  1. Bitbucket Data Center
  2. BSERV-13119

Bitbucket waiting indefinitely for authentication response from LDAP can overflow the thread pool


      Issue Summary

      Bitbucket can wait indefinitely for the authentication response from LDAP in RiotPolice.authenticate(), causing all other threads to wait until the first thread has finished the authentication.
      The first thread that authenticates for a specific user does the actual authentication, and subsequent threads that also need to authenticate for the same user must wait until the first thread has finished authenticating. Once that happens, the subsequent threads simply reuse the results from the first thread. This strategy is in place to help reduce the load on Crowd.

      In the case of Bitbucket, the external CI user can consume the cache very fast.

      Steps to Reproduce

      1. Connect Bitbucket to LDAP and install a CI integration.
      2. Introduce network interference, or delay the LDAP response for a long time.
      3. Initiate an intensive CI operation that requires authentication.

      Expected Results

      The thread which fails to authenticate throws an error, and another authentication attempt is made.

      Actual Results

      The original thread is stuck in LdapRequest.getReplyBer(), and all the others wait indefinitely for it to finish authenticating. Since no HTTP threads are available, users cannot make new connections.

      Workaround

      Set the timeouts for crowd-embedded manually via the database:

      INSERT INTO public.cwd_directory_attribute (directory_id, attribute_name, attribute_value) VALUES (<directory_id>, 'ldap.connection.timeout', '10000');
      
      INSERT INTO public.cwd_directory_attribute (directory_id, attribute_name, attribute_value) VALUES (<directory_id>, 'ldap.search.timelimit', '60000');
      
      INSERT INTO public.cwd_directory_attribute (directory_id, attribute_name, attribute_value) VALUES (<directory_id>, 'ldap.read.timeout', '120000');
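
The failure mode and the effect of a read timeout, modelled as an added example (this is not Bitbucket or Crowd code). `StalledDirectory`, `CoalescingAuthenticator` and `pool_survives` are hypothetical names, the four-thread pool stands in for the HTTP thread pool, and the timeouts are constructed values in seconds, scaled down from the workaround's settings.

```python
import threading
from concurrent.futures import Future, ThreadPoolExecutor, wait

class StalledDirectory:
    """Constructed stand-in for an LDAP server that has stopped answering."""
    def __init__(self, read_timeout=None):
        self.read_timeout = read_timeout     # seconds; None waits forever, as in the issue
        self.recovered = threading.Event()   # set when the server answers again
        self.calls = 0                       # how many real directory calls were made
    def bind(self, user):
        self.calls += 1
        if not self.recovered.wait(self.read_timeout):
            raise TimeoutError("LDAP read timed out")
        return True

class CoalescingAuthenticator:
    """First caller per user does the directory call; concurrent callers reuse its result."""
    def __init__(self, backend):
        self._backend = backend
        self._lock = threading.Lock()
        self._inflight = {}                  # user -> Future shared by concurrent callers
    def authenticate(self, user):
        with self._lock:
            fut = self._inflight.get(user)
            leader = fut is None
            if leader:
                fut = self._inflight[user] = Future()
        if leader:
            try:
                fut.set_result(self._backend(user))
            except Exception as exc:         # propagate the failure to every waiter
                fut.set_exception(exc)
            finally:
                with self._lock:
                    self._inflight.pop(user, None)
        return fut.result()                  # followers block here until the leader finishes

def pool_survives(read_timeout, pool_size=4, settle=0.5):
    """Fill the pool with logins for one CI user; report if a further request is served."""
    directory = StalledDirectory(read_timeout)
    auth = CoalescingAuthenticator(directory.bind)
    pool = ThreadPoolExecutor(max_workers=pool_size)    # models the HTTP worker threads
    logins = [pool.submit(auth.authenticate, "ci-user") for _ in range(pool_size)]
    probe = pool.submit(lambda: "served")               # unrelated request queued behind them
    served, _ = wait([probe], timeout=settle)
    directory.recovered.set()                           # unblock stuck threads so the demo exits
    pool.shutdown(wait=True)
    timed_out = sum(isinstance(f.exception(), TimeoutError) for f in logins)
    return bool(served), directory.calls, timed_out
```

With `read_timeout=None` one stalled directory call pins every worker and the probe request is never served while the stall lasts. With a read timeout the leader's error reaches all waiters, the workers are released, and the probe is served.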
      

              e74118b4e28d David Jansons
              ashaleev Anton Shaleev (Inactive)