This issue looks to have just bit us with 4.2.x, as well. A network configuration error led to losing two of our four CAS servers at a busy time of day. Some fraction of the users needed to re-login, so there was a natural increase in LDAP pool connections. Every time the validator ran, each connection in the pool failed validation, forcing the creation of a new set of connections. We didn't notice this behavior earlier but, now that we look at it, it's been there all along.
Tom. > On Feb 13, 2017, at 2:11 AM, Ben Howell-Thomas > <[email protected]> wrote: > > Hi, > > I think I may have found an issue but per guidelines posting here first. > > When CAS is configured to authenticate with LDAP using Direct Bind and LDAP > is locked down to not allow anonymous binds/searches or for users to see > anything other than their own entry, then we get unexpected failures trying > to log in. > > For wrong passwords or locked accounts, every second attempt [with a given > Ldap connection from the pool] would fail. Actually, it would also fail for > a valid account with the correct password if it was on the same connection as > a failed login attempt, and the regular connection validator would similarly > fail. > > What's happening in Ldaptive is as follows : > • Before a bind attempt, a SearchValidator checks the connection is > still valid > • To make the bind attempt, org.ldaptive.provider.jndi.JndiConnection > sets the principal and credentials on the connection's environment variable > • This connection is then returned to the pool, still containing the > principal and credentials from the previous attempt. > • Before the next login/bind attempt using that connection, > SearchValidator tries to validate the connection again but fails, because > it's no longer trying with the configured cas.properties > cas.authn.ldap.bindDn property but with whatever user DN was used in the > previous step > • Since the SearchValidator fails, the connection is closed and an > exception is returned, so CAS denies access by default (even if we should > show the Account Locked page). > I asked the Ldaptive mailing list about this which put me on to the > org.ldaptive.pool.BindPassivator class which reconnects to LDAP with the > configured DN and credentials, effectively resetting the connection to what > it should be after each bind request. That way the connection is returned to > the pool ready to be used again. > > Adding the following to our version of > LdapAuthenticationConfiguration.getDirectBindAuthenticator() implemented a > BindPassivator to restore expected behaviour : > > /* > * Binding (which we do both when validating connections and authenticating > users) using pooled connections is "tricky" > * according to the Ldaptive mailing list. The connection must be returned > to the pool ready for the next connection > * to use (ie not binded as the previous user). Set a BindPassivator to clean > the connection when it's returned to the pool. > */ > ConnectionPool cp = > pooledBindAuthenticationHandler.getConnectionFactory().getConnectionPool(); > BindRequest br = new BindRequest(l.getBindDn(), new > Credential(l.getBindCredential())); > cp.setPassivator(new BindPassivator(br)); > > Another workaround of course would be to change the LDAP configuration. > > thanks, > > Ben > > # ps some relevant LDAP settings for reference > cas.authn.ldap[0].type=DIRECT > cas.authn.ldap[0].useSsl=false > cas.authn.ldap[0].useStartTls=false > cas.authn.ldap[0].connectTimeout=5000 > cas.authn.ldap[0].subtreeSearch=false > cas.authn.ldap[0].bindDn=uid=cas,ou=Administrators,dc=domain,dc=com > cas.authn.ldap[0].bindCredential=password > cas.authn.ldap[0].minPoolSize=3 > cas.authn.ldap[0].maxPoolSize=10 > cas.authn.ldap[0].validateOnCheckout=true > cas.authn.ldap[0].validatePeriodically=true > cas.authn.ldap[0].validatePeriod=600 > cas.authn.ldap[0].failFast=true > cas.authn.ldap[0].idleTime=500 > cas.authn.ldap[0].prunePeriod=600 > cas.authn.ldap[0].blockWaitTime=5000 > > This email is sent on behalf of Northgate Public Services (UK) Limited and > its associated companies including Rave Technologies (India) Pvt Limited > (together "Northgate Public Services") and is strictly confidential and > intended solely for the addressee(s). > If you are not the intended recipient of this email you must: (i) not > disclose, copy or distribute its contents to any other person nor use its > contents in any way or you may be acting unlawfully; (ii) contact Northgate > Public Services immediately on +44(0)1908 264500 quoting the name of the > sender and the addressee then delete it from your system. > Northgate Public Services has taken reasonable precautions to ensure that no > viruses are contained in this email, but does not accept any responsibility > once this email has been transmitted. You should scan attachments (if any) > for viruses. > > Northgate Public Services (UK) Limited, registered in England and Wales under > number 00968498 with a registered address of Peoplebuilding 2, Peoplebuilding > Estate, Maylands Avenue, Hemel Hempstead, Hertfordshire, HP2 4NN. Rave > Technologies (India) Pvt Limited, registered in India under number 117068 > with a registered address of 2nd Floor, Ballard House, Adi Marzban Marg, > Ballard Estate, Mumbai, Maharashtra, India, 400001. > > -- > - CAS gitter chatroom: https://gitter.im/apereo/cas > - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html > - CAS documentation website: https://apereo.github.io/cas > - CAS project website: https://github.com/apereo/cas > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD0p8psvuk%2Br_kUnBhM4MP9sK8%2Bm80VFGF5sqRNbzxYUn0Az1A%40mail.gmail.com. -- - CAS gitter chatroom: https://gitter.im/apereo/cas - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html - CAS documentation website: https://apereo.github.io/cas - CAS project website: https://github.com/apereo/cas --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9BE363E2-1316-406C-A3EB-D97AA60A3247%40ucdavis.edu.
