Manfred Baedke created OAK-8890:
-----------------------------------
Summary: LDAP login may fail if a server or intermediate silently drops connections
Key: OAK-8890
URL: https://issues.apache.org/jira/browse/OAK-8890
Project: Jackrabbit Oak
Issue Type: Bug
Components: auth-ldap
Reporter: Manfred Baedke
Assignee: Manfred Baedke
This has been seen on production systems with Oak 1.10.2, where a firewall was
configured to drop idle connections after a timeout without sending an RST (for
security reasons). When this happens, the connection pool used by the
LdapPrincipalProvider will still consider these connections healthy. Eventually
such a connection will be used for an actual LDAP BIND/SEARCH, which will
simply time out.
The connection pool is an instance of
org.apache.commons.pool.impl.GenericObjectPool, which has configuration options
to deal with the scenario (namely running an eviction task which will properly
close idle connections after a timeout which is shorter than the timeout
interval used by the firewall).
The creation of the connection pool used is hard coded and most of the
configuration options are not available.
I propose to change that. I'll supply a patch soon.
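For readers unfamiliar with the GenericObjectPool options the description refers to, the following is an added illustration (not Oak code, and not the patch proposed above) of how a commons-pool 1.x pool is configured so that idle connections are closed before a firewall's silent idle timeout expires. The connection class and factory are stand-ins invented for this example; a real pool would wrap LDAP connections, and the concrete timeout values are assumptions that must be derived from the firewall's actual idle timeout.

```java
import org.apache.commons.pool.BasePoolableObjectFactory;
import org.apache.commons.pool.impl.GenericObjectPool;

/**
 * Added example: configures GenericObjectPool (commons-pool 1.x) with an
 * evictor thread so that connections idle longer than a chosen threshold are
 * closed and recreated instead of being handed out dead.
 */
public class EvictingPoolExample {

    /** Stand-in for a pooled connection (constructed for this example). */
    static final class FakeConnection {
        private boolean closed;
        boolean isAlive() { return !closed; }
        void close() { closed = true; }
    }

    /** Stand-in factory; a real one would open/close LDAP connections. */
    static final class FakeConnectionFactory extends BasePoolableObjectFactory<FakeConnection> {
        @Override public FakeConnection makeObject() { return new FakeConnection(); }
        @Override public void destroyObject(FakeConnection c) { c.close(); }
        // Note: local validation cannot see a TCP session a firewall dropped
        // without RST; the idle-time threshold below is what actually helps.
        @Override public boolean validateObject(FakeConnection c) { return c.isAlive(); }
    }

    /**
     * Builds a pool whose idle connections are evicted well before the
     * firewall's idle timeout. Both durations are in milliseconds.
     */
    static GenericObjectPool<FakeConnection> newPool(long firewallIdleTimeoutMillis) {
        GenericObjectPool.Config cfg = new GenericObjectPool.Config();
        // > 0 starts the evictor thread (the default of -1 never runs it).
        cfg.timeBetweenEvictionRunsMillis = firewallIdleTimeoutMillis / 4;
        // Close anything idle for half the firewall timeout; must stay below it.
        cfg.minEvictableIdleTimeMillis = firewallIdleTimeoutMillis / 2;
        // Also validate idle objects on each eviction run and on borrow.
        cfg.testWhileIdle = true;
        cfg.testOnBorrow = true;
        // Negative value: examine all idle objects on every eviction run.
        cfg.numTestsPerEvictionRun = -1;
        return new GenericObjectPool<FakeConnection>(new FakeConnectionFactory(), cfg);
    }

    public static void main(String[] args) throws Exception {
        // Assumed firewall idle timeout of 10 minutes (example value).
        GenericObjectPool<FakeConnection> pool = newPool(10L * 60L * 1000L);
        FakeConnection c = pool.borrowObject();
        pool.returnObject(c);          // now idle; evictor will retire it in time
        System.out.println("idle in pool: " + pool.getNumIdle());
        pool.close();
    }
}
```

The key relationship is minEvictableIdleTimeMillis (plus one eviction interval) staying below the firewall's idle timeout; validation alone does not help here because a silently dropped session looks open from the local side until a request is attempted.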
--
This message was sent by Atlassian Jira
(v8.3.4#803005)