> Has anyone experienced a similar situation where the connectionTimeout is applied instead of the readTimeout in the LDAP authentication module?
I've not seen this before, but I'm not a heavy user of the LDAPLoginModule. For what it's worth, I can't recall any similar reports from other users.

It's worth noting that the LDAPLoginModule delegates LDAP connectivity to the underlying JVM, specifically com.sun.jndi.ldap.LdapCtxFactory. You can see here [1] that the LDAPLoginModule sets the corresponding properties to the appropriate values [2]. Therefore, if there is something getting mixed up I think it's likely not happening in broker code.

That said, looking through the OpenJDK code for 17.0.15 [3] I don't see any obvious problems.

Justin

[1] https://github.com/apache/activemq-artemis/blob/5729a7264b3296187bf844663fbec8bd1856c11b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java#L662
[2] https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/jndi-ldap.html#PROP
[3] https://github.com/openjdk/jdk/tree/jdk-17%2B15

On Tue, Sep 16, 2025 at 10:50 AM Alexander Milovidov <[email protected]> wrote:

> Hi All,
>
> I have encountered an issue with the LDAP authentication module in Apache ActiveMQ Artemis. It appears that in some cases the connectionTimeout value is being used instead of the configured readTimeout.
>
> Configuration of the LDAPLogin module:
> connectionTimeout = 500 ms - for faster failover to the next LDAP server.
> readTimeout = 5000 ms - as the LDAP server should not take longer to respond.
>
> With a connectionURL containing three LDAP servers, everything worked as expected. After switching to a single LDAP server (which is actually a load balancer for all LDAP servers), I started seeing the following error messages in the logs, occurring approximately 1-7 times per hour:
> AMQ224084 Failed to open context
> javax.naming.NamingException: LDAP response read timed out, timeout used: 500 ms.
>
> The issue only started after switching from multiple LDAP servers to a single load-balanced LDAP endpoint.
> I have recorded and examined tcpdump. It looks like the broker breaks the connection with the LDAP server when it was connected and did not receive a reply after 500 ms.
> After setting both timeouts to 5000 ms it seems to work fine.
>
> Has anyone experienced a similar situation where the connectionTimeout is applied instead of the readTimeout in the LDAP authentication module?
>
> Environment: ActiveMQ Artemis version 2.39.0, OpenJDK version 17.0.15, OS AlmaLinux 9.
> LDAP is Microsoft Active Directory.
>
> Any suggestions or insights would be greatly appreciated.
>
> Full stack trace:
> javax.naming.NamingException: LDAP response read timed out, timeout used: 500 ms.
>     at java.naming/com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:129) ~[?:?]
>     at java.naming/com.sun.jndi.ldap.Connection.readReply(Connection.java:447) ~[?:?]
>     at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:365) ~[?:?]
>     at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) ~[?:?]
>     at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2896) ~[?:?]
>     at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348) ~[?:?]
>     at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229) ~[?:?]
>     at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189) ~[?:?]
>     at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247) ~[?:?]
>     at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[?:?]
>     at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) ~[?:?]
>     at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:732) ~[?:?]
>     at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) ~[?:?]
>     at java.naming/javax.naming.InitialContext.init(InitialContext.java:236) ~[?:?]
>     at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208) ~[?:?]
>     at java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:130) ~[?:?]
>     at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.lambda$openContext$3(LDAPLoginModule.java:711) ~[artemis-server-2.39.0.jar:2.39.0]
>     at java.base/java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
>     at java.base/javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]
>     at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.openContext(LDAPLoginModule.java:711) ~[artemis-server-2.39.0.jar:2.39.0]
>     at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.resolveDN(LDAPLoginModule.java:345) ~[artemis-server-2.39.0.jar:2.39.0]
>     at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.authenticate(LDAPLoginModule.java:313) ~[artemis-server-2.39.0.jar:2.39.0]
>     at org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.login(LDAPLoginModule.java:217) ~[artemis-server-2.39.0.jar:2.39.0]
>     at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:?]
>     at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679) ~[?:?]
>     at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677) ~[?:?]
>     at java.base/java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
>     at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677) ~[?:?]
>     at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:?]
>     at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:151) ~[artemis-server-2.39.0.jar:2.39.0]
>     at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.authenticate(ActiveMQJAASSecurityManager.java:97) ~[artemis-server-2.39.0.jar:2.39.0]
>     at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:221) ~[artemis-server-2.39.0.jar:2.39.0]
>     at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.validateUser(ActiveMQServerImpl.java:1803) ~[artemis-server-2.39.0.jar:2.39.0]
>     at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.handleCreateSession(ActiveMQPacketHandler.java:183) ~[artemis-server-2.39.0.jar:2.39.0]
>     at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.internalHandler(ActiveMQPacketHandler.java:106) ~[artemis-server-2.39.0.jar:2.39.0]
>     at org.apache.activemq.artemis.utils.actors.Actor.doTask(Actor.java:32) ~[artemis-commons-2.39.0.jar:2.39.0]
>     at org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:68) ~[artemis-commons-2.39.0.jar:2.39.0]
>     at org.apache.activemq.artemis.utils.actors.OrderedExecutor.doTask(OrderedExecutor.java:57) ~[artemis-commons-2.39.0.jar:2.39.0]
>     at org.apache.activemq.artemis.utils.actors.OrderedExecutor.doTask(OrderedExecutor.java:32) ~[artemis-commons-2.39.0.jar:2.39.0]
>     at org.apache.activemq.artemis.utils.actors.ProcessorBase.executePendingTasks(ProcessorBase.java:68) ~[artemis-commons-2.39.0.jar:2.39.0]
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
>     at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118) [artemis-commons-2.39.0.jar:2.39.0]
>
> --
> Regards,
> Alexander
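
One way to check, outside the broker, which timeout the JVM's LDAP provider applies while waiting for the bind response. This is an added example, not code from the thread, Artemis or OpenJDK; the class name `LdapTimeoutProbe`, the credentials and the silent local listener are constructed for the test, and the two timeout keys are the standard JNDI LDAP provider properties.

```java
import java.net.ServerSocket;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

public class LdapTimeoutProbe {

    // Opens a context against url and reports how long the attempt took and
    // which timeout the JDK names in the resulting exception message.
    static String probe(String url, String connectMs, String readMs) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Simple bind with constructed credentials so a BindRequest is actually sent.
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=probe,dc=example,dc=test");
        env.put(Context.SECURITY_CREDENTIALS, "not-a-real-password");
        // The two JNDI LDAP provider timeouts, in milliseconds, passed as strings.
        env.put("com.sun.jndi.ldap.connect.timeout", connectMs);
        env.put("com.sun.jndi.ldap.read.timeout", readMs);

        long start = System.nanoTime();
        try {
            new InitialDirContext(env).close();
            return "bind succeeded (endpoint replied)";
        } catch (NamingException e) {
            long elapsedMs = (System.nanoTime() - start) / 1_000_000;
            return "failed after " + elapsedMs + " ms: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a stalled endpoint: the kernel completes the TCP
        // handshake from the listen backlog, but nothing ever accepts or replies.
        try (ServerSocket silent = new ServerSocket(0)) {
            String url = "ldap://127.0.0.1:" + silent.getLocalPort();
            // Same values as in the report: 500 ms connect, 5000 ms read.
            System.out.println(probe(url, "500", "5000"));
        }
    }
}
```

Run it on the same JDK build as the broker; the elapsed time and the "timeout used" figure in the message show which setting governed the wait for the bind response.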
