Hi All,

We are using LDAPLoginModule with Active Directory. For some reason, when the LDAP server is restarted, it begins to listen on the LDAP port but returns authentication errors until it is fully loaded. Usually it takes about 30-60 seconds to begin normal operation. In this period applications cannot connect to the broker due to login failure.
The error is:

    Failed to open context
    javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09050F, comment: AcceptSecurityContext error, data 52e, v4f7c^@]
    Caused by: javax.security.auth.login.FailedLoginException: Error opening LDAP connection

I have configured noCacheExceptions with this exception and the most common errors which can be received when connecting to LDAP, but it only helps to avoid caching these errors, not to avoid them completely (even though we have specified two servers in the LDAP connection URL).

Is it possible to handle this exception in the LDAPLoginModule, assume that this server is not operational, and try to connect to another server?

Example LDAPLoginModule configuration section:

    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
        debug=true
        initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        ignorePartialResultException=true
        noCacheExceptions="javax.naming.AuthenticationException,java.net.ConnectException,java.net.SocketTimeoutException,java.net.NoRouteToHostException,java.net.SocketException"
        connectionURL="ldaps://server1.domain.tld:636 ldaps://server2.domain.tld:636"
        connectionUsername="user_for_ldap_bind"
        connectionPassword=""
        connectionProtocol="s"
        connectionTimeout="5000"
        readTimeout="5000"
        authentication=simple
        userBase="DC=domain,DC=tld"
        userSearchMatching="(sAMAccountName={0})"
        userSearchSubtree=true
        userRoleName="memberOf"
        roleName="CN"
    ;

I also read the documentation for JNDI LDAP (https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/jndi-ldap.html, section 6.2) and found that I can specify a URL in a format like "ldaps://DC=domain,DC=tld". It could work as auto-discovery for the LDAP service. The result was strange: the broker tries to connect randomly to each domain controller on port 389 (not LDAPS 636) and receives connection refused (probably because each server's name was an FQDN with a trailing "."):

    javax.naming.CommunicationException: server1.domain.tld.:389

--
Best regards,
Aleksandr
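An added example, not code from the original post or from Artemis itself, of the per-server check the question asks about: it binds as the service account to each URL in a space-separated connectionURL in turn, with JNDI's connect and read timeout properties, and separates a server that is unreachable (CommunicationException) from one that is listening but rejects a known-good bind (AuthenticationException, error 49). The class name, the LDAP_BIND_PASSWORD environment variable and the choice to treat a rejected service-account bind as "server not ready" are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Probes each server of an Artemis-style space-separated connectionURL (hypothetical helper). */
public class LdapBindProbe {

    /** Returns the first URL on which the service account can bind, or null if none is usable. */
    public static String firstUsableServer(String connectionURL, String bindPrincipal,
                                           String bindPassword, int timeoutMs) {
        for (String url : connectionURL.trim().split("\\s+")) {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, url);            // one server per attempt, not the whole list
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, bindPrincipal);
            env.put(Context.SECURITY_CREDENTIALS, bindPassword);
            env.put("com.sun.jndi.ldap.connect.timeout", Integer.toString(timeoutMs));
            env.put("com.sun.jndi.ldap.read.timeout", Integer.toString(timeoutMs));
            try {
                DirContext ctx = new InitialDirContext(env);  // performs the bind
                ctx.close();
                return url;
            } catch (CommunicationException e) {
                // TCP/TLS level failure: the server is down or unreachable, try the next URL.
                System.err.println(url + ": unreachable (" + e.getMessage() + ")");
            } catch (AuthenticationException e) {
                // Error 49 for the service account, whose credentials are known to be valid.
                // Assumption: this means the DC is listening but not yet serving logons, so
                // it is skipped; a locked-out or rotated bind account would look the same.
                System.err.println(url + ": bind rejected (" + e.getMessage() + ")");
            } catch (NamingException e) {
                System.err.println(url + ": " + e);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String url = firstUsableServer(
            "ldaps://server1.domain.tld:636 ldaps://server2.domain.tld:636",
            "user_for_ldap_bind", System.getenv("LDAP_BIND_PASSWORD"), 5000);
        System.out.println(url == null ? "no usable LDAP server" : "use " + url);
    }
}
```

Running this as a readiness check before starting the broker, or from a monitoring job, shows which domain controller is actually accepting binds during the 30-60 second warm-up window described above.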