• Suggestion
    • Resolution: Fixed
    • 2.8.2
    • Performance
    • None

      LDAP connections over SSL are not pooled, meaning each operation acquires a new TCP connection as well as negotiating SSL. This significantly increases the time taken for operations like synchronisation.

      For a default Crowd with no pooling configuration changes, synchronisation is single threaded, so only a single connection is made. (In testing, two connections; it's not clear if that's due to multiple threads or a single connection only being reused so many times.)

      In terms of impact, a synchronisation with OpenLDAP that took 1m45 without SSL took as much as 8m15 when SSL was enabled.

      Fixing this may require CWD-2790.

            [CWD-4070] Pool SSL LDAP connections

            Sorin Sbarnea (Citrix) added a comment -

            It seems that pooling still doesn't work well even with 2.8.2 and even without SSL. Take a look at https://support.atlassian.com/servicedesk/customer/portal/16/CWDSUP-10724 (Atlassian only)

            joe added a comment -

            A useful Wireshark filter for testing this is:

            tcp.flags.syn==1 && tcp.flags.ack==0
            

            to show only connection attempts. If this is working, it will show only the original connection, which will then be reused for subsequent LDAP operations.


            joe added a comment -

            SetLdapConnectionSettingsListener sets the system properties too late to take effect.

            This fix will add the system property to the Tomcat distribution. CWD-4159 is a follow-on issue to remove the redundant UI, or fix it to work.


            joe added a comment -

            In a standalone test, the necessary steps to get pooling were:

            System.setProperty("com.sun.jndi.ldap.connect.pool.protocol", "plain ssl");
            
            env.put("com.sun.jndi.ldap.connect.pool", "true");
            env.put("java.naming.ldap.factory.socket", "ssl.LdapHostnameVerificationSSLSocketFactory");
            

            where LdapHostnameVerificationSSLSocketFactory implements Comparator<String>.

            That system property is set in Crowd by SetLdapConnectionSettingsListener; other products may need to ensure they take the same steps.


            joe added a comment -

            For SSL connections, Crowd uses a custom socket factory due to CWD-2690. http://docs.oracle.com/javase/6/docs/technotes/guides/jndi/jndi-ldap.html#pooling states that custom factories must implement Comparator<SocketFactory> to be pooled. http://stackoverflow.com/questions/23898970/pooling-ldap-connections-with-custom-socket-factory points out that it's actually Comparator<String> that's required.
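
The pooling steps from the comments above, put together as an added example (not part of the original thread and not Crowd's code): a hostname-verifying socket factory that implements `Comparator<String>`, plus the system property and environment entries that enable pooling for `ldaps://`. The class names `PooledLdapsExample` and `VerifyingSocketFactory` are hypothetical, the server URL is supplied on the command line, and the `com.sun.jndi.ldap.connect.pool.debug` tracing property is a standard JNDI setting that the thread does not mention.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Comparator;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class PooledLdapsExample {
    // Hypothetical stand-in for Crowd's LdapHostnameVerificationSSLSocketFactory.
    // JNDI only pools connections from a custom factory that implements Comparator.
    public static class VerifyingSocketFactory extends SSLSocketFactory
            implements Comparator<String> {
        private final SSLSocketFactory tls = (SSLSocketFactory) SSLSocketFactory.getDefault();

        // JNDI loads the class named in the environment and calls this static method.
        public static SocketFactory getDefault() { return new VerifyingSocketFactory(); }

        // JNDI compares factory class names; equal names mean interchangeable connections.
        @Override public int compare(String a, String b) { return a.compareTo(b); }

        // Turn on certificate hostname checking before the TLS handshake starts.
        private static Socket check(Socket s) {
            SSLSocket ssl = (SSLSocket) s;
            SSLParameters params = ssl.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            ssl.setSSLParameters(params);
            return ssl;
        }

        // The no-argument form is the "disconnected socket" JNDI asks for.
        @Override public Socket createSocket() throws IOException {
            return check(tls.createSocket());
        }
        @Override public Socket createSocket(String h, int p) throws IOException {
            return check(tls.createSocket(h, p));
        }
        @Override public Socket createSocket(String h, int p, InetAddress la, int lp)
                throws IOException {
            return check(tls.createSocket(h, p, la, lp));
        }
        @Override public Socket createSocket(InetAddress a, int p) throws IOException {
            return check(tls.createSocket(a, p));
        }
        @Override public Socket createSocket(InetAddress a, int p, InetAddress la, int lp)
                throws IOException {
            return check(tls.createSocket(a, p, la, lp));
        }
        @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose)
                throws IOException {
            return check(tls.createSocket(s, h, p, autoClose));
        }
        @Override public String[] getDefaultCipherSuites() { return tls.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return tls.getSupportedCipherSuites(); }
    }

    public static void main(String[] args) throws NamingException {
        // Set before the first LDAP context is created; the thread reports that
        // setting it later has no effect.
        System.setProperty("com.sun.jndi.ldap.connect.pool.protocol", "plain ssl");
        // JNDI's own pool tracing on stderr, to confirm connections are reused.
        System.setProperty("com.sun.jndi.ldap.connect.pool.debug", "fine");
        if (args.length == 0) {
            System.out.println("usage: java PooledLdapsExample ldaps://host:636");
            return;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, args[0]);
        env.put("com.sun.jndi.ldap.connect.pool", "true");
        env.put("java.naming.ldap.factory.socket", VerifyingSocketFactory.class.getName());
        for (int i = 0; i < 3; i++) {
            // close() hands the connection back to the pool instead of closing the socket.
            new InitialDirContext(env).close();
        }
    }
}
```

With pooling in effect, the Wireshark filter quoted earlier in the thread should show a single SYN for all three contexts.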


            Miles Gentry added a comment -

            This appears to be an issue with Confluence 5.4.4 as well. We're bringing a new OpenLDAP server online and noticed that testing the directory from Confluence 5.4.4 with SSL takes quite some time. It doesn't appear to be connection pooling for SSL, making a full test of the LDAP server with SSL take more than 60s. Since the default AJP proxy timeout is 60s, this throws a 500 on the Apache webserver side. Increasing the timeout to more than 60s can help. Searching an LDAP directory shouldn't take very long, under ideal circumstances.

            Dave C added a comment -

            pcap attached


            joe added a comment -

            The logs certainly show that Spring LDAP doesn't think it's enabling pooling:

            [ldap.core.support.AbstractContextSource] Not using LDAP pooling
            

            It also looks like the socket factory's creating a new socket each time:

            [crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory] Name checking SSLSocketFactory created
            

            Are you able to confirm whether that's accurate? That is, using something like Wireshark, can you see whether a separate TCP connection is made each time? I ask because the interaction between system properties, connection properties and Spring LDAP isn't always clear.


            Dave C added a comment -

            Hey jwalton, I tried setting the below in JIRA and the pooling does not seem to be applied:

            -Dcom.sun.jndi.ldap.connect.pool.protocol='plain ssl' -Dcom.sun.jndi.ldap.connect.pool.maxsize=20 -Dcom.sun.jndi.ldap.connect.pool.prefsize=10 -Dcom.sun.jndi.ldap.connect.pool.timeout=300000
            

            As seen in the logs below:

            2014-10-27 16:57:46,361 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Performing user search: baseDN = CN=users,dc=sydney,dc=atlassian,dc=com - filter = (&(&(objectCategory=Person)(sAMAccountName=*))(sAMAccountName=a-user-50k-24996))
            2014-10-27 16:57:47,646 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [ldap.core.support.AbstractContextSource] Got Ldap context on server 'ldap://crowd-ad1.syd.atlassian.com:389'
            2014-10-27 16:57:47,646 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Paged results are enabled with a paging size of: 1000
            2014-10-27 16:57:48,064 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Iterating a search result size of: 1000
            2014-10-27 16:57:48,064 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Performing user search: baseDN = OU=loadTesting50k,dc=sydney,dc=atlassian,dc=com - filter = (&(&(objectCategory=Person)(sAMAccountName=*))(sAMAccountName=a-user-50k-24996))
            2014-10-27 16:57:48,064 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory] Name checking SSLSocketFactory created
            2014-10-27 16:57:53,070 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory] Creating disconnected socket
            2014-10-27 16:57:55,793 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [ldap.core.support.AbstractContextSource] Got Ldap context on server 'ldaps://crowd-ad1.sydney.atlassian.com:636'
            2014-10-27 16:57:55,793 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Paged results are enabled with a paging size of: 1000
            2014-10-27 16:57:56,213 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Iterating a search result size of: 1000
            2014-10-27 16:57:56,214 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Authenticating user 'a-user-50k-24996' with DN 'cn=a-user-50k-24996,ou=childou-a-25000users,ou=loadtesting50k,dc=sydney,dc=atlassian,dc=com'
            2014-10-27 16:57:56,214 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [ldap.core.support.AbstractContextSource] AuthenticationSource not set - using default implementation
            2014-10-27 16:57:56,214 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [ldap.core.support.AbstractContextSource] Not using LDAP pooling
            2014-10-27 16:57:56,215 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [ldap.core.support.AbstractContextSource] Trying provider Urls: ldaps://crowd-ad1.sydney.atlassian.com:636
            2014-10-27 16:57:56,215 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory] Name checking SSLSocketFactory created
            2014-10-27 16:57:56,215 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory] Creating disconnected socket
            2014-10-27 16:57:58,738 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [ldap.core.support.AbstractContextSource] Got Ldap context on server 'ldaps://crowd-ad1.sydney.atlassian.com:636'
            2014-10-27 16:57:58,757 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Performing user search: baseDN = OU=loadTesting50k,dc=sydney,dc=atlassian,dc=com - filter = (&(&(objectCategory=Person)(sAMAccountName=*))(sAMAccountName=A-user-50k-24996))
            2014-10-27 16:57:58,758 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory] Name checking SSLSocketFactory created
            2014-10-27 16:57:58,758 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory] Creating disconnected socket
            2014-10-27 16:58:01,224 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [ldap.core.support.AbstractContextSource] Got Ldap context on server 'ldaps://crowd-ad1.sydney.atlassian.com:636'
            2014-10-27 16:58:01,224 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Paged results are enabled with a paging size of: 1000
            2014-10-27 16:58:01,645 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Iterating a search result size of: 1000
            2014-10-27 16:58:01,650 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.RFC4519Directory] Executing search at DN: <OU=loadTesting50k,dc=sydney,dc=atlassian,dc=com> with filter: <(&(objectCategory=Group)(member=cn=a-user-50k-24996,ou=childou-a-25000users,ou=loadtesting50k,dc=sydney,dc=atlassian,dc=com))>
            2014-10-27 16:58:01,651 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory] Name checking SSLSocketFactory created
            2014-10-27 16:58:01,651 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory] Creating disconnected socket
            2014-10-27 16:58:04,149 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [ldap.core.support.AbstractContextSource] Got Ldap context on server 'ldaps://crowd-ad1.sydney.atlassian.com:636'
            2014-10-27 16:58:04,150 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Paged results are enabled with a paging size of: 1000
            2014-10-27 16:58:05,039 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Iterating a search result size of: 1000
            2014-10-27 16:58:05,059 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Performing group search: baseDN = OU=loadTesting50k,dc=sydney,dc=atlassian,dc=com - filter = (&(objectCategory=Group)(cn=jira-users))
            2014-10-27 16:58:05,060 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory] Name checking SSLSocketFactory created
            2014-10-27 16:58:05,061 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory] Creating disconnected socket
            2014-10-27 16:58:07,490 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [ldap.core.support.AbstractContextSource] Got Ldap context on server 'ldaps://crowd-ad1.sydney.atlassian.com:636'
            2014-10-27 16:58:07,490 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Paged results are enabled with a paging size of: 1000
            2014-10-27 16:58:07,911 http-bio-60637-exec-10 DEBUG anonymous 1017x265x1 1whpy5b 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Iterating a search result size of: 1000
            2014-10-27 16:58:11,167 StreamsCompletionService::thread-1 ERROR A-user-50k-24996 1018x362x3 uca3r9 127.0.0.1 /plugins/servlet/streams [atlassian.streams.internal.LocalActivityProvider] Exception building feed
            

            Is this being set correctly, or is there something we're missing here?


            joe added a comment -

            In testing, this appears to work when the com.sun.jndi.ldap.connect.pool.protocol system property is set to plain ssl. Crowd should already be setting that on startup (if it's not taking effect that may be a bug). However, other products may not be setting it at all.


              jwalton joe
              Votes: 5
              Watchers: 19