[
https://issues.apache.org/jira/browse/AMBARI-22642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16484655#comment-16484655
]
Robert Levas commented on AMBARI-22642:
---------------------------------------
[~quirogadf]...
This patch needs to be reverted because on some platforms, the single quote is
causing startup failures. We need to convert
{code:java}
export AMBARI_JVM_ARGS=$AMBARI_JVM_ARGS"
-Dcom.sun.jndi.ldap.connect.pool.protocol='plain ssl'
-Dcom.sun.jndi.ldap.connect.pool.maxsize=20
-Dcom.sun.jndi.ldap.connect.pool.timeout=300000"
{code}
to
{code:java}
export AMBARI_JVM_ARGS="$AMBARI_JVM_ARGS
-Dcom.sun.jndi.ldap.connect.pool.protocol=\"plain ssl\"
-Dcom.sun.jndi.ldap.connect.pool.maxsize=20
-Dcom.sun.jndi.ldap.connect.pool.timeout=300000"
{code}
The revert is being done in [PR #1357|https://github.com/apache/ambari/pull/1357]
> LDAPS sync Connection Refused
> ------------------------------
>
> Key: AMBARI-22642
> URL: https://issues.apache.org/jira/browse/AMBARI-22642
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.5.0
> Environment: java version "1.8.0_121"
> Java(TM) SE Runtime Environment (build 1.8.0_121-tdc1-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
> AD Domain Controllers
> LDAP v.3
> 2012 R2 OS
> Reporter: David F. Quiroga
> Assignee: David F. Quiroga
> Priority: Minor
> Labels: easyfix, patch, pull-request-available
> Fix For: 2.7.0
>
> Attachments: ambari-22642.patch
>
> Original Estimate: 24h
> Time Spent: 2.5h
> Remaining Estimate: 21.5h
>
> Ambari server configured to use "secure" ldap authentication.
> authentication.ldap.primaryUrl=********:636
> authentication.ldap.useSSL=true
> We call the ldap_sync_events REST endpoint frequently to synchronize
> existing groups and a specific list of groups. We had no issues with this until
> mid-October at which point we began to see:
> {code}
> "status" : "ERROR",
> "status_detail" : "Caught exception running LDAP sync. simple bind
> failed: **********:636; nested exception is
> javax.naming.CommunicationException: simple bind failed: **********:636 [Root
> exception is java.net.SocketException: Connection reset]",
> {code}
> Troubleshooting:
> * We saw random success and failure when attempting to sync a single group.
> * With useSSL=false and an updated port ldap sync was consistently successful.
> Cause:
> * By default, ldap connection only uses pooled connections when connecting to
> a directory server over LDAP. Enabling SSL causes it to disable the pooling,
> resulting in poorer performance and failures due to connection resets.
> * Around mid-October we increased the number of groups defined on the system
> (50+), this pushed us outside the "safe zone".
> Fix:
> Enable the SSL connections pooling by adding the below argument to startup
> options.
> -Dcom.sun.jndi.ldap.connect.pool.protocol='plain ssl'
> Reference:
> [https://confluence.atlassian.com/jirakb/connecting-jira-to-active-directory-over-ldaps-fails-with-connection-reset-763004137.htm]
> [https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html]
>
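An added example, not part of the original message or of Ambari's code: a check of how the two quoting forms discussed above arrive as process arguments, so that you can confirm `plain ssl` reaches the JVM as one value. The `BASE` value, the function names and the two launcher styles are assumptions for illustration; the page does not say how the server start script consumes `AMBARI_JVM_ARGS` or why the single-quoted form fails on some platforms.

```shell
#!/bin/sh
# Constructed stand-in for whatever AMBARI_JVM_ARGS already holds.
BASE="-Xms512m"

# The two forms quoted in the comment, written on one line each.
SINGLE=$BASE" -Dcom.sun.jndi.ldap.connect.pool.protocol='plain ssl' -Dcom.sun.jndi.ldap.connect.pool.maxsize=20"
DOUBLE="$BASE -Dcom.sun.jndi.ldap.connect.pool.protocol=\"plain ssl\" -Dcom.sun.jndi.ldap.connect.pool.maxsize=20"

# Print one bracketed line per argument, i.e. the argv a child process would see.
print_args() { for a in "$@"; do printf '[%s]\n' "$a"; done; }

# Hypothetical launcher style 1: the variable is expanded unquoted.
# The shell only word-splits; quote characters stored in the value stay literal.
split_unquoted() { print_args $1; }

# Hypothetical launcher style 2: the string is parsed again by a shell
# (eval or sh -c). Only acceptable for trusted, admin-owned configuration.
split_reparsed() { eval "print_args $1"; }

# Helpers: number of arguments produced, and the pool.protocol argument itself.
count_args()   { "$1" "$2" | wc -l | tr -d ' '; }
protocol_arg() { "$1" "$2" | grep 'pool.protocol'; }

for form in SINGLE DOUBLE; do
  eval "value=\$$form"
  for style in split_unquoted split_reparsed; do
    printf '%s via %s: %s args, protocol arg %s\n' \
      "$form" "$style" "$(count_args "$style" "$value")" "$(protocol_arg "$style" "$value")"
  done
done
```

Under the unquoted style either form breaks the property into two arguments with a stray quote character attached, so the pooling setting only takes effect when the launcher re-parses the string.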