First LDAP login hangs after app has been idle
  • First LDAP login hangs after app has been idle


    I'm a long time Spring user, using Spring Security for the first time and it's working really well. Our app runs on WebLogic 10.3 with a remote LDAP server for authentication.

    There is one anomaly. When the application has been idle for a while (which is common since we're still in development), it's as if the underlying LDAP connection times out or otherwise goes bad.

    The symptom is: the first login hangs indefinitely. If I hit the browser's stop button and log in again, it works fine, along with all subsequent logins. The problem occurs only after an idle period (no idea how long).

    It's as if the first attempt registers the fact that the connection is dead, but it never recovers. Later attempts must successfully reopen the connection.

    Has anyone seen this and is there a solution? I'm using simple namespace configuration so I don't have easy access to all the internals.

    Ideally the initial login attempt would detect the broken connection and recover by reconnecting. Is there a way to do that in client code?

    Thanks for any advice you might have. Config follows.


    <ldap-server url="${ldap_url}/" />
    <ldap-authentication-provider user-search-base="ou=People"
        user-search-filter="(uid={0})" group-search-base="ou=People"
        group-role-attribute="ou" user-context-mapper-ref="mymapper" />
    Last edited by fptoth; Sep 22nd, 2010, 09:18 PM. Reason: typo

  • #2
    Hanging LDAP - can anyone help?


    I'm concerned that I'm not using this forum correctly since the forum lists only 1 view of my post after several weeks.

    I'm hoping that someone has seen this behavior and can advise me on a work-around. Here it is again:

    Spring security with LDAP is working fine.

    After the application is idle for a while, the next attempt to log in hangs indefinitely. Apparently the connection to the LDAP server has been closed.

    If you click stop on your browser and try again, everything then works fine.

    Ultimately, the first hanging thread will time out. In our server log, we see a timeout exception after 10 minutes.

    I would like to eliminate this pain.




    • #3
      Originally posted by fptoth

      I'm concerned that I'm not using this forum correctly since the forum lists only 1 view of my post after several weeks.
      I think there is some problem with the "views" figure. It's not being updated accurately.

      I'd guess you are running into some kind of connection pooling issue where the LDAP server is dropping the connection. If you haven't already done so, have a look at the pooling configuration chapter of the Java LDAP tutorial and try setting a connection pool timeout to try to prevent stale connections from being left in the pool. Ideally you should tailor this to be consistent with the configuration of your LDAP server.


      • #4
        Great tip - cured

        Thanks Luke, that was the key to the puzzle. I had no idea that the sun ldap stuff was underneath spring, nor did I know it could be configured with system properties.

        Now I think I understand that this is happening:

        -- LDAP connections on my side are pooled and the default timeout is "no timeout".
        -- After an application start, everything is fine, since the first login triggers the first connection to LDAP.
        -- Connections in our pool never time out, so that connection stays open as far as we're concerned.
        -- In the meantime, the LDAP server times out its end of the connection, since everything is idle (I'm still trying to get to the people that know this timeout value).
        -- On our next login, we attempt to use the pooled connection which we think is still valid. Since it's not, it hangs, waiting for a response that will never come.
        -- Hitting stop and logging in again works, presumably because there's only the one stale connection in the pool. The new login uses a brand new connection.

        If, however, we time out our own connections with a value that's less than the LDAP timeout value, this problem goes away, since there are never stale connections.

        Like I said, the LDAP server is managed by another team and I'm still working toward getting their timeout value, but as an experiment, I set my connection timeout to be 5 minutes. Problem solved!

        Thanks again for the perfect pointer.



        • #5
          Great. Glad you got it sorted.

          Our systems team has also fixed the "views" column, so it should be rendering accurately now.
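
The pool timeout fix from posts #3 and #4, combined with bounded connect and read timeouts so that a peer that never answers cannot hold a login thread indefinitely. This is an added example, not code from the thread or from Spring Security. The 5 minute pool timeout is the value from post #4; the local silent socket, the 3000 ms timeouts and the bind DN are assumptions, and the property names are the standard settings of the JDK's JNDI LDAP provider.

```java
import java.net.ServerSocket;
import java.net.Socket;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

public class LdapPoolTimeoutDemo {
    public static void main(String[] args) throws Exception {
        // Pool-wide settings are JVM system properties, read when the JNDI LDAP
        // pool is first used; on an app server pass them as -D options instead.
        // 300000 ms = the 5 minute experiment from post #4.
        System.setProperty("com.sun.jndi.ldap.connect.pool.timeout", "300000");

        // Constructed stand-in for a peer that has gone silent:
        // it accepts the TCP connection and never sends an LDAP response.
        try (ServerSocket silent = new ServerSocket(0)) {
            Thread holder = new Thread(() -> {
                try (Socket s = silent.accept()) {
                    Thread.sleep(60_000);
                } catch (Exception ignored) {
                    // demo server: nothing to clean up
                }
            });
            holder.setDaemon(true);
            holder.start();

            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:" + silent.getLocalPort());
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "cn=demo");        // constructed
            env.put(Context.SECURITY_CREDENTIALS, "placeholder");  // constructed
            env.put("com.sun.jndi.ldap.connect.pool", "true");     // pooled, as in the thread
            env.put("com.sun.jndi.ldap.connect.timeout", "3000");  // ms, assumed value
            env.put("com.sun.jndi.ldap.read.timeout", "3000");     // ms, assumed value

            long start = System.nanoTime();
            try {
                new InitialDirContext(env).close();
                System.out.println("unexpected: bind succeeded");
            } catch (NamingException e) {
                long ms = (System.nanoTime() - start) / 1_000_000;
                System.out.println("bind failed after " + ms + " ms: " + e);
            }
        }
    }
}
```

Without the read timeout entry, the same bind would wait on the silent socket until the JVM or the operating system gave up on the connection.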