David F. Quiroga created AMBARI-22642:
-----------------------------------------

             Summary: LDAPS sync Connection Refused
                 Key: AMBARI-22642
                 URL: https://issues.apache.org/jira/browse/AMBARI-22642
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.5.0
         Environment: java version "1.8.0_121"
                      Java(TM) SE Runtime Environment (build 1.8.0_121-tdc1-b13)
                      Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
                      AD Domain Controllers LDAP v.3 2012 R2 OS
            Reporter: David F. Quiroga
            Priority: Minor

Ambari server configured to use "secure" ldap authentication.

authentication.ldap.primaryUrl=********:636
authentication.ldap.useSSL=true

We call the ldap_sync_events REST endpoint frequently to synchronize existing groups and a specific list of groups.
We had no issues with this until mid-October, at which point we began to see:

{code}
"status" : "ERROR",
"status_detail" : "Caught exception running LDAP sync. simple bind failed: **********:636; nested exception is javax.naming.CommunicationException: simple bind failed: **********:636 [Root exception is java.net.SocketException: Connection reset]",
{code}

Troubleshooting:
* We saw random success and failure when attempting to sync a single group.
* With useSSL=false and an updated port ldap sync was consistently successful.

Cause:
* By default, ldap connection only uses pooled connections when connecting to a directory server over LDAP. Enabling SSL causes it to disable the pooling, resulting in poorer performance and failures due to connection resets.
* Around mid-October we increased the number of groups defined on the system (50+), this pushed us outside the "safe zone".

Fix:
Enable the SSL connections pooling by adding the below argument to startup options.

-Dcom.sun.jndi.ldap.connect.pool.protocol='plain ssl'

Reference:
[https://confluence.atlassian.com/jirakb/connecting-jira-to-active-directory-over-ldaps-fails-with-connection-reset-763004137.htm]
[https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html]

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
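
The pooling eligibility rules behind the fix in the issue above, written out as an added example; it is not part of the original report and is not Ambari code. The class and method names and the host `dc.example.test` are hypothetical, the context is assumed to request pooling through the `com.sun.jndi.ldap.connect.pool` environment property, and an unset authentication type is treated as `none`.

```java
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;

public class LdapPoolCheck {
    // JNDI LDAP provider defaults when the system properties are not set.
    static final String DEFAULT_PROTOCOLS = "plain";
    static final String DEFAULT_AUTH = "none simple";

    /** Returns null if the connection may be pooled, otherwise the reason it is not. */
    static String whyNotPooled(Hashtable<String, String> env, String poolProtocols, String poolAuth) {
        if (!"true".equalsIgnoreCase(env.get("com.sun.jndi.ldap.connect.pool")))
            return "context did not request pooling";
        // A connection counts as "ssl" for an ldaps:// URL or an explicit security protocol.
        String url = env.getOrDefault(Context.PROVIDER_URL, "");
        boolean ssl = url.toLowerCase().startsWith("ldaps:")
                || "ssl".equalsIgnoreCase(env.get(Context.SECURITY_PROTOCOL));
        String protocol = ssl ? "ssl" : "plain";
        // Assumption: an unset authentication type is treated as "none".
        String auth = env.getOrDefault(Context.SECURITY_AUTHENTICATION, "none");
        if (!tokens(poolProtocols, DEFAULT_PROTOCOLS).contains(protocol))
            return "protocol '" + protocol + "' not in com.sun.jndi.ldap.connect.pool.protocol";
        if (!tokens(poolAuth, DEFAULT_AUTH).contains(auth))
            return "authentication '" + auth + "' not in com.sun.jndi.ldap.connect.pool.authentication";
        return null;
    }

    // Both properties are space-separated lists; null means "use the default".
    static List<String> tokens(String value, String dflt) {
        return Arrays.asList((value == null ? dflt : value).trim().split("\\s+"));
    }

    public static void main(String[] args) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.PROVIDER_URL, "ldaps://dc.example.test:636"); // constructed host
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put("com.sun.jndi.ldap.connect.pool", "true");

        // JVM defaults: the LDAPS connection is excluded from the pool.
        System.out.println("defaults:    " + whyNotPooled(env, null, null));
        // With the value from the issue's -D argument it becomes eligible.
        System.out.println("'plain ssl': " + whyNotPooled(env, "plain ssl", null));
        // What the running JVM was actually started with.
        System.out.println("this JVM:    " + whyNotPooled(env,
                System.getProperty("com.sun.jndi.ldap.connect.pool.protocol"),
                System.getProperty("com.sun.jndi.ldap.connect.pool.authentication")));
    }
}
```

The value `plain ssl` contains a space, so it has to stay quoted wherever the startup options pass through a shell; unquoted, the JVM would see `ssl` as a separate argument.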