Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-15 Thread Daniel Fisher
On Wed, May 13, 2020 at 2:43 PM Baron Fujimoto  wrote:

>
> 2) We've empirically determined that if we shorten the default value for
> the LDAP pool validation from 600s to, say, 60s
> (cas.authn.ldap[0].validatePeriod=60) then this also mitigates the timeout
> problem. The shortened pool validation period seems to be sufficient to
> function as some sort of keepalive.
>

Sounds to me like your LB is terminating idle connections at around 60
seconds and that manifests with the JNDI error you're seeing. Network
appliances don't always do the best job of tearing down connections. This
feels like a half close scenario, where the LB terminates the connection to
the LDAP, but never sends a TCP reset to the client.


> Yet an actual AuthN succeeds via /cas/login. These AuthN attempts fail
> with the timeout error if we have not sufficiently shortened
> validatePeriod. Does this suggest that while validatePeriodically is
> failing (and adding a new connection on detecting the failure),
> validateOnCheckout is succeeding? And the shortened validatePeriod is
> somehow enabling this?
>

validateOnCheckout would only succeed if the connection being used was
under the 60 second idle timeout. Otherwise I would expect it to fail based
on your description of the problem. The reason it fails is that this
particular problem isn't manifesting as a connectivity error, it's
manifesting as a configuration error for response timeout. If you were
getting a typical TCP error a reconnect would happen naturally.


>
> Another aspect puzzling us is that, despite the PoolSizes being set to 1,
> CAS apparently attempts to validate 3 connections per periodic check. This
> appears to be supported by netstat's output, which also reports three
> connections:
>
> tcp  0  0 cas.example.edu:42090  ldap.example.edu:ldaps  ESTABLISHED
> tcp  0  0 cas.example.edu:42088  ldap.example.edu:ldaps  ESTABLISHED
> tcp  0  0 cas.example.edu:42086  ldap.example.edu:ldaps  ESTABLISHED
>
>
This isn't surprising, it's likely you've configured three distinct pools.
One for DN resolution, one for binds and one for entry resolution. (That
may be the CAS default...)

> We also note that even when we have the larger, default value for
> validatePeriod that results in the timeout failures, netstat still shows
> the three connections to ldap, so the OS still thinks the connections
> exist.
>

More evidence that you have a half open connection. What does netstat on
your directory report?

--Daniel Fisher

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFC6YwS%2BANwbmsRocqbwAmr8QZLpE36nskbOq3CQZ5O%2BubKqxQ%40mail.gmail.com.
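
The half-open diagnosis in the reply above can be checked with a small timeline model of one pooled connection behind a load balancer that drops idle flows without sending a reset. This is an added example, not code from the thread, CAS or ldaptive; the 90-second idle timeout, the login times and the rule that a failed request makes the pool replace the connection are assumptions of the model.

```python
"""Timeline model: pooled LDAP connection behind a load balancer that
silently forgets idle flows (the half-open case discussed in the thread)."""
from dataclasses import dataclass


@dataclass
class PooledConnection:
    last_activity: float = 0.0  # last time traffic crossed the load balancer
    generation: int = 1         # bumped each time the pool replaces the socket


@dataclass
class Event:
    time: int
    kind: str        # "validate" (periodic pool check) or "login" (checkout + use)
    idle_for: float  # seconds the connection had been idle when it was used
    ok: bool


def simulate(validate_period, lb_idle_timeout, login_times, horizon):
    """Replay periodic validations and logins against one pooled connection.

    Model assumptions (not taken from CAS or ldaptive source):
      * the load balancer drops a flow idle for more than lb_idle_timeout
        seconds and sends no RST, so the client socket stays ESTABLISHED;
      * a request on a dropped flow fails with a read timeout;
      * any successful request restarts the idle clock;
      * after a failure the pool opens a replacement connection.
    """
    timeline = [(t, "validate")
                for t in range(validate_period, horizon + 1, validate_period)]
    timeline += [(t, "login") for t in login_times if t <= horizon]
    timeline.sort()

    conn = PooledConnection()
    events = []
    for now, kind in timeline:
        idle = now - conn.last_activity
        ok = idle <= lb_idle_timeout
        if ok:
            conn.last_activity = now
        else:
            # Half-open: the client only learns the flow is dead by timing out.
            conn = PooledConnection(last_activity=now,
                                    generation=conn.generation + 1)
        events.append(Event(now, kind, idle, ok))
    return events, conn.generation


def failed(events, kind):
    """Times of the failed events of the given kind."""
    return [e.time for e in events if e.kind == kind and not e.ok]


# Constructed sample input: login times in seconds since pool start, and an
# assumed load-balancer idle timeout. Neither value comes from the thread.
LOGINS = [30, 100, 400, 650, 1510]
LB_IDLE_TIMEOUT = 90
HORIZON = 1800


if __name__ == "__main__":
    for period in (600, 60):  # default validatePeriod vs. the shortened one
        events, generation = simulate(period, LB_IDLE_TIMEOUT, LOGINS, HORIZON)
        print(f"validatePeriod={period}s "
              f"failed logins={failed(events, 'login')} "
              f"failed validations={failed(events, 'validate')} "
              f"connections opened={generation}")
```

With the 600-second period every validation finds a dead flow and logins fail whenever the connection has sat idle past the timeout; with the 60-second period the validation traffic itself keeps the flow alive, which matches the keepalive effect reported in the thread.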


Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-13 Thread Baron Fujimoto

On Wed, May 06, 2020 at 08:40:51AM -1000, Baron Fujimoto wrote:
> On Wed, May 06, 2020 at 02:15:39PM -0400, Daniel Fisher wrote:
>> On Wed, May 6, 2020 at 1:40 PM Baron Fujimoto wrote:
>>> On Tue, May 05, 2020 at 11:42:01PM -0400, Daniel Fisher wrote:
>>>> On Tue, May 5, 2020 at 11:15 PM Baron Fujimoto wrote:
>>>>> We're running CAS 5.0.10 under Tomcat 8.5.54 with LDAP (389DS) for
>>>>> authentication and attributes. We were previously using Java 1.0.8_212
>>>>> successfully. However, I recently upgraded the instance to use the
>>>>> current version of Java (251), and after doing so noticed that the LDAP
>>>>> connections quickly begin to time out with the following error:
>>>>>
>>>>> javax.naming.NamingException: LDAP response read timed out, timeout
>>>>> used:-1ms
>>>>
>>>> Do you have a responseTimeout duration configured?
>>>
>>> Not in our cas.properties, nor do I see a *responseTimeout in any of the
>>> properties in the CAS 5.0.x cas.properties reference here:
>>>
>>> <https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html>
>>>
>>> For the JNDI, I only find
>>>
>>> com.sun.jndi.ldap.connect.timeout
>>> com.sun.jndi.ldap.read.timeout
>>> sun.jndi.ldap.connect.pool.timeout
>>>
>>> <https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/jndi-ldap.html>
>>>
>>> Can you elaborate on this responseTimeout?
>>
>> Looks like this property isn't available in CAS until v5.1.0.
>>
>> Can you tell how long these operations are waiting? With that value set to
>> -1 it should default to the system TCP timeout.
>
> I'm not sure what the best way to determine that time period? From our CAS
> debug logs, I see:
>
> 2020-05-06 07:57:31,653 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] -
> 2020-05-06 07:57:31,653 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] -
> 2020-05-06 07:57:31,653 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] -
> 2020-05-06 07:57:31,654 DEBUG [org.ldaptive.SearchOperation] -
> 2020-05-06 07:57:31,657 DEBUG [org.ldaptive.provider.jndi.NamingExceptionUtils] -
> 2020-05-06 07:57:31,657 DEBUG [org.ldaptive.pool.SearchValidator] -
> org.ldaptive.LdapException: javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms.; remaining name ''
>    at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55) ~[ldaptive-1.2.0.jar:?]
>    ...
>
> So judging by the DEBUG timestamps, only 4 ms elapses between the start of the
> AuthN attempt and the SearchValidator timeout failure. Should I try to
> corroborate this via LDAP logs?
>
>> There is or was open bugs related to this:
>> https://bugs.openjdk.java.net/browse/JDK-8057017
>> I wonder if there is a regression in later versions of Java 8.
>
> I did find, as noted in another branch of this thread, this bugfix in v231,
> which coincidentally(?) is the version where we begin to see this problem. It's
> the only reference I found in the JDK v221+ release notes to javax.naming or
> LDAP related bugs.



We're still wrestling with this, but have uncovered a few more details in case 
it provides any new insight into the problem.

1) Our LDAP is actually a cluster behind an F5 load balancer. If we point CAS 
at non-load balanced LDAP host, we do not see the timeout problem. It appears 
that both JDK 8u231+ *and* LDAP behind the load balancer are necessary 
conditions to trigger the timeout error.

2) We've empirically determined that if we shorten the default value for the 
LDAP pool validation from 600s to, say, 60s 
(cas.authn.ldap[0].validatePeriod=60) then this also mitigates the timeout 
problem. The shortened pool validation period seems to be sufficient to 
function as some sort of keepalive.

3) In an attempt to simplify our troubleshooting, we also set minPoolSize = 
maxPoolSize = 1. However, there are several things from the logs I don't 
understand. Despite the poolSize being set to 1, CAS appears to attempt to 
periodically validate 3 connections, all of which routinely fail. Ex.:

2020-05-13 06:00:59,008 WARN [org.ldaptive.pool.BlockingConnectionPool] - 

2020-05-13 06:00:59,087 WARN [org.ldaptive.pool.BlockingConnectionPool] - 

2020-05-13 06:00:59,191 WARN [org.ldaptive.pool.BlockingConnectionPool] - 

2020-05-13 06:01:59,008 WARN [org.ldaptive.pool.BlockingConnectionPool] - 

2020-05-13 06:01:59,087 WARN [org.ldaptive.pool.BlockingConnectionPool] - 

2020-05-13 06:01:59,192 WARN [org.ldaptive.pool.BlockingConnectionPool] - 

2020-05-13 06:02:59,008 WARN [org.ldaptive.pool.BlockingConnectionPool] - 

2020-05-13 06:02:59,087 WARN [org.ldaptive.pool.BlockingConnectionPool] - 

2020-05-13 06:02:59,191 WARN [org.ldaptive.pool.BlockingConnectionPool] - 


For each of these, there is a corresponding

2020-05-13 06:00:59,008 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - 
= 1 for 
[org.ldaptive.pool.BlockingConnectionPool@[...]
...
2020-05-13 06:00:59,059 DEBUG [org.ldaptive.BindOperation] - 
2020-05-13 06:00:59,062 DEBUG [org.ldaptive.pool.BlockingConnectionPool] - 

As can be seen from the previous set of logs, 

Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-07 Thread Daniel Fisher
On Wed, May 6, 2020 at 2:41 PM Baron Fujimoto  wrote:

> So judging by the DEBUG timestamps, only 4 ms elapses between the start of
> the AuthN attempt and the SearchValidator timeout failure. Should I try to
> corroborate this via LDAP logs?
>

Couldn't hurt, but I wonder if there is some other difference between
the JVMs. Something that would make TCP timeouts much shorter.

--Daniel Fisher



Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-06 Thread Baron Fujimoto

On Wed, May 06, 2020 at 02:15:39PM -0400, Daniel Fisher wrote:
> On Wed, May 6, 2020 at 1:40 PM Baron Fujimoto wrote:
>> On Tue, May 05, 2020 at 11:42:01PM -0400, Daniel Fisher wrote:
>>> On Tue, May 5, 2020 at 11:15 PM Baron Fujimoto wrote:
>>>> We're running CAS 5.0.10 under Tomcat 8.5.54 with LDAP (389DS) for
>>>> authentication and attributes. We were previously using Java 1.0.8_212
>>>> successfully. However, I recently upgraded the instance to use the
>>>> current version of Java (251), and after doing so noticed that the LDAP
>>>> connections quickly begin to time out with the following error:
>>>>
>>>> javax.naming.NamingException: LDAP response read timed out, timeout
>>>> used:-1ms
>>>
>>> Do you have a responseTimeout duration configured?
>>
>> Not in our cas.properties, nor do I see a *responseTimeout in any of the
>> properties in the CAS 5.0.x cas.properties reference here:
>>
>> <https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html>
>>
>> For the JNDI, I only find
>>
>> com.sun.jndi.ldap.connect.timeout
>> com.sun.jndi.ldap.read.timeout
>> sun.jndi.ldap.connect.pool.timeout
>>
>> <https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/jndi-ldap.html>
>>
>> Can you elaborate on this responseTimeout?
>
> Looks like this property isn't available in CAS until v5.1.0.
>
> Can you tell how long these operations are waiting? With that value set to
> -1 it should default to the system TCP timeout.

I'm not sure what the best way to determine that time period? From our CAS
debug logs, I see:

2020-05-06 07:57:31,653 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] -
2020-05-06 07:57:31,653 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] -
2020-05-06 07:57:31,653 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] -
2020-05-06 07:57:31,654 DEBUG [org.ldaptive.SearchOperation] -
2020-05-06 07:57:31,657 DEBUG [org.ldaptive.provider.jndi.NamingExceptionUtils] -
2020-05-06 07:57:31,657 DEBUG [org.ldaptive.pool.SearchValidator] -
org.ldaptive.LdapException: javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms.; remaining name ''
   at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:55) ~[ldaptive-1.2.0.jar:?]
   ...

So judging by the DEBUG timestamps, only 4 ms elapses between the start of the
AuthN attempt and the SearchValidator timeout failure. Should I try to
corroborate this via LDAP logs?

> There is or was open bugs related to this:
> https://bugs.openjdk.java.net/browse/JDK-8057017
> I wonder if there is a regression in later versions of Java 8.

I did find, as noted in another branch of this thread, this bugfix in v231,
which coincidentally(?) is the version where we begin to see this problem. It's
the only reference I found in the JDK v221+ release notes to javax.naming or
LDAP related bugs.


--
UH Information Technology Services : Identity & Access Mgmt, Middleware
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum



Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-06 Thread Baron Fujimoto

On Wed, May 06, 2020 at 03:48:46PM +, Ray Bon wrote:
> Baron,
>
> I seem to recall a bug in the JVM with some versions that affected ldap
> connections. It did not affect us so I really did not pay close attention.
> If you recently upgraded your java, you might want to look in to this.
>
> Ray

My searches turned up some references to LDAP timeout bugs in significantly
older versions of the JDK, but none for the most recent versions since 221.

I did find this in the bugfix list for 231 though, which coincides with the
version where we first encounter the problem:



> On Tue, 2020-05-05 at 17:14 -1000, Baron Fujimoto wrote:
>> Notice: This message was sent from outside the University of Victoria email
>> system. Please be cautious with links and sensitive information.
>>
>> We're running CAS 5.0.10 under Tomcat 8.5.54 with LDAP (389DS) for
>> authentication and attributes. We were previously using Java 1.0.8_212
>> successfully. However, I recently upgraded the instance to use the current
>> version of Java (251), and after doing so noticed that the LDAP connections
>> quickly begin to time out with the following error:
>>
>> javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms
>>
>> From the CAS login perspective, the user authentications fail.
>>
>> I've empirically determined that this appears to happen with a version of Java
>> 8 higher than 221 (i.e. 231, 241, 251). I didn't see anything in the JDK
>> release notes for 231 that appear to be relevant.
>>
>> <https://www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html>
>>
>> I've also tried explicitly setting
>>
>> "-Dcom.sun.jndi.ldap.read.timeout=-1" and
>> "-Dcom.sun.jndi.ldap.read.timeout=180"
>>
>> java opts when I start the CAS processes with no apparent effect.
>>
>> FWIW, the Tomcat version doesn't seem to matter, and I'm also seeing similar
>> behavior when I attempt the same upgrade in our Grouper deployment.
>>
>> Any suggestions or ideas would be appreciated.
>>
>> --
>> UH Information Technology Services : Identity & Access Mgmt, Middleware
>> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum



> --
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.


--
UH Information Technology Services : Identity & Access Mgmt, Middleware
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum



Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-06 Thread Daniel Fisher
On Wed, May 6, 2020 at 1:40 PM Baron Fujimoto  wrote:

> On Tue, May 05, 2020 at 11:42:01PM -0400, Daniel Fisher wrote:
> >On Tue, May 5, 2020 at 11:15 PM Baron Fujimoto wrote:
> >
> >> We're running CAS 5.0.10 under Tomcat 8.5.54 with LDAP (389DS) for
> >> authentication and attributes. We were previously using Java 1.0.8_212
> >> successfully. However, I recently upgraded the instance to use the current
> >> version of Java (251), and after doing so noticed that the LDAP connections
> >> quickly begin to time out with the following error:
> >>
> >> javax.naming.NamingException: LDAP response read timed out, timeout
> >> used:-1ms
> >
> >Do you have a responseTimeout duration configured?
>
> Not in our cas.properties, nor do I see a *responseTimeout in any of the
> properties in the CAS 5.0.x cas.properties reference here:
>
> <https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html>
>
> For the JNDI, I only find
>
> com.sun.jndi.ldap.connect.timeout
> com.sun.jndi.ldap.read.timeout
> sun.jndi.ldap.connect.pool.timeout
>
> <https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/jndi-ldap.html>
>
> Can you elaborate on this responseTimeout?
>

Looks like this property isn't available in CAS until v5.1.0.

Can you tell how long these operations are waiting? With that value set to
-1 it should default to the system TCP timeout.

There is or was open bugs related to this:
https://bugs.openjdk.java.net/browse/JDK-8057017
I wonder if there is a regression in later versions of Java 8.

--Daniel Fisher



Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-06 Thread Baron Fujimoto

On Tue, May 05, 2020 at 11:42:01PM -0400, Daniel Fisher wrote:
> On Tue, May 5, 2020 at 11:15 PM Baron Fujimoto wrote:
>> We're running CAS 5.0.10 under Tomcat 8.5.54 with LDAP (389DS) for
>> authentication and attributes. We were previously using Java 1.0.8_212
>> successfully. However, I recently upgraded the instance to use the current
>> version of Java (251), and after doing so noticed that the LDAP connections
>> quickly begin to time out with the following error:
>>
>> javax.naming.NamingException: LDAP response read timed out, timeout
>> used:-1ms
>
> Do you have a responseTimeout duration configured?

Not in our cas.properties, nor do I see a *responseTimeout in any of the
properties in the CAS 5.0.x cas.properties reference here:



For the JNDI, I only find

com.sun.jndi.ldap.connect.timeout
com.sun.jndi.ldap.read.timeout
sun.jndi.ldap.connect.pool.timeout

<https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/jndi-ldap.html>

Can you elaborate on this responseTimeout?

--
UH Information Technology Services : Identity & Access Mgmt, Middleware
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum



Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-06 Thread Daniel Fisher
That JNDI bug affects Java versions 9-13. And doesn't affect CAS unless
you've specifically enabled the JndiProvider. I believe the UnboundID
provider is enabled by default.

--Daniel Fisher

On Wed, May 6, 2020 at 11:48 AM Ray Bon  wrote:

> Baron,
>
> I seem to recall a bug in the JVM with some versions that affected ldap
> connections. It did not affect us so I really did not pay close attention.
> If you recently upgraded your java, you might want to look in to this.
>
> Ray
>
> On Tue, 2020-05-05 at 17:14 -1000, Baron Fujimoto wrote:
>
> Notice: This message was sent from outside the University of Victoria email 
> system. Please be cautious with links and sensitive information.
>
>
>
> We're running CAS 5.0.10 under Tomcat 8.5.54 with LDAP (389DS) for 
> authentication and attributes. We were previously using Java 1.0.8_212 
> successfully. However, I recently upgraded the instance to use the current 
> version of Java (251), and after doing so noticed that the LDAP connections 
> quickly begin to time out with the following error:
>
>
> javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms
>
>
>  From the CAS login perspective, the user authentications fail.
>
>
> I've empirically determined that this appears to happen with a version of
> Java 8 higher than 221 (i.e. 231, 241, 251). I didn't see anything in the JDK
> release notes for 231 that appear to be relevant.
>
> <https://www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html>
>
>
> I've also tried explicitly setting
>
>
> "-Dcom.sun.jndi.ldap.read.timeout=-1" and 
> "-Dcom.sun.jndi.ldap.read.timeout=180"
>
>
> java opts when I start the CAS processes with no apparent effect.
>
>
> FWIW, the Tomcat version doesn't seem to matter, and I'm also seeing similar 
> behavior when I attempt the same upgrade in our Grouper deployment.
>
>
> Any suggestions or ideas would be appreciated.
>
> --
>
> UH Information Technology Services : Identity & Access Mgmt, Middleware
>
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>



Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-06 Thread Ray Bon
Baron,

I seem to recall a bug in the JVM with some versions that affected ldap 
connections. It did not affect us so I really did not pay close attention.
If you recently upgraded your java, you might want to look in to this.

Ray

On Tue, 2020-05-05 at 17:14 -1000, Baron Fujimoto wrote:
> Notice: This message was sent from outside the University of Victoria email
> system. Please be cautious with links and sensitive information.
>
> We're running CAS 5.0.10 under Tomcat 8.5.54 with LDAP (389DS) for
> authentication and attributes. We were previously using Java 1.0.8_212
> successfully. However, I recently upgraded the instance to use the current
> version of Java (251), and after doing so noticed that the LDAP connections
> quickly begin to time out with the following error:
>
> javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms
>
> From the CAS login perspective, the user authentications fail.
>
> I've empirically determined that this appears to happen with a version of Java
> 8 higher than 221 (i.e. 231, 241, 251). I didn't see anything in the JDK
> release notes for 231 that appear to be relevant.
>
> <https://www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html>
>
> I've also tried explicitly setting
>
> "-Dcom.sun.jndi.ldap.read.timeout=-1" and
> "-Dcom.sun.jndi.ldap.read.timeout=180"
>
> java opts when I start the CAS processes with no apparent effect.
>
> FWIW, the Tomcat version doesn't seem to matter, and I'm also seeing similar
> behavior when I attempt the same upgrade in our Grouper deployment.
>
> Any suggestions or ideas would be appreciated.
>
> --
> UH Information Technology Services : Identity & Access Mgmt, Middleware
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum



--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.



Re: [cas-user] LDAP timeouts after Java upgrade

2020-05-05 Thread Daniel Fisher
On Tue, May 5, 2020 at 11:15 PM Baron Fujimoto  wrote:

> We're running CAS 5.0.10 under Tomcat 8.5.54 with LDAP (389DS) for
> authentication and attributes. We were previously using Java 1.0.8_212
> successfully. However, I recently upgraded the instance to use the current
> version of Java (251), and after doing so noticed that the LDAP connections
> quickly begin to time out with the following error:
>
> javax.naming.NamingException: LDAP response read timed out, timeout
> used:-1ms
>

Do you have a responseTimeout duration configured?

--Daniel Fisher
