[ https://issues.apache.org/jira/browse/ARTEMIS-4712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram resolved ARTEMIS-4712.
-------------------------------------
    Fix Version/s: 2.34.0
       Resolution: Fixed

> Remove LDAP connection pooling
> ------------------------------
>
>                 Key: ARTEMIS-4712
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4712
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>            Reporter: Justin Bertram
>            Assignee: Justin Bertram
>            Priority: Major
>             Fix For: 2.34.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The {{LDAPLoginModule}} supports connection pooling, but there have been 
> reports of weird behavior with pooling vs. without. For example, with pooling 
> once a login failure occurs subsequent login attempts also fail - even if 
> credentials are valid. However, without pooling this behavior is never seen.
> Upon further investigation the [Oracle 
> documentation|https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/pool.html]
>  says this:
> bq. Pooled connections are intended to be reused. Therefore, if you plan to 
> perform operations on a Context instance that might alter the underlying 
> connection's state, then you should not use connection pooling for that 
> Context instance. For example, if you plan to invoke the Start TLS extended 
> operation on a Context instance, or plan to change security-related 
> properties (such as "java.naming.security.principal" or 
> "java.naming.security.protocol") after the initial context has been created, 
> you should not use connection pooling for that Context instance because the 
> LDAP provider does not track any such state changes. If you use connection 
> pooling in such situations, you might be compromising the security of your 
> application.
> The {{LDAPLoginModule}} does, in fact, modify the 
> {{java.naming.security.principal}} of the {{Context}} (i.e. in the 
> {{bindUser}} method). Although the {{Context}} is immediately reset to the 
> original values (ostensibly restoring normal pool behavior) the pooling 
> functionality should be removed in an abundance of caution.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
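
One way to run the user bind check the issue describes without changing the principal on a shared context, as an added example (not Artemis code and not the project's fix): each attempt gets its own non-pooled `InitialDirContext`. The class and method names are hypothetical; `com.sun.jndi.ldap.connect.pool` is the JDK LDAP provider's pooling property.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapBindCheck {
    // JDK LDAP provider property that controls connection pooling.
    static final String POOL = "com.sun.jndi.ldap.connect.pool";

    // Environment for exactly one bind attempt; never shared, never pooled.
    static Hashtable<String, Object> bindEnv(String url, String userDn, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(POOL, "false");
        return env;
    }

    // True only if the directory accepts a simple bind as userDn.
    static boolean verify(String url, String userDn, String password) throws NamingException {
        // An empty password turns a simple bind into an unauthenticated bind,
        // which many servers accept, so reject it before contacting the server.
        if (userDn == null || userDn.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(bindEnv(url, userDn, password)); // binds on connect
            return true;
        } catch (AuthenticationException e) {
            return false; // bad credentials; other NamingExceptions (outage, TLS) propagate
        } finally {
            if (ctx != null) ctx.close(); // connection is closed, nothing returns to a pool
        }
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 2 || System.console() == null) {
            System.err.println("usage: LdapBindCheck <ldap-url> <user-dn>  (run from a terminal)");
            return;
        }
        char[] pw = System.console().readPassword("Password: ");
        String password = pw == null ? "" : new String(pw);
        System.out.println(verify(args[0], args[1], password) ? "bind ok" : "bind rejected");
    }
}
```

Because no context outlives a single attempt, a failed bind leaves no state behind that a later login could inherit.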
