David F. Quiroga created AMBARI-22642:
-----------------------------------------
Summary: LDAPS sync Connection Refused
Key: AMBARI-22642
URL: https://issues.apache.org/jira/browse/AMBARI-22642
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.5.0
Environment: java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-tdc1-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
AD Domain Controllers
LDAP v.3
2012 R2 OS
Reporter: David F. Quiroga
Priority: Minor
Ambari server configured to use "secure" ldap authentication.
authentication.ldap.primaryUrl=********:636
authentication.ldap.useSSL=true
We call the ldap_sync_events REST endpoint frequently to synchronize existing
groups and a specific list of groups. We had no issues with this until
mid-October, at which point we began to see:
{code}
"status" : "ERROR",
"status_detail" : "Caught exception running LDAP sync. simple bind failed:
**********:636; nested exception is javax.naming.CommunicationException: simple
bind failed: **********:636 [Root exception is java.net.SocketException:
Connection reset]",
{code}
Troubleshooting:
* We saw random success and failure when attempting to sync a single group.
* With useSSL=false and an updated port, ldap sync was consistently successful.
Cause:
* By default, an ldap connection only uses pooled connections when connecting
to a directory server over LDAP. Enabling SSL causes it to disable the pooling,
resulting in poorer performance and failures due to connection resets.
* Around mid-October we increased the number of groups defined on the system
(50+); this pushed us outside the "safe zone".
Fix:
Enable the SSL connections pooling by adding the below argument to startup
options.
-Dcom.sun.jndi.ldap.connect.pool.protocol='plain ssl'
Reference:
[https://confluence.atlassian.com/jirakb/connecting-jira-to-active-directory-over-ldaps-fails-with-connection-reset-763004137.htm]
[https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html]
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
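
A check that the pool option from the Fix section reached the JVM as one argument, added here as an example (it is not code from the report or from Ambari). It parses a NUL-separated argv blob in the format of /proc/<pid>/cmdline on Linux; the sample command lines are constructed, and treating unrecognized protocol names as ignored is an assumption.

```python
import sys

PROP = "-Dcom.sun.jndi.ldap.connect.pool.protocol="
KNOWN = {"plain", "ssl"}  # protocol names documented for this property


def pooled_protocols(cmdline: bytes):
    """Return (protocols, warnings) for a NUL-separated argv blob."""
    argv = [a.decode("utf-8", "replace") for a in cmdline.split(b"\0") if a]
    protocols, warnings = {"plain"}, []  # JNDI default when the property is unset
    for i, arg in enumerate(argv):
        if not arg.startswith(PROP):
            continue
        names = set(arg[len(PROP):].split())
        protocols = names & KNOWN  # if repeated, the last occurrence wins
        for bad in sorted(names - KNOWN):
            warnings.append("unrecognized protocol name %r (stray quotes?)" % bad)
        # A bare "ssl"/"plain" right after the option means the quoting was
        # lost and the shell split the value into two arguments.
        nxt = argv[i + 1].strip("'\"") if i + 1 < len(argv) else ""
        if nxt in KNOWN and nxt not in protocols:
            warnings.append("%r is a separate argument; the value was word-split" % nxt)
    return protocols, warnings


def ldaps_is_pooled(cmdline: bytes) -> bool:
    """True when connections using SSL are eligible for the JNDI pool."""
    return "ssl" in pooled_protocols(cmdline)[0]


# Constructed sample command lines (not taken from a real Ambari host).
GOOD = b"java\0" + PROP.encode() + b"plain ssl\0-jar\0server.jar\0"
SPLIT = b"java\0" + PROP.encode() + b"plain\0ssl\0-jar\0server.jar\0"
UNSET = b"java\0-jar\0server.jar\0"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: script.py <pid>
        with open("/proc/%s/cmdline" % sys.argv[1], "rb") as fh:
            samples = {"pid " + sys.argv[1]: fh.read()}
    else:
        samples = {"GOOD": GOOD, "SPLIT": SPLIT, "UNSET": UNSET}
    for name, blob in samples.items():
        protos, warns = pooled_protocols(blob)
        print(name, sorted(protos), "LDAPS pooled:", "ssl" in protos, warns)
```

The SPLIT sample is the case to watch for when the option passes through an unquoted shell variable: the JVM then sees only `plain`, and LDAPS connections stay unpooled.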