Manfred Baedke created OAK-8890:
-----------------------------------

             Summary: LDAP login may fail if a server or intermediate silently drops connections
                 Key: OAK-8890
                 URL: https://issues.apache.org/jira/browse/OAK-8890
             Project: Jackrabbit Oak
          Issue Type: Bug
          Components: auth-ldap
            Reporter: Manfred Baedke
            Assignee: Manfred Baedke
This has been seen on production systems with Oak 1.10.2, where a firewall was configured to drop idle connections after a timeout without sending an RST (for security reasons). When this happens, the connection pool used by the LdapPrincipalProvider will still consider these connections healthy. Eventually such a connection will be used for an actual LDAP BIND/SEARCH, which will simply time out.

The connection pool is an instance of org.apache.commons.pool.impl.GenericObjectPool, which has configuration options to deal with the scenario (namely running an eviction task which will properly close idle connections after a timeout which is shorter than the timeout interval used by the firewall). The creation of the connection pool used is hard coded and most of the configuration options are not available. I propose to change that. I'll supply a patch soon.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
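As an added example (not part of this issue and not Oak's code), the eviction configuration the description refers to, written against the commons-pool 1.6 GenericObjectPool.Config API. The LDAP client calls (LdapNetworkConnection, setTimeOut, connect, bind, getRootDse, isConnected, isAuthenticated, close) assume the Apache Directory LDAP API; the factory class LdapBindFactory, the helper requireEvictionBeatsFirewall, and the host, port, bind DN, password and five-minute firewall timeout are constructed for the example.

```java
import org.apache.commons.pool.BasePoolableObjectFactory;
import org.apache.commons.pool.impl.GenericObjectPool;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

// Added example, not Oak code: a GenericObjectPool of LDAP connections whose
// eviction settings are derived from the firewall's idle timeout, so that a
// connection an intermediate has silently dropped is closed by the evictor
// before it can be handed out for a BIND or SEARCH.
public class EvictingLdapPool {

    // Hypothetical factory: creates, validates and destroys pooled connections.
    static final class LdapBindFactory extends BasePoolableObjectFactory<LdapNetworkConnection> {
        private final String host;
        private final int port;
        private final String bindDn;
        private final String bindPassword;
        private final long requestTimeoutMillis;

        LdapBindFactory(String host, int port, String bindDn, String bindPassword, long requestTimeoutMillis) {
            this.host = host;
            this.port = port;
            this.bindDn = bindDn;
            this.bindPassword = bindPassword;
            this.requestTimeoutMillis = requestTimeoutMillis;
        }

        @Override
        public LdapNetworkConnection makeObject() throws Exception {
            LdapNetworkConnection conn = new LdapNetworkConnection(host, port);
            // Bound every request: on a silently dropped connection no reply ever
            // arrives, so without a timeout the caller would hang indefinitely.
            conn.setTimeOut(requestTimeoutMillis);
            conn.connect();
            conn.bind(bindDn, bindPassword);
            return conn;
        }

        @Override
        public boolean validateObject(LdapNetworkConnection conn) {
            // isConnected() only reflects the local socket, which a silent drop
            // leaves looking open. A RootDSE read forces a round trip and fails
            // (times out) on a connection the firewall has discarded.
            try {
                return conn.isConnected() && conn.getRootDse() != null;
            } catch (Exception e) {
                return false;
            }
        }

        @Override
        public void destroyObject(LdapNetworkConnection conn) throws Exception {
            conn.close();
        }
    }

    // Eviction must finish before the firewall's idle timer fires. An idle
    // connection can sit unexamined for minEvictableIdleTimeMillis plus one
    // full eviction interval, so that sum is what has to stay below the timeout.
    static void requireEvictionBeatsFirewall(GenericObjectPool.Config c, long firewallIdleTimeoutMillis) {
        if (c.timeBetweenEvictionRunsMillis <= 0) {
            throw new IllegalArgumentException("evictor disabled: idle connections are never closed");
        }
        long worstCaseIdle = c.minEvictableIdleTimeMillis + c.timeBetweenEvictionRunsMillis;
        if (worstCaseIdle >= firewallIdleTimeoutMillis) {
            throw new IllegalArgumentException("worst-case idle " + worstCaseIdle
                    + " ms is not below firewall idle timeout " + firewallIdleTimeoutMillis + " ms");
        }
    }

    public static GenericObjectPool<LdapNetworkConnection> createPool(
            LdapBindFactory factory, long firewallIdleTimeoutMillis, int maxConnections) {
        GenericObjectPool.Config c = new GenericObjectPool.Config();
        c.maxActive = maxConnections;
        c.maxIdle = maxConnections;
        c.whenExhaustedAction = GenericObjectPool.WHEN_EXHAUSTED_BLOCK;
        c.maxWait = 10_000L;                                             // wait at most 10 s for a free connection
        c.minEvictableIdleTimeMillis = firewallIdleTimeoutMillis / 2;    // close after half the firewall timeout
        c.timeBetweenEvictionRunsMillis = firewallIdleTimeoutMillis / 4; // run the evictor often enough to notice
        c.numTestsPerEvictionRun = -1;   // negative: examine every idle connection on each run
        c.testWhileIdle = true;          // validate the connections that survive the age check
        c.testOnBorrow = true;           // last line of defence for anything that slipped through
        requireEvictionBeatsFirewall(c, firewallIdleTimeoutMillis);
        return new GenericObjectPool<LdapNetworkConnection>(factory, c);
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: an LDAP server behind a firewall that drops idle
        // flows after five minutes without sending an RST.
        long firewallIdleTimeoutMillis = 5 * 60 * 1000L;
        LdapBindFactory factory = new LdapBindFactory("ldap.example.com", 389,
                "cn=reader,dc=example,dc=com", "reader-password", 10_000L);
        GenericObjectPool<LdapNetworkConnection> pool = createPool(factory, firewallIdleTimeoutMillis, 8);

        LdapNetworkConnection conn = pool.borrowObject();   // validated on borrow
        try {
            System.out.println("authenticated: " + conn.isAuthenticated());
        } finally {
            pool.returnObject(conn);
        }
        pool.close();
    }
}
```

With these settings a connection is examined at most three quarters of the way through the firewall's idle window (half for the age threshold plus one quarter-length eviction interval), so it is closed by the pool, not by the firewall. The RootDSE round trip performed by testWhileIdle also counts as traffic from the firewall's point of view, so it doubles as a keepalive for connections that remain in the pool; the per-request timeout set in makeObject is what turns a request on an already-dropped connection into a prompt validation failure instead of a hang.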