Bug 1015303 - LDAP security realm needs to have configurable timeouts
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
6.1.1
Unspecified Unspecified
unspecified Severity unspecified
: DR6
: EAP 6.3.0
Assigned To: Darran Lofthouse
Josef Cacek
Russell Dickenson
Reported: 2013-10-03 17:08 EDT by Derek Horton
Modified: 2015-04-02 05:39 EDT
Doc Type: Bug Fix
Doc Text:
This release of JBoss EAP 6 contains an enhancement that allows the use of custom properties on outbound LDAP connections. In previous versions of the product, outbound LDAP connections were created with a limited set of properties leaving the remaining to the default behavior. As a result it was not possible for custom properties to be defined to control aspects such as connection and read timeouts. In this release, custom properties can now be defined for the outbound LDAP connections with code similar to the following:
----
<ldap name="LocalLdap" url="ldap://localhost:10389" search-dn="uid=wildfly,dc=simple,dc=wildfly,dc=org" search-credential="password1!">
    <properties>
        <property name="one" value="two"/>
        <property name="three" value="four"/>
    </properties>
</ldap>
----
Last Closed: 2014-06-28 11:44:45 EDT
Type: Bug
External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
JBoss Issue Tracker | PRODMGT-553 | Major | Closed | LDAP security realm needs to have configurable timeouts | 2017-08-10 05:12 EDT
JBoss Issue Tracker | WFLY-2214 | Major | Resolved | Allow additional environment properties to be set for outbound LDAP connections used by security realms. | 2017-08-10 05:12 EDT

Description Derek Horton 2013-10-03 17:08:10 EDT
Description of problem:

LDAP security realm needs to have configurable timeouts.

The default LDAP connection timeout appears to be 2 minutes. If the ldap server is down, it could take 2 minutes for the connection to timeout. This can cause unneeded delay if you have configured multiple ldap servers for failover / redundancy.

The following hack appears to work:
+++ domain-management/src/main/java/org/jboss/as/domain/management/connections/ldap/LdapConnectionManagerService.java
@@ -132,6 +132,7 @@ public class LdapConnectionManagerService implements Service<LdapConnectionManag
result.put(Context.INITIAL_CONTEXT_FACTORY,initialContextFactory);
String url = config.require(URL).asString();
result.put(Context.PROVIDER_URL,url);
+ result.put("com.sun.jndi.ldap.connect.timeout", "500");
return result;
}
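Review bot: the added `result.put("com.sun.jndi.ldap.connect.timeout", "500");` line hardcodes a 500 ms connect timeout for every outbound LDAP connection, with no way to tune or disable it per deployment. Read the value from `config`, the way `URL` is read two lines above, and leave the property unset when nothing is configured so the provider default still applies. A connect timeout alone also does not bound a server that accepts the connection and then stops responding, so a read timeout should be settable the same way.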
Comment 1 JBoss JIRA Server 2013-10-04 05:42:39 EDT
Darran Lofthouse <darran.lofthouse@jboss.com> made a comment on jira WFLY-2214

This actually raises an interesting point to also consider - if we can detect that the first server was not used, maybe for a short period of time we should re-order the server list to give a higher priority to the server we know does exist.

As authentication also establishes a connection to the server to verify the password it would be beneficial to lower the priority of the missing server.
Comment 4 JBoss JIRA Server 2013-10-29 07:16:45 EDT
Darran Lofthouse <darran.lofthouse@jboss.com> updated the status of jira WFLY-2214 to Coding In Progress
Comment 5 JBoss JIRA Server 2013-10-29 09:33:08 EDT
Darran Lofthouse <darran.lofthouse@jboss.com> made a comment on jira WFLY-2214

Just changed the title to this one, going to add support for some additional environment properties to be set for the LDAP connection, things like timeouts are moving into an area that non-standard properties are now set - also there are additional non-standard properties we could potentially support so adding some generic support for properties will allow for those as well.
Comment 13 Darran Lofthouse 2013-11-27 07:05:29 EST
This is already merged upstream.
Comment 19 Ondrej Lukas 2014-03-31 04:53:35 EDT
Verified on EAP 6.3.0.DR6.
Comment 20 sgilda 2014-05-12 15:24:06 EDT
Remove <programlisting> tags, change '<' to '&lt;' and '>' to '&gt;' to fix Bug 1096865
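
Applied to the timeout problem this bug reports, the custom-property support described in the Doc Text could be configured as below. This is an added example, not taken from the bug report or the product documentation: the connection name, URL, search DN, credential placeholder and timeout values are constructed, and `com.sun.jndi.ldap.read.timeout` is a standard JNDI LDAP provider property that the report itself does not name.

```xml
<!-- Constructed example: name, host, DN and values are placeholders. -->
<ldap name="CorpLdap"
      url="ldaps://ldap1.example.com:636"
      search-dn="uid=svc-eap,ou=services,dc=example,dc=com"
      search-credential="REPLACE_ME">
    <properties>
        <!-- Milliseconds to wait while opening the connection.
             Bounds the delay when the server is down or unreachable,
             which is the 2-minute stall described in the report. -->
        <property name="com.sun.jndi.ldap.connect.timeout" value="5000"/>
        <!-- Milliseconds to wait for a reply to an LDAP request.
             Bounds the delay when the server accepts the connection
             but then stops answering. -->
        <property name="com.sun.jndi.ldap.read.timeout" value="10000"/>
    </properties>
</ldap>
```

A value that is too low turns ordinary network or TLS handshake latency into failed authentications, so size both timeouts against observed connect and search times rather than copying the 500 from the hack in the description.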
