Hello,

In our organization, we have a similar CAS configuration: LDAP bind across multiple branches, and use of SSL to secure the connection between CAS and LDAP. About pooling:

- You cannot pool the connections used to validate login/password, as you've seen.
- The only connections which can be pooled are the ones used to look up users and retrieve attributes, i.e. connections that use anonymous binding or only one LDAP user.

Unfortunately CAS (at least 3.3.5 -> 3.4.8) without modifications does not allow you to configure multiple ContextSources. I've opened a jira issue ( https://issues.jasig.org/browse/CAS-987 ) about that.

Rgds.

On 17/06/2011 09:47, Tim Peters wrote:
Hi all,
I'm wondering if anyone has run into this problem before, or can provide
any suggestions.
We use LDAP as the backend for our CAS service. The LDAP server is
clustered behind a content switch, which handles the SSL. Recently the
content switch has started to randomly drop connections under high
load. In CAS, this shows up as an error looking like this:
2011-06-17 16:38:41,634 ERROR
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/].[cas]]
-<Servlet.service() for servlet cas threw exception>
javax.naming.ServiceUnavailableException: ldap:636; socket closed
at com.sun.jndi.ldap.Connection.readReply(Connection.java:419)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:340)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
[long stacktrace snipped]
Since our CAS server is one of the heaviest users of our LDAP server,
our systems team asked us to look into connection pooling. Our LDAP
configuration is pretty ordinary (host/tree info redacted):
<bean id="contextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="true" />
    <property name="urls">
        <list>
            <value>ldaps://ldap:636/</value>
        </list>
    </property>
    <property name="userDn" value="cn=CAS TaskID,ou=xxx" />
    <property name="password" value="..." />
    <property name="baseEnvironmentProperties">
        <map>
            <entry key="java.naming.security.authentication" value="simple" />
            <entry key="java.naming.referral" value="follow" />
        </map>
    </property>
</bean>
and in authenticationHandlers:
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="filter" value="uid=%u" />
    <property name="searchBase" value="dc=xxx" />
    <property name="contextSource" ref="contextSource" />
</bean>
Since the contextSource bean says pooled=true, we wondered why it wasn't
already pooling connections (we know it wasn't because netstat | grep
ldap would never show any connections). After reading the spring
framework documentation here:
http://download.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
we found out that by default, it doesn't pool LDAP connections over
SSL. So we added this JVM startup argument:
-Dcom.sun.jndi.ldap.connect.pool.protocol=ssl
Sadly, this didn't work the way we hoped. It turns out the pooling uses
the binding username as part of the key to determine if a connection can
be reused. So the second connection made by the
BindLdapAuthenticationHandler, which binds as the user logging in, would
only re-use a connection if it had the same username as a previous
connection. In other words, the pool contains 1 connection for each user
authenticating to CAS, and those connections are only ever used once.
Not a very useful pool!
Within a few minutes, the netstat table showed hundreds of ESTABLISHED
connections to the LDAP server, the number increasing quickly. We backed
this change out :)
I apologise for taking so long to get to a question, but the background
might be important. The question is: does anyone know of a way to pool
SSL connections to LDAP, so that the connections are reused by multiple
binds for multiple users? I'm pretty sure the LDAP protocol allows
multiple binds on the same connection, although I haven't tested it. So
I think this should be possible, I just can't see a way to do it within
the spring LDAP framework.
Also, in case it matters, we can't use the
FastBindLdapAuthenticationHandler because we need to authenticate users
across several LDAP branches.
Thanks in advance for any suggestions. Regards,
Tim
-- 
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
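The two-context arrangement described in the reply above (a pooled service-account connection for the user lookup, and a separate, deliberately unpooled connection for the password check) written directly against JNDI, as an added example that is not part of the original thread and not CAS or Spring LDAP code. The URL, service DN, branch list and passwords are placeholders; the class name and method names are invented for the illustration. It relies on two facts about the Sun/Oracle JNDI LDAP provider that the thread runs into: connections are pooled only when the environment sets `com.sun.jndi.ldap.connect.pool=true`, and a pooled connection is reused only by a later context with the same URL, authentication type, principal and credentials, so pooling the per-user bind can only ever leak one socket per login. As the original poster found, `ldaps://` connections additionally need `-Dcom.sun.jndi.ldap.connect.pool.protocol=ssl` on the JVM command line before the pool will hold them at all.

```java
import java.util.Hashtable;
import java.util.List;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Example only (not CAS/Spring LDAP code): pooled lookup context, unpooled bind context.
 * Run the JVM with -Dcom.sun.jndi.ldap.connect.pool.protocol=ssl for ldaps:// pooling.
 */
public class TwoContextLdapAuthenticator {

    private final String url;               // placeholder, e.g. "ldaps://ldap:636/"
    private final String serviceDn;         // placeholder, e.g. "cn=CAS TaskID,ou=xxx"
    private final String servicePassword;   // placeholder
    private final List<String> searchBases; // placeholder branches, e.g. "ou=staff,dc=xxx", "ou=students,dc=xxx"

    public TwoContextLdapAuthenticator(String url, String serviceDn,
                                       String servicePassword, List<String> searchBases) {
        this.url = url;
        this.serviceDn = serviceDn;
        this.servicePassword = servicePassword;
        this.searchBases = searchBases;
    }

    private Hashtable<String, Object> baseEnv() {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        return env;
    }

    /** Finds the user's DN across all branches using the service account. Pooled: the pool key
     *  (URL, auth type, principal, credentials) is the same on every call, so connections are reused. */
    private String findUserDn(String uid) throws NamingException {
        Hashtable<String, Object> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, serviceDn);
        env.put(Context.SECURITY_CREDENTIALS, servicePassword);
        env.put(Context.REFERRAL, "follow");
        env.put("com.sun.jndi.ldap.connect.pool", "true");

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]); // only the DN is needed

        DirContext ctx = new InitialDirContext(env);
        try {
            for (String base : searchBases) {
                // {0} is escaped by the provider; do not build "uid=" + uid by hand (filter injection)
                NamingEnumeration<SearchResult> results =
                        ctx.search(base, "(uid={0})", new Object[] { uid }, sc);
                try {
                    if (!results.hasMore()) {
                        continue;
                    }
                    String dn = results.next().getNameInNamespace();
                    if (results.hasMore()) {
                        throw new NamingException("uid " + uid + " is ambiguous under " + base);
                    }
                    return dn;
                } finally {
                    results.close();
                }
            }
            return null; // unknown user in every branch
        } finally {
            ctx.close(); // on a pooled context this returns the connection to the pool
        }
    }

    /** Verifies the password by binding as the user. Deliberately NOT pooled: a pooled
     *  per-user connection is keyed on that user's DN, never reused, and leaks one socket per login. */
    private boolean bindAsUser(String dn, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            return false; // a DN with an empty password is an unauthenticated bind, never a success
        }
        Hashtable<String, Object> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // no "com.sun.jndi.ldap.connect.pool" entry here: this connection is opened, bound and closed
        try {
            new InitialDirContext(env).close(); // the bind happens in the constructor
            return true;
        } catch (AuthenticationException e) {
            return false; // bad password (or disabled account): a normal outcome, not a fault
        }
    }

    public boolean authenticate(String uid, String password) throws NamingException {
        String dn = findUserDn(uid);
        return dn != null && bindAsUser(dn, password);
    }
}
```

The lookup context is the one worth tuning (`com.sun.jndi.ldap.connect.pool.maxsize`, `...timeout`) since it is the only one whose connections are ever shared; a `ServiceUnavailableException` from a dropped socket in the bind path still surfaces to the caller, which is the right place to decide whether to retry.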
