Suggestion
Resolution: Unresolved
Authentication requests for LDAP are not pooled, which leads to the following error in the logs when multiple simultaneous requests come in through scripts or clients:
Symptoms:
Directory 'localhost.com' is not functional during authentication of 'APIUser'. Skipped. Error occurred while trying to authenticate user 'APIUser'. localhost.com:636; nested exception is javax.naming.CommunicationException: localhost.com:636 [Root exception is java.net.BindException: Address already in use: connect]
Notice that the logging below explicitly says pooling is disabled:
The logging below, with debug enabled, shows AbstractContextSource writing that pooling is not used:
2020-10-29 16:06:56,312+0000 https-jsse-nio-443-exec-22 url:/jira/rest/api/2/search DEBUG anonymous 966x1488320x3 - 3.122.134.153 /rest/api/2/search [c.a.crowd.directory.SpringLDAPConnector] Authenticating user 'abc' with DN 'cn=service account jira jiraalign,ou=abc,ou=it,ou=main,dc=abc,dc=abc,dc=com'
2020-10-29 16:06:56,312+0000 https-jsse-nio-443-exec-22 url:/jira/rest/api/2/search DEBUG anonymous 966x1488320x3 - 3.122.134.153 /rest/api/2/search [o.s.l.core.support.AbstractContextSource] AuthenticationSource not set - using default implementation
2020-10-29 16:06:56,312+0000 https-jsse-nio-443-exec-22 url:/jira/rest/api/2/search DEBUG anonymous 966x1488320x3 - 3.122.134.153 /rest/api/2/search [o.s.l.core.support.AbstractContextSource] Not using LDAP pooling
2020-10-29 16:06:56,312+0000 https-jsse-nio-443-exec-22 url:/jira/rest/api/2/search DEBUG anonymous 966x1488320x3 - 3.122.134.153 /rest/api/2/search [o.s.l.core.support.AbstractContextSource] Trying provider Urls: ldaps://localhost.com:636
Expected Behavior:
Connection pooling should be used, and new connection requests should not fail with the error above.
Workaround:
Switch to another authentication mechanism.
[CWD-5657] Authentication requests from LDAP is not pooled
Support reference count | New: 7 |
Remote Link | New: This issue links to "Page (Confluence)" [ 822114 ] |
Remote Link | New: This issue links to "Page (Confluence)" [ 524147 ] |
Labels | New: pse_request |
Remote Link | New: This issue links to "Page (Confluence)" [ 518067 ] |
Summary | Original: Authentication request from LDAP is not pooled | New: Authentication requests from LDAP is not pooled |
This causes outages of Jira authentication and other intermittent behaviour when all available ports are used up with connections to LDAP. We can encourage a move to different authentication methods for scripts, but if this is continued then we can't prevent it causing Jira outages. LDAP pooling is specifically designed to prevent this problem so it would be great if this could be effectively supported to contain this risk and prevent outages.
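To gauge exposure to the port exhaustion described in this issue, the sketch below counts unpooled LDAP binds per second and per user and lists the `BindException` failures in a Jira log. It is an added example, not part of the issue or of Atlassian's code; the sample log lines, the `logger.placeholder` name, the example DNs and the burst threshold are constructed assumptions.

```python
import re
from collections import Counter

TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}[+-]\d{4} ")
AUTH = re.compile(r"\[c\.a\.crowd\.directory\.SpringLDAPConnector\] Authenticating user '([^']*)'")
UNPOOLED = "[o.s.l.core.support.AbstractContextSource] Not using LDAP pooling"
EXHAUSTED = "java.net.BindException: Address already in use"

def summarize(log_text, burst_threshold=3):
    """Count unpooled LDAP binds per second and per user; list port-exhaustion errors."""
    per_second, per_user, bind_failures = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = TS.match(line)
        if not m:
            continue  # stack-trace continuation lines carry no timestamp
        second = m.group(1)
        user = AUTH.search(line)
        if user:
            per_user[user.group(1)] += 1
        if UNPOOLED in line:
            per_second[second] += 1
        if EXHAUSTED in line:
            bind_failures.append(second)
    # A burst is any one-second window with at least burst_threshold unpooled binds.
    bursts = {s: n for s, n in per_second.items() if n >= burst_threshold}
    return {"unpooled": sum(per_second.values()), "bursts": bursts,
            "top_users": per_user.most_common(3), "bind_failures": bind_failures}

def _line(ts, logger, msg):
    # Constructed sample line in the layout of the debug log quoted in the issue.
    return (f"2020-10-29 {ts}+0000 https-jsse-nio-443-exec-1 url:/jira/rest/api/2/search "
            f"DEBUG anonymous 1x1x1 - 192.0.2.10 /rest/api/2/search [{logger}] {msg}")

CONNECTOR = "c.a.crowd.directory.SpringLDAPConnector"
CONTEXT = "o.s.l.core.support.AbstractContextSource"
# Constructed input: three binds by APIUser within one second, one by alice, then a failure.
SAMPLE_LOG = "\n".join(
    [entry for ts, user in [("16:06:56,312", "APIUser"), ("16:06:56,401", "APIUser"),
                            ("16:06:56,560", "APIUser"), ("16:06:57,020", "alice")]
     for entry in (_line(ts, CONNECTOR, f"Authenticating user '{user}' with DN 'cn={user},dc=example,dc=com'"),
                   _line(ts, CONTEXT, "Not using LDAP pooling"))]
    + [_line("16:06:57,950", "logger.placeholder",
             "Error occurred while trying to authenticate user 'APIUser'. localhost.com:636; "
             "nested exception is javax.naming.CommunicationException: localhost.com:636 "
             "[Root exception is java.net.BindException: Address already in use: connect]")]
)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The per-user count identifies which account (here the scripted `APIUser`) drives the connection churn, which is the account to move to another authentication mechanism first.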