Details
-
Bug
-
Resolution: Fixed
-
Medium
-
2.5.3
-
None
-
Linux x86_64 (Centos 6), Java 1.7 (Sun JRE7u10), 389 Directory Server (LDAP server)
Description
Over time, Crowd establishes a large number of connections to our LDAP server (389 Directory Server), eventually causing a denial of service that breaks everything else that is LDAP connected until we restart either the LDAP server or Crowd. I have seen it at times using in the neighborhood of 800 connections before.
I don't know if crowd is leaking the connections (no longer actively using them) or if for some reason they're actively being used (I don't know why so many would be necessary).
Sometimes the problem appears to resolve itself before we restart something, perhaps once the LDAP server stops responding the connections eventually time out?
We have had to restart one or the other (now that we have realized Crowd is at fault, we restart crowd, and even have a cron script to watch for this problem and do so automatically now) once or twice a week.
At the moment we have crowd providing LDAP-based authentication services to JIRA and Stash, but many other services depend directly on LDAP. Kerberos is stored in and replicated through LDAP, SSSD uses Kerberos and LDAP, sudo retrieves rules from LDAP, and many web applications such as our knowledge base system are tied to LDAP. When LDAP becomes unusable, it seriously impacts us. Some of our systems can fail over to other LDAP replicas but most don't have that functionality unfortunately.
