LDAP unable to create available connection

Ryan Tapp Ryan.Tapp at csulb.edu
Tue Dec 4 14:09:01 EST 2018


Do you have a firewall between the IdP and LDAP that might be dropping the session?  The out-of-the-box idp.pool.LDAP.validatePeriod is 5 minutes.  I found our firewall was dropping these connections at 1 minute, so I changed this value to 55 seconds and got no more drops.  However, for me the issue was only a nuisance of seeing those drops and having the LDAP server continually chatter about sessions it thought were still valid.  It didn't actually stop the IdP from just creating new pools as needed, so I wasn't really affected from a service standpoint.

Ryan Tapp
California State University Long Beach

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of sherrera
Sent: Tuesday, December 4, 2018 10:05 AM
To: users at shibboleth.net
Subject: LDAP unable to create available connection

I'm working on getting upgraded to shib 3.4.1. I have set up our ldap connection in ldap.properties and also in attribute-resolver.xml. When I test against https://samltest.id, while tailing the idp-process.log, I see the initial connection and that my username and password are validated against ldap successfully. samltest.id shows me the proper attributes I release to them.

The issue is that a few minutes later, I get these errors in the log and I don't know what to make of them. It says it can't make the connection but it shows as a success. I then tried a bad password and it fails as expected.

2018-12-04 11:36:02,643 - ERROR
[org.ldaptive.pool.BlockingConnectionPool:509] - [org.ldaptive.pool.BlockingConnectionPool at 1669029790::name=bind-pool,
poolConfig=[org.ldaptive.pool.PoolConfig at 1099700163::minPoolSize=3,
maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false, validatePeriodically=true, validatePeriod=300, validateTimeout=5000], activator=null, passivator=null, validator=[org.ldaptive.pool.SearchValidator at 353260847::searchRequest=[org.ldaptive.SearchRequest at 1528602321::baseDn=,
searchFilter=[org.ldaptive.SearchFilter at 1642584434::filter=(objectClass=*),
parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=0, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null]]
pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy at 1028819934::prunePeriod=300,
idleTime=600], connectOnCreate=true,
connectionFactory=[org.ldaptive.DefaultConnectionFactory at 1282572551::provider=org.ldaptive.provider.jndi.JndiProvider at 6b3826f6,
config=[org.ldaptive.ConnectionConfig at 1038588596::ldapUrl=ldaps://server.example.edu:636,
connectTimeout=3000, responseTimeout=3000, sslConfig=[org.ldaptive.ssl.SslConfig at 866795346::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig at 54590fe,
trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=null]], initialized=true, availableCount=0, activeCount=0] unable to connect to the ldap
javax.naming.CommunicationException: server.example.edu:636 [Root exception is java.net.SocketTimeoutException: connect timed out]
Caused by: javax.naming.CommunicationException: server.example.edu:636
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:228)
Caused by: java.net.SocketTimeoutException: connect timed out
        at java.net.PlainSocketImpl.socketConnect(Native Method)
2018-12-04 11:36:02,644 - WARN
[org.ldaptive.pool.BlockingConnectionPool:559] - unable to create available connection

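The check Ryan describes (is the pool's validatePeriod longer than the firewall's idle timeout?) can be automated against the ldaptive pool dump quoted above. This is an added example, not code from the thread or from the Shibboleth project; the log lines are constructed to mirror the quoted format with the nested config flattened, and the 60-second firewall idle timeout is an assumed value.

```python
import re

# Constructed sample: the ldaptive BlockingConnectionPool dump and the WARN line
# from the thread, shortened and flattened but using the same keys and values.
SAMPLE_LOG = (
    "2018-12-04 11:36:02,643 - ERROR [org.ldaptive.pool.BlockingConnectionPool:509] - "
    "[org.ldaptive.pool.BlockingConnectionPool at 1669029790::name=bind-pool, "
    "poolConfig=[org.ldaptive.pool.PoolConfig at 1099700163::minPoolSize=3, maxPoolSize=10, "
    "validateOnCheckIn=false, validateOnCheckOut=false, validatePeriodically=true, "
    "validatePeriod=300, validateTimeout=5000], pruneStrategy=[org.ldaptive.pool."
    "IdlePruneStrategy at 1028819934::prunePeriod=300, idleTime=600], "
    "ldapUrl=ldaps://server.example.edu:636, connectTimeout=3000] unable to connect to the ldap\n"
    "2018-12-04 11:36:02,644 - WARN [org.ldaptive.pool.BlockingConnectionPool:559] - "
    "unable to create available connection\n"
    "2018-12-04 11:41:02,650 - WARN [org.ldaptive.pool.BlockingConnectionPool:559] - "
    "unable to create available connection\n"
)

POOL_KEYS = ("minPoolSize", "maxPoolSize", "validatePeriodically", "validatePeriod",
             "validateTimeout", "prunePeriod", "idleTime", "ldapUrl", "connectTimeout")

def parse_pool_dump(line):
    """Extract the pool settings (key=value pairs) from one ldaptive dump line."""
    found = {}
    for key in POOL_KEYS:
        # \b keeps 'validatePeriod=' from matching inside 'validatePeriodically='
        m = re.search(r"\b%s=([^,\]\s]+)" % re.escape(key), line)
        if m:
            found[key] = m.group(1)
    return found

def analyze(log_text, firewall_idle_timeout_s):
    """Return the pool settings, the WARN count and whether validatePeriod is too long."""
    settings, warn_count = {}, 0
    for line in log_text.splitlines():
        if "BlockingConnectionPool" not in line:
            continue
        if "unable to create available connection" in line:
            warn_count += 1
        if "poolConfig=" in line:
            settings.update(parse_pool_dump(line))
    validate_period = int(settings.get("validatePeriod", 0))
    periodic = settings.get("validatePeriodically") == "true"
    # A pooled connection is only re-checked every validatePeriod seconds; if the
    # firewall silently drops idle sessions sooner, dead sockets sit in the pool
    # until the next validation run.
    at_risk = (not periodic) or validate_period >= firewall_idle_timeout_s
    return {"settings": settings, "warnings": warn_count,
            "validate_period": validate_period, "at_risk": at_risk}

def recommended_validate_period(firewall_idle_timeout_s, margin_s=5):
    """Pick a validatePeriod (seconds) that fires before the firewall idle timeout."""
    return max(1, firewall_idle_timeout_s - margin_s)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, firewall_idle_timeout_s=60))
    print("suggested idp.pool.LDAP.validatePeriod =", recommended_validate_period(60))
```

With the assumed 60-second idle timeout the script flags the default of 300 seconds and suggests 55, the value Ryan settled on; the ldaptive pruneStrategy idleTime (600) is reported too since it is the other timer worth comparing with the firewall.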