Enabling SSL causes it to disable the pooling,
> resulting in poorer performance and failures due to connection resets.
> * Around mid-October we increased the number of groups defined on the system
> (50+); this pushed us outside the "safe zone".
> Fix:
> Enable SSL connection pooling by adding the below argument to startup
> options.
> -Dcom.sun.jndi.ldap.connect.pool.protocol='plain ssl'
> Reference:
> [https://confluence.atlassian.com/jirakb/connecting-jira-to-active-directory-over-ldaps-fails-with-connection-reset-763004137.htm]
> [https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html]
>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
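
An added example, not part of the original issue or of the Ambari code base: a stand-alone Java preflight check showing why the default value of `com.sun.jndi.ldap.connect.pool.protocol` leaves LDAPS connections unpooled, and how the `plain ssl` value from the Fix section changes that while keeping the bind on port 636 encrypted. The class name, helper names and the host `dc.example.com` are hypothetical; the property names are the JNDI LDAP provider's own.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;

// Added example (hypothetical class): checks whether a JVM's settings allow
// the JNDI LDAP provider to pool connections made over SSL. Runs offline.
public class LdapsPoolCheck {
    // Per-context environment property that requests pooling.
    static final String POOL = "com.sun.jndi.ldap.connect.pool";
    // JVM-wide system property listing the connection types that may be pooled.
    static final String POOL_PROTOCOL = "com.sun.jndi.ldap.connect.pool.protocol";

    // The value is a space-separated list; when unset the provider uses "plain".
    static boolean sslPoolingEnabled(String poolProtocol) {
        String value = (poolProtocol == null) ? "plain" : poolProtocol;
        return Arrays.asList(value.trim().split("\\s+")).contains("ssl");
    }

    // A connection is of type "ssl" for an ldaps:// URL or security.protocol=ssl.
    static boolean isSslConnection(Hashtable<String, String> env) {
        String url = env.getOrDefault(Context.PROVIDER_URL, "");
        return url.toLowerCase().startsWith("ldaps://")
                || "ssl".equals(env.get(Context.SECURITY_PROTOCOL));
    }

    // Pooling must be requested by the context and permitted for its type.
    static boolean willPool(Hashtable<String, String> env, String poolProtocol) {
        if (!"true".equals(env.get(POOL))) return false;
        return !isSslConnection(env) || sslPoolingEnabled(poolProtocol);
    }

    static Hashtable<String, String> buildEnv(String url, boolean useSsl) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        if (useSsl) env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(POOL, "true");
        return env;
    }

    public static void main(String[] args) {
        // Constructed sample values; the issue's real server name is redacted.
        Hashtable<String, String> env = buildEnv("ldaps://dc.example.com:636", true);
        System.out.println("this JVM:    " + willPool(env, System.getProperty(POOL_PROTOCOL)));
        System.out.println("default:     " + willPool(env, null));        // false
        System.out.println("'plain ssl': " + willPool(env, "plain ssl")); // true
    }
}
```

Run it with and without `-Dcom.sun.jndi.ldap.connect.pool.protocol='plain ssl'` on the `java` command line to see the first line change.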