[
https://issues.apache.org/jira/browse/OAK-8890?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Manfred Baedke updated OAK-8890:
--------------------------------
Attachment: (was: OAK-8890.patch)
> LDAP login may fail if a server or intermediate silently drops connections
> --------------------------------------------------------------------------
>
> Key: OAK-8890
> URL: https://issues.apache.org/jira/browse/OAK-8890
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: auth-ldap
> Reporter: Manfred Baedke
> Assignee: Manfred Baedke
> Priority: Major
>
> This has been seen on production systems with Oak 1.10.2, where a firewall
> was configured to drop idle connections after a timeout without sending an
> RST (for security reasons). When this happens, the connection pool used by
> the LdapPrincipalProvider will still consider these connections healthy.
> Eventually such a connection will be used for an actual LDAP BIND/SEARCH,
> which will simply time out.
> The connection pool is an instance of
> org.apache.commons.pool.impl.GenericObjectPool, which has configuration
> options to deal with the scenario (namely running an eviction task which will
> properly close idle connections after a timeout which is shorter than the
> timeout interval used by the firewall).
> The creation of the connection pool used is hard coded and most of the
> configuration options are not available.
> I propose to change that. I'll supply a patch soon.
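The eviction settings the description refers to, shown as an added example that is not the OAK-8890 patch or Oak code. It assumes commons-pool 1.6 on the classpath; `FakeConnection`, `FakeConnectionFactory` and the 1000 ms firewall timeout are constructed stand-ins for the demo.

```java
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.commons.pool.BasePoolableObjectFactory;
import org.apache.commons.pool.impl.GenericObjectPool;

public class IdleEvictionDemo {
    // Constructed stand-in for a pooled LDAP connection; not an Oak or LDAP API class.
    static final class FakeConnection {
        final int id;
        volatile boolean closed;
        FakeConnection(int id) { this.id = id; }
    }

    // Hypothetical factory: "closing" a connection just sets a flag.
    static final class FakeConnectionFactory extends BasePoolableObjectFactory<FakeConnection> {
        private final AtomicInteger ids = new AtomicInteger();
        @Override public FakeConnection makeObject() { return new FakeConnection(ids.incrementAndGet()); }
        @Override public void destroyObject(FakeConnection c) { c.closed = true; }
        @Override public boolean validateObject(FakeConnection c) { return !c.closed; }
    }

    public static void main(String[] args) throws Exception {
        // Assumption for the demo: the firewall silently drops connections idle for 1000 ms.
        long firewallIdleTimeoutMs = 1000;

        GenericObjectPool<FakeConnection> pool =
                new GenericObjectPool<FakeConnection>(new FakeConnectionFactory());
        // A connection becomes evictable after half the firewall timeout ...
        pool.setMinEvictableIdleTimeMillis(firewallIdleTimeoutMs / 2);
        // ... and the evictor runs every quarter of it, so the worst case
        // (idle limit + one evictor period = 750 ms) stays below the firewall timeout.
        pool.setTimeBetweenEvictionRunsMillis(firewallIdleTimeoutMs / 4);
        // A value of -1 makes each run examine every idle connection (the default is 3).
        pool.setNumTestsPerEvictionRun(-1);
        // Also validate idle connections that are not yet old enough to evict.
        pool.setTestWhileIdle(true);

        FakeConnection first = pool.borrowObject();
        pool.returnObject(first);
        Thread.sleep(firewallIdleTimeoutMs); // stay idle as long as the firewall would allow

        FakeConnection second = pool.borrowObject();
        System.out.println("idle connection closed by evictor: " + first.closed);
        System.out.println("borrow returned a fresh connection: " + (second.id != first.id));
        pool.returnObject(second);
        pool.close();
    }
}
```

With the default settings (`timeBetweenEvictionRunsMillis` of -1) no evictor thread runs at all, which is why idle connections stay in the pool until they are borrowed.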