p:responseTimeout not present in LDAP connections
Youssef GHORBAL
youssef.ghorbal at pasteur.fr
Thu Apr 21 12:16:10 EDT 2016
Hello,
While investigating an issue with the IdP not responding, I came across the fact that p:responseTimeout is not set on the connection beans in conf/authn/ldap-authn-config.xml.
The situation I'm currently facing is that the LDAP servers stop responding to queries but the TCP connections remain up.
Since p:responseTimeout is not set (and thus it's infinite), what happens is a snowball effect. When LDAP stops responding, Spring Flows are stuck waiting for answers, and I get a lot of:
2016-04-20 19:34:03,300 - ERROR [org.springframework.webflow.conversation.impl.LockTimeoutException:76] -
org.springframework.webflow.conversation.impl.LockTimeoutException: Unable to acquire conversation lock after 30 seconds
at org.springframework.webflow.conversation.impl.JdkConcurrentConversationLock.lock(JdkConcurrentConversationLock.java:44)
Jetty starts piling up the TCP connections in TIME_WAIT status (since it does not get answers from the IdP servlet) and finally everything collapses with "too many open files" (since the number of sockets explodes).
There is a lot to be done here:
- Make the LDAP servers actually answer requests :)
- Prevent Jetty (and the OS) from piling up the client TCP connections (recycle faster)
On the Shibboleth side, I was wondering if there is any reason for not setting a default p:responseTimeout on the LDAP connection pools. Maybe there are other non-obvious side effects?
Youssef Ghorbal
Institut Pasteur
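
Added example (not part of the original message, and not Shibboleth or ldaptive code): the failure mode described above, reproduced with plain sockets. A constructed local server accepts TCP connections but never answers; callers with only a connect timeout stay blocked, while a caller with a response timeout fails fast. All function names, ports and timeout values are assumptions made for the demonstration.

```python
import socket
import threading
import time

def start_silent_server():
    """Constructed stand-in for a stalled LDAP server: accepts TCP, never replies."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    held = []  # keep accepted sockets referenced so the connections stay open
    def accept_loop():
        while True:
            held.append(srv.accept()[0])
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], held

def query(port, connect_timeout, response_timeout):
    """Send one request and wait for the reply; response_timeout=None waits forever."""
    sock = socket.create_connection(("127.0.0.1", port), timeout=connect_timeout)
    try:
        sock.settimeout(response_timeout)  # governs recv(), not the connect above
        sock.sendall(b"constructed-request")
        return sock.recv(1024)
    finally:
        sock.close()

def run_demo(workers=4, observe=1.0, response_timeout=0.3):
    port, held = start_silent_server()
    # Connect timeout only: the connect succeeds, then every worker blocks in recv().
    # Daemon threads are used so the process can still exit while they are stuck.
    stuck = [threading.Thread(target=query, args=(port, 3.0, None), daemon=True)
             for _ in range(workers)]
    for t in stuck:
        t.start()
    time.sleep(observe)
    blocked = sum(t.is_alive() for t in stuck)
    # Same silent server, with a response timeout: the caller gets an error quickly
    # and its socket is closed instead of being held indefinitely.
    started = time.monotonic()
    try:
        query(port, 3.0, response_timeout)
        timed_out = False
    except socket.timeout:
        timed_out = True
    elapsed = time.monotonic() - started
    return blocked, timed_out, elapsed

if __name__ == "__main__":
    print(run_demo())
```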