  • LDAP Connection Leak?

    In our application, we're using Spring Security's built-in LDAP support:

    Code:
    <sec:ldap-server 
        url="${ldap.url}"
        manager-dn="${ldap.managerDn}"
        manager-password="${ldap.managerPassword}"/>
    
    <sec:authentication-manager alias="ldapAuthenticationManager">
      <sec:ldap-authentication-provider
          user-dn-pattern="${ldap.userPattern}"
          group-search-base="${ldap.groupBase}"
          group-search-filter="${ldap.groupFilter}"/>
    </sec:authentication-manager>
    
    <bean id="authenticationManager" class="com.myco.security.CachingAuthenticationManager">
      <constructor-arg ref="ldapAuthenticationManager" />
    </bean>
    The CachingAuthenticationManager was an attempt to limit our round-trips to the LDAP server (since it slows us down):

    Code:
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.cache.annotation.Cacheable;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    
    /**
     * Wraps the LDAP-backed AuthenticationManager so that Spring's cache abstraction
     * memoises the result of authenticate(). Needs <cache:annotation-driven/> and a
     * CacheManager that knows a cache called "authentications"; the method argument
     * (the whole Authentication token) is used as the cache key. Exceptions are not
     * cached, so a failed login always goes to the delegate.
     */
    public class CachingAuthenticationManager implements AuthenticationManager
    {
        private static final Logger LOGGER = LoggerFactory.getLogger(CachingAuthenticationManager.class);
    
        private final AuthenticationManager delegate;
        
        public CachingAuthenticationManager(AuthenticationManager delegate)
        {
            this.delegate = delegate;
        }
    
        @Override
        @Cacheable("authentications")
        public Authentication authenticate(Authentication authentication) throws AuthenticationException
        {
            LOGGER.debug("cache miss for {}", authentication.getName());
            return delegate.authenticate(authentication);
        }
    }
    Now, when we run with this configuration under load, we are seeing a tremendous number of threads being created (like 7,000) with their "target" being a com.sun.jndi.ldap.Connection object. Why would there be so many threads running tied to LDAP connections? Are we not closing the connections somehow?

  • #2
    I don't think this has anything to do with caching. The Authentication must be serializable, which means that it can't contain any thread references (unless they are transient, which would be odd).

    I'm curious why you are caching the authentication, though. In the normal Spring Security filter stack the first filter is responsible for loading the SecurityContext (which contains the Authentication) from the HttpSession, so the actual authentication only occurs once (unless your client throws away the JSESSIONID cookie that identifies the session).



    • #3
      Re: LDAP Connection Leak?

      Originally posted by klausg
      I'm curious why you are caching the authentication, though. In the normal Spring Security filter stack the first filter is responsible for loading the SecurityContext (which contains the Authentication) from the HttpSession, so the actual authentication only occurs once (unless your client throws away the JSESSIONID cookie that identifies the session).
      We are caching because the LDAP lookup is a costly operation in our environment (so much for "lightweight"). We are implementing a web service, so we don't have the luxury of the HttpSession to remember who is talking to us. We tell Spring Security to "never" create sessions.

      As it turned out, it wasn't the caching at all. The leak was due to the JRE's LDAP connection pooling not being properly configured. For some reason, the pool was growing out of control (again, over 7000 threads when we only have 250 maxThreads set on Tomcat). Still haven't figured that one out.

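For a stateless service that genuinely needs a cache in front of LDAP, the class below is an added example, not the poster's code and not part of Spring Security. It avoids two properties of the @Cacheable wrapper above that a reviewer would flag: with the default key, the whole Authentication token (password included) becomes the cache key, and nothing expires an entry, so a changed or revoked password keeps authenticating until the cache is cleared. The class name, the constructor parameters maxEntries and ttlMillis, and the choice of a salted SHA-256 digest are my assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;

/** Added example: bounded, expiring cache in front of an LDAP AuthenticationManager; never stores the password. */
public class BoundedAuthenticationCache implements AuthenticationManager {

    /** Per-user entry: salted digest of the password, the successful result, and an expiry time. */
    private static final class Entry {
        final byte[] salt, digest;
        final Object principal;
        final Collection<? extends GrantedAuthority> authorities;
        final long expiresAt;
        Entry(byte[] salt, byte[] digest, Object principal,
              Collection<? extends GrantedAuthority> authorities, long expiresAt) {
            this.salt = salt; this.digest = digest; this.principal = principal;
            this.authorities = authorities; this.expiresAt = expiresAt;
        }
    }

    private final AuthenticationManager delegate;
    private final long ttlMillis;
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Entry> entries;   // LRU map, guarded by synchronized (entries)

    public BoundedAuthenticationCache(AuthenticationManager delegate, final int maxEntries, long ttlMillis) {
        this.delegate = delegate;
        this.ttlMillis = ttlMillis;
        this.entries = new LinkedHashMap<String, Entry>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Entry> eldest) {
                return size() > maxEntries;     // hard cap on memory, independent of the TTL
            }
        };
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object creds = authentication.getCredentials();
        String password = creds == null ? null : creds.toString();
        if (username == null || password == null || password.isEmpty()) {
            return delegate.authenticate(authentication);   // let the delegate raise its BadCredentialsException
        }
        long now = System.currentTimeMillis();
        Entry hit;
        synchronized (entries) {
            hit = entries.get(username);
            if (hit != null && hit.expiresAt <= now) {
                entries.remove(username);       // expired: force a real round-trip to LDAP
                hit = null;
            }
        }
        if (hit != null && MessageDigest.isEqual(hit.digest, digest(hit.salt, password))) {
            // Constant-time comparison against the cached digest; the result carries no credentials.
            UsernamePasswordAuthenticationToken ok =
                    new UsernamePasswordAuthenticationToken(hit.principal, null, hit.authorities);
            ok.setDetails(authentication.getDetails());
            return ok;
        }
        // Miss, expired, or wrong password: bind against LDAP. A failure propagates and is never cached,
        // so a wrong password cannot be "remembered" as good.
        Authentication result = delegate.authenticate(authentication);
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        Entry fresh = new Entry(salt, digest(salt, password), result.getPrincipal(),
                result.getAuthorities(), now + ttlMillis);
        synchronized (entries) {
            entries.put(username, fresh);
        }
        return result;
    }

    private static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}
```

Wire it as the outer authenticationManager bean in place of CachingAuthenticationManager, with a TTL of a few minutes. A wrong password for a cached user costs one digest and then a real LDAP bind, so the directory's own lockout policy still applies. The digest is a fast hash by design (the cache exists to avoid LDAP latency); that is acceptable only because entries live in process memory for minutes, never in storage.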


      • #4
        The problem is that LDAP connections leak terribly. A single user generates more than 20 connections after a couple of requests. These will definitely cause memory leaks and possibly connection leaks.



        • #5
          Ensure you have configured LDAP connection pooling; otherwise you will have a thread created for each connection. See the discussion on SEC-2170 for a more detailed explanation, including links to how to configure LDAP connection pooling.

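The JDK's LDAP provider runs one reader thread per com.sun.jndi.ldap.Connection, which is why an unbounded pool or an unclosed context shows up as thousands of threads rather than as open sockets alone. The following added example, which is not code from the thread or from Spring, uses Spring LDAP's LdapContextSource (the class Spring Security's <ldap-server> builds on) to show the three settings that keep that count bounded: capping the JDK pool through its system properties, pooling only the manager context, and closing every per-user bind context. The host, DNs and passwords are placeholders, and ldapReaderThreads() is a diagnostic I wrote, not a Spring or JDK API.

```java
import java.util.HashMap;
import java.util.Map;

import javax.naming.directory.DirContext;

import org.springframework.ldap.AuthenticationException;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.support.LdapUtils;

/** Added example: bounding the JDK LDAP pool and closing per-user binds. Placeholders, not values from the thread. */
public class PooledLdapExample {

    /**
     * com.sun.jndi.ldap.LdapPoolManager reads these SYSTEM properties once, on first use.
     * With no maxsize the pool has no cap, and with no timeout idle connections are never
     * closed, so each distinct pool key (URL + principal + protocol + auth) keeps its
     * connection and reader thread for the life of the JVM. Passing them as -D flags is
     * the safest way to be sure they are set before anything touches JNDI.
     */
    static void configureJndiPool() {
        System.setProperty("com.sun.jndi.ldap.connect.pool.initsize", "1");
        System.setProperty("com.sun.jndi.ldap.connect.pool.prefsize", "5");
        System.setProperty("com.sun.jndi.ldap.connect.pool.maxsize", "20");      // per pool key
        System.setProperty("com.sun.jndi.ldap.connect.pool.timeout", "300000");  // idle ms before close
        System.setProperty("com.sun.jndi.ldap.connect.pool.protocol", "plain ssl");
        System.setProperty("com.sun.jndi.ldap.connect.pool.authentication", "none simple"); // the default
    }

    /** Manager (group-search) context: pooled, with socket timeouts so a hung server cannot pin a thread. */
    static LdapContextSource managerContextSource(String url, String managerDn, String managerPassword)
            throws Exception {
        LdapContextSource cs = new LdapContextSource();
        cs.setUrl(url);
        cs.setUserDn(managerDn);
        cs.setPassword(managerPassword);
        cs.setPooled(true);   // puts com.sun.jndi.ldap.connect.pool=true in the JNDI environment
        Map<String, Object> env = new HashMap<String, Object>();
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "10000");
        cs.setBaseEnvironmentProperties(env);
        cs.afterPropertiesSet();
        return cs;
    }

    /**
     * A bind with the user's own password is deliberately not pooled by Spring LDAP (pool keys
     * include the credentials, so pooling would keep one connection per user alive). Each call
     * therefore costs one connection and one reader thread, and only closing the context frees them.
     */
    static boolean bindAsUser(LdapContextSource cs, String userDn, String password) {
        if (password == null || password.isEmpty()) {
            return false;   // an empty password is an anonymous bind and would "succeed"
        }
        DirContext ctx = null;
        try {
            ctx = cs.getContext(userDn, password);
            return true;
        } catch (AuthenticationException e) {   // wrong DN or password
            return false;
        } finally {
            LdapUtils.closeContext(ctx);        // null-safe; releases the socket and its reader thread
        }
    }

    /** Runtime check without a heap dump: every JNDI LDAP connection owns a thread running Connection.run(). */
    static long ldapReaderThreads() {
        long n = 0;
        for (StackTraceElement[] stack : Thread.getAllStackTraces().values()) {
            for (StackTraceElement f : stack) {
                if ("com.sun.jndi.ldap.Connection".equals(f.getClassName()) && "run".equals(f.getMethodName())) {
                    n++;
                    break;
                }
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        configureJndiPool();
        LdapContextSource cs = managerContextSource("ldap://ldap.example.com:389",
                "cn=manager,dc=example,dc=com", "change-me");
        System.out.println("reader threads before: " + ldapReaderThreads());
        for (int i = 0; i < 100; i++) {
            bindAsUser(cs, "uid=alice,ou=people,dc=example,dc=com", "wrong-or-right");
        }
        // With contexts closed this stays near flat (threads exit once their socket is closed);
        // a leak shows as a count that climbs with the loop.
        System.out.println("reader threads after 100 binds: " + ldapReaderThreads());
    }
}
```

Run it against a test directory and watch the two counts: a gap that grows with the loop means a context is escaping without close(). Under Tomcat the same ldapReaderThreads() check can be exposed on a health endpoint, which is a cheaper early warning than waiting for the thread count to pass maxThreads.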
