p:responseTimeout not present in LDAP connections

Youssef GHORBAL youssef.ghorbal at pasteur.fr
Thu Apr 21 12:16:10 EDT 2016


	While investigating an issue with the IdP not responding, I came across a fact that the p:responseTimeout is not set on the connection beans in conf/authn/ldap-authn-config.xml
	The situation I’m currently facing is that LDAP servers stops responding queries but TCP connections stood still.

	Since p:responseTimeout is not set (and thus it's infinite) what happens is a snowball effect. When LDAP stops responding, Spring Flows are stucked waiting for answers, I get a lot of  :

2016-04-20 19:34:03,300 - ERROR [org.springframework.webflow.conversation.impl.LockTimeoutException:76] - 
org.springframework.webflow.conversation.impl.LockTimeoutException: Unable to acquire conversation lock after 30 seconds
	at org.springframework.webflow.conversation.impl.JdkConcurrentConversationLock.lock(JdkConcurrentConversationLock.java:44)

	Jetty starts piling the TCP connections in TIME_WAIT status (since it does not get answers from the IdP servlet) and finally everything collaps with "too many open files” (since the number of sockets explodes)

	There is a lot de be done here :
	- Make the LDAP servers actually answer requests :)
	- Prevent Jetty (and the OS) from piling the client TCP connections (recycle faster)
	On the shibboleth side, I was wondering if there is any reasons not setting a default p:responseTimeout on the LDAP connection pools. Maybe there are other non obvious side effects ?

Youssef Ghorbal
Institut Pasteur

More information about the users mailing list