[ https://issues.apache.org/jira/browse/OAK-8890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17030881#comment-17030881 ]

Manfred Baedke commented on OAK-8890:
-------------------------------------

It wouldn't be a good idea to expose every available config option (see 
https://commons.apache.org/proper/commons-pool/api-2.8.0/index.html), since 
these are implementation details of apache.commons.pool2. Currently exactly one 
of these options is configurable, namely the pool size. To fix the issue at 
hand, we'd need a background job evicting idle connections after a configurable 
timeout interval. The default implementation 
(https://commons.apache.org/proper/commons-pool/api-2.8.0/org/apache/commons/pool2/impl/DefaultEvictionPolicy.html)
 has such an option, which is disabled by default. I'd go for the simplest 
solution and offer two additional config options allowing to set the time 
between two eviction runs and the minimum idle time after which a connection 
shall be evicted. A patch will follow tomorrow.

> LDAP login may fail if a server or intermediate silently drops connections
> --------------------------------------------------------------------------
>
>                 Key: OAK-8890
>                 URL: https://issues.apache.org/jira/browse/OAK-8890
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-ldap
>            Reporter: Manfred Baedke
>            Assignee: Manfred Baedke
>            Priority: Major
>
> This has been seen on production systems with Oak 1.10.2, where a firewall 
> was configured to drop idle connections after a timeout without sending an 
> RST (for security reasons). When this happens, the connection pool used by 
> the LdapPrincipalProvider will still consider these connections healthy. 
> Eventually such a connection will be used for an actual LDAP BIND/SEARCH, 
> which will simply time out.
> The connection pool is an instance of 
> org.apache.commons.pool.impl.GenericObjectPool, which has configuration 
> options to deal with the scenario (namely running an eviction task which will 
> properly close idle connections after a timeout which is shorter than the 
> timeout interval used by the firewall).
> The creation of the connection pool used is hard coded and most of the 
> configuration options are not available. 
> I propose to change that. I'll supply a patch soon.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
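
The two settings discussed in the comment above, shown against commons-pool2 2.8.0 as an added example (not code from Oak or from the announced patch). `FakeConn`, `FakeConnFactory`, `EvictionDemo` and all timeout values are hypothetical and constructed for illustration; the commons-pool2 jar is assumed to be on the classpath.

```java
import org.apache.commons.pool2.BasePooledObjectFactory;
import org.apache.commons.pool2.PooledObject;
import org.apache.commons.pool2.impl.DefaultPooledObject;
import org.apache.commons.pool2.impl.GenericObjectPool;
import org.apache.commons.pool2.impl.GenericObjectPoolConfig;

public class EvictionDemo {
    // Hypothetical stand-in for a pooled LDAP connection; not an Oak class.
    static class FakeConn {
        volatile boolean closed;
        void close() { closed = true; }
    }

    static class FakeConnFactory extends BasePooledObjectFactory<FakeConn> {
        @Override public FakeConn create() { return new FakeConn(); }
        @Override public PooledObject<FakeConn> wrap(FakeConn c) { return new DefaultPooledObject<>(c); }
        // The evictor calls this for idle objects it removes, so the
        // connection is closed from our side before the firewall drops it.
        @Override public void destroyObject(PooledObject<FakeConn> p) { p.getObject().close(); }
    }

    public static void main(String[] args) throws Exception {
        long firewallIdleTimeoutMs = 2_000; // constructed value for the demo

        GenericObjectPoolConfig<FakeConn> cfg = new GenericObjectPoolConfig<>();
        cfg.setMaxTotal(8);                          // the pool size
        cfg.setTimeBetweenEvictionRunsMillis(250);   // default -1 means no evictor thread
        // Idle time plus one eviction interval must stay below the firewall timeout.
        cfg.setMinEvictableIdleTimeMillis(firewallIdleTimeoutMs / 2);

        GenericObjectPool<FakeConn> pool = new GenericObjectPool<>(new FakeConnFactory(), cfg);
        try {
            FakeConn first = pool.borrowObject();
            pool.returnObject(first);                // connection now sits idle in the pool
            Thread.sleep(firewallIdleTimeoutMs);     // the "firewall" would drop it about now

            FakeConn second = pool.borrowObject();   // pool must create a fresh connection
            System.out.println("idle connection closed by evictor: " + first.closed);
            System.out.println("fresh connection handed out: " + (second != first));
            System.out.println("destroyed by evictor: " + pool.getDestroyedByEvictorCount());
            pool.returnObject(second);
        } finally {
            pool.close();                            // also stops the evictor thread
        }
    }
}
```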
