Bug 1015303 - LDAP security realm needs to have configurable timeouts
Summary: LDAP security realm needs to have configurable timeouts
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
Version: 6.1.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: DR6
: EAP 6.3.0
Assignee: Darran Lofthouse
QA Contact: Josef Cacek
Russell Dickenson
Depends On:
Reported: 2013-10-03 21:08 UTC by Derek Horton
Modified: 2019-07-11 07:46 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
This release of JBoss EAP 6 contains an enhancement that allows the use of custom properties on outbound LDAP connections. In previous versions of the product, outbound LDAP connections were created with a limited set of properties leaving the remaining to the default behavior. As a result it was not possible for custom properties to be defined to control aspects such as connection and read timeouts. In this release, custom properties can now be defined for the outbound LDAP connections with code similar to the following:
----
<ldap name="LocalLdap" url="ldap://localhost:10389" search-dn="uid=wildfly,dc=simple,dc=wildfly,dc=org" search-credential="password1!">
    <properties>
        <property name="one" value="two"/>
        <property name="three" value="four"/>
    </properties>
</ldap>
----
Clone Of:
Last Closed: 2014-06-28 15:44:45 UTC
Type: Bug


System | ID | Priority | Status | Summary | Last Updated
Red Hat One Jira Issue Tracker | PRODMGT-553 | Major | Closed | LDAP security realm needs to have configurable timeouts | 2017-08-10 09:12:27 UTC
Red Hat One Jira Issue Tracker | WFLY-2214 | Major | Resolved | Allow additional environment properties to be set for outbound LDAP connections used by security realms. | 2017-08-10 09:12:26 UTC

Description Derek Horton 2013-10-03 21:08:10 UTC
Description of problem:

LDAP security realm needs to have configurable timeouts.

The default LDAP connection timeout appears to be 2 minutes. If the LDAP server is down, it could take 2 minutes for the connection to time out. This can cause unneeded delay if you have configured multiple LDAP servers for failover / redundancy.

The following hack appears to work:
+++ domain-management/src/main/java/org/jboss/as/domain/management/connections/ldap/LdapConnectionManagerService.java
@@ -132,6 +132,7 @@ public class LdapConnectionManagerService implements Service<LdapConnectionManag
String url = config.require(URL).asString();
+ result.put("com.sun.jndi.ldap.connect.timeout", "500");
return result;
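Review bot: the added `result.put("com.sun.jndi.ldap.connect.timeout", "500");` hard-codes a 500 ms connect timeout for every outbound LDAP connection, so a deployment with a slow but healthy link cannot raise it without patching the class. Read the value from the connection's configuration, the same way `URL` is read via `config.require(URL)`, and only set the property when a value is supplied so the existing default is preserved. The change also bounds only connection establishment; a server that accepts the connection and then stops responding is still unbounded, so the same mechanism should cover `com.sun.jndi.ldap.read.timeout`.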

Comment 1 JBoss JIRA Server 2013-10-04 09:42:39 UTC
Darran Lofthouse <darran.lofthouse@jboss.com> made a comment on jira WFLY-2214

This actually raises an interesting point to also consider - if we can detect that the first server was not used maybe for a short period of time we should re-order the server list to give a higher priority to the server we know does exist.

As authentication also establishes a connection to the server to verify the password it would be beneficial to lower the priority of the missing server.
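
The re-ordering idea from the comment above, combined with the connect timeout from the bug description, as an added example (not code from this thread or from EAP/WildFly). The class `LdapFailover`, its methods, the `ldap://localhost:1` URL and the 2000 ms read timeout are assumptions; `com.sun.jndi.ldap.read.timeout` is a JNDI LDAP provider property that the page does not mention.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added illustration: LdapFailover and its methods are hypothetical names, not EAP code.
public class LdapFailover {
    private final List<String> urls; // preference order; failed servers move to the end
    public LdapFailover(List<String> urls) { this.urls = new ArrayList<>(urls); }
    public synchronized List<String> order() { return new ArrayList<>(urls); }
    private synchronized void demote(String url) { if (urls.remove(url)) urls.add(url); }

    static Hashtable<String, String> env(String url, String dn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "500"); // milliseconds, as a string
        env.put("com.sun.jndi.ldap.read.timeout", "2000");   // assumed value, milliseconds
        return env;
    }

    public DirContext connect(String dn, String password) throws NamingException {
        NamingException last = new NamingException("no LDAP servers configured");
        for (String url : order()) {             // iterate over a snapshot of the order
            try {
                return new InitialDirContext(env(url, dn, password));
            } catch (CommunicationException e) { // unreachable host or connect timeout
                demote(url);                     // later logins try the other servers first
                last = e;
            }                                    // a rejected bind propagates unchanged
        }
        throw last;
    }

    public static void main(String[] args) {
        // Constructed list: port 1 is assumed closed; the second URL is the page's example.
        LdapFailover f = new LdapFailover(Arrays.asList("ldap://localhost:1", "ldap://localhost:10389"));
        try { f.connect("uid=wildfly,dc=simple,dc=wildfly,dc=org", "password1!").close(); }
        catch (NamingException e) { System.out.println("bind failed: " + e); }
        System.out.println("order for next login: " + f.order());
    }
}
```

Only `CommunicationException` demotes a server, so a wrong password against a live server does not change the order.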

Comment 4 JBoss JIRA Server 2013-10-29 11:16:45 UTC
Darran Lofthouse <darran.lofthouse@jboss.com> updated the status of jira WFLY-2214 to Coding In Progress

Comment 5 JBoss JIRA Server 2013-10-29 13:33:08 UTC
Darran Lofthouse <darran.lofthouse@jboss.com> made a comment on jira WFLY-2214

Just changed the title to this one, going to add support for some additional environment properties to be set for the LDAP connection, things like timeouts are moving into an area that non-standard properties are now set - also there are additional non-standard properties we could potentially support so adding some generic support for properties will allow for those as well.

Comment 13 Darran Lofthouse 2013-11-27 12:05:29 UTC
This is already merged upstream.

Comment 19 Ondrej Lukas 2014-03-31 08:53:35 UTC
Verified on EAP 6.3.0.DR6.

Comment 20 sgilda 2014-05-12 19:24:06 UTC
Remove <programlisting> tags, change '<' to '&lt;' and '>' to '&gt;' to fix Bug 1096865
