Hi All,
I have encountered an issue with the LDAP authentication module in Apache
ActiveMQ Artemis. It appears that in some cases the connectionTimeout value
is being used instead of the configured readTimeout.
Configuration of the LDAPLogin module:
connectionTimeout = 500 ms - for faster failover to the next LDAP server.
readTimeout = 5000 ms - as the LDAP server should not take longer to
respond.
With a connectionURL containing three LDAP servers, everything worked as
expected. After switching to a single LDAP server (which is actually a load
balancer for all LDAP servers), I started seeing the following error
messages in the logs, occurring approximately 1-7 times per hour:
AMQ224084 Failed to open context
javax.naming.NamingException: LDAP response read timed out, timeout used: 500 ms.
The issue only started after switching from multiple LDAP servers to a
single load-balanced LDAP endpoint.
I have recorded and examined a tcpdump capture. It looks like the broker breaks
the connection with the LDAP server when, after connecting, it has not received
a reply within 500 ms.
After setting both timeouts to 5000 ms it seems to work fine.
Has anyone experienced a similar situation where the connectionTimeout is
applied instead of the readTimeout in the LDAP authentication module?
Environment: ActiveMQ Artemis version 2.39.0, OpenJDK version 17.0.15, OS
AlmaLinux 9.
LDAP is Microsoft Active Directory.
Any suggestions or insights would be greatly appreciated.
Full stack trace:
javax.naming.NamingException: LDAP response read timed out, timeout used: 500 ms.
at java.naming/com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:129) ~[?:?]
at java.naming/com.sun.jndi.ldap.Connection.readReply(Connection.java:447) ~[?:?]
at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:365) ~[?:?]
at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) ~[?:?]
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2896) ~[?:?]
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348) ~[?:?]
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229) ~[?:?]
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189) ~[?:?]
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247) ~[?:?]
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[?:?]
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) ~[?:?]
at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:732) ~[?:?]
at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) ~[?:?]
at java.naming/javax.naming.InitialContext.init(InitialContext.java:236) ~[?:?]
at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208) ~[?:?]
at java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:130) ~[?:?]
at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.lambda$openContext$3(LDAPLoginModule.java:711) ~[artemis-server-2.39.0.jar:2.39.0]
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
at java.base/javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]
at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.openContext(LDAPLoginModule.java:711) ~[artemis-server-2.39.0.jar:2.39.0]
at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.resolveDN(LDAPLoginModule.java:345) ~[artemis-server-2.39.0.jar:2.39.0]
at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.authenticate(LDAPLoginModule.java:313) ~[artemis-server-2.39.0.jar:2.39.0]
at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.login(LDAPLoginModule.java:217) ~[artemis-server-2.39.0.jar:2.39.0]
at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:?]
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679) ~[?:?]
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677) ~[?:?]
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677) ~[?:?]
at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:?]
at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:151) ~[artemis-server-2.39.0.jar:2.39.0]
at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.authenticate(ActiveMQJAASSecurityManager.java:97) ~[artemis-server-2.39.0.jar:2.39.0]
at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:221) ~[artemis-server-2.39.0.jar:2.39.0]
at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.validateUser(ActiveMQServerImpl.java:1803) ~[artemis-server-2.39.0.jar:2.39.0]
at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.handleCreateSession(ActiveMQPacketHandler.java:183) ~[artemis-server-2.39.0.jar:2.39.0]
at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.internalHandler(ActiveMQPacketHandler.java:106) ~[artemis-server-2.39.0.jar:2.39.0]
at org.apache.activemq.artemis.utils.actors.Actor.doTask(Actor.java:32) ~[artemis-commons-2.39.0.jar:2.39.0]
at org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:68) ~[artemis-commons-2.39.0.jar:2.39.0]
at org.apache.activemq.artemis.utils.actors.OrderedExecutor.doTask(OrderedExecutor.java:57) ~[artemis-commons-2.39.0.jar:2.39.0]
at org.apache.activemq.artemis.utils.actors.OrderedExecutor.doTask(OrderedExecutor.java:32) ~[artemis-commons-2.39.0.jar:2.39.0]
at org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:68) ~[artemis-commons-2.39.0.jar:2.39.0]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118) [artemis-commons-2.39.0.jar:2.39.0]
--
Regards,
Alexander
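The post rests on two observations: that the "timeout used" value in the AMQ224084 failures equals the configured connectionTimeout (500 ms) rather than the readTimeout (5000 ms), and that the failures recur a handful of times per hour. The script below is an added example, not part of Alexander's message or of the Artemis project; it scans broker log text for AMQ224084 lines, pairs each with the NamingException line that follows, and reports which configured value the JNDI client actually waited for and how many failures fell in each hour. The log line layout (timestamp, level, category) and the sample lines are constructed for the example and are assumptions about the broker's log format.

```python
"""Check ActiveMQ Artemis broker logs for AMQ224084 LDAP read-timeout failures.

Added example (not from the original mailing-list post). It pairs each
AMQ224084 line with the NamingException line that follows it, extracts the
"timeout used: N ms" value, and reports whether that value equals the
configured readTimeout or the configured connectionTimeout, plus how many
failures occurred per hour. Log layout and sample lines are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log excerpt; the timestamp/level/category layout is an
# assumption about the broker's log format, not copied from the post.
SAMPLE_LOG = """\
2025-06-01 10:03:12,481 WARN  [org.apache.activemq.artemis.core.server] AMQ224084: Failed to open context
javax.naming.NamingException: LDAP response read timed out, timeout used: 500 ms.
2025-06-01 10:41:55,002 WARN  [org.apache.activemq.artemis.core.server] AMQ224084: Failed to open context
javax.naming.NamingException: LDAP response read timed out, timeout used: 500 ms.
2025-06-01 11:17:09,773 WARN  [org.apache.activemq.artemis.core.server] AMQ224084: Failed to open context
javax.naming.NamingException: LDAP response read timed out, timeout used: 5000 ms.
2025-06-01 11:20:00,000 INFO  [org.apache.activemq.artemis.core.server] AMQ221007: Server is now live
"""

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
TIMEOUT_RE = re.compile(r"LDAP response read timed out, timeout used: (\d+) ms")


def parse_read_timeouts(log_text):
    """Return [(timestamp, timeout_ms), ...] for every AMQ224084 whose cause
    line reports an LDAP read timeout. Lines are processed in order, so the
    exception line is attributed to the most recent AMQ224084 line."""
    events = []
    pending = None  # timestamp of an AMQ224084 line awaiting its cause line
    for line in log_text.splitlines():
        if "AMQ224084" in line:
            match = TIMESTAMP_RE.match(line)
            pending = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S") if match else None
            continue
        match = TIMEOUT_RE.search(line)
        if match and pending is not None:
            events.append((pending, int(match.group(1))))
            pending = None
    return events


def check_timeouts(events, connection_timeout_ms, read_timeout_ms):
    """Classify each failure by which configured value the JNDI client waited
    for, and bucket failures per hour. A non-zero matched_connection_timeout
    count while the two settings differ is the symptom the post describes."""
    report = {
        "total": len(events),
        "matched_read_timeout": 0,
        "matched_connection_timeout": 0,
        "other": 0,
        "per_hour": Counter(),
    }
    for timestamp, used_ms in events:
        if used_ms == read_timeout_ms:
            report["matched_read_timeout"] += 1
        elif used_ms == connection_timeout_ms:
            report["matched_connection_timeout"] += 1
        else:
            report["other"] += 1
        report["per_hour"][timestamp.strftime("%Y-%m-%d %H:00")] += 1
    return report


if __name__ == "__main__":
    # Timeout values taken from the post's LDAPLoginModule configuration.
    found = parse_read_timeouts(SAMPLE_LOG)
    result = check_timeouts(found, connection_timeout_ms=500, read_timeout_ms=5000)
    print(f"AMQ224084 read-timeout failures: {result['total']}")
    print(f"  waited readTimeout (5000 ms):      {result['matched_read_timeout']}")
    print(f"  waited connectionTimeout (500 ms): {result['matched_connection_timeout']}")
    for hour, count in sorted(result["per_hour"].items()):
        print(f"  {hour}: {count}")
```

Run it against the real broker log by replacing SAMPLE_LOG with the file contents and passing the values actually set in login.config; if matched_connection_timeout stays at zero after the two settings are made to differ again, the symptom is gone, and the per-hour buckets make it easy to see whether the rate tracks load on the load-balanced endpoint.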