LDAP Url failover Issue with UnboundID / V4

Paul King pking at overtsoftware.com
Thu Nov 5 13:48:55 UTC 2020


Hi All,

We've got an issue that we've been trying to wrap our heads around, and we're wondering if anyone could shed any light.

Since switching to either v3 with UnboundID or v4 (fresh and upgraded instances tested), whenever the last LDAP server in the "idp.authn.LDAP.ldapURL" list is down, it effectively breaks authentication. If the unavailable LDAP server is anywhere else in the list, it works the same as in v3 pre-UnboundID, that is, it just carries on without issue using the other available LDAP servers. The resolver still works regardless of where the unavailable LDAP server is in the list, as it did before switching to UnboundID.

So given an ldapURL like this:

idp.authn.LDAP.ldapURL = ldap://ldap1.example.local:389 ldap://ldap2.example.local:389 ldap://ldap3.example.local:389

If ldap1.example.local:389 or ldap2.example.local:389 is down, authentication is resilient and fails over to the next LDAP server in the list as expected. However, if ldap3.example.local:389 is down, when a user attempts to enter their credentials it logs the following error and does not authenticate the user, regardless of whether the other specified servers are up:

2020-10-29 15:12:16,001 - DEBUG [net.shibboleth.idp.authn.impl.LDAPCredentialValidator:136] - Credential Validator ldap: Attempting to authenticate user userBlah
2020-10-29 15:12:16,002 - DEBUG [net.shibboleth.idp.authn.PooledTemplateSearchDnResolver:226] - resolve user=[org.ldaptive.auth.User at 1186726382::identifier=userBlah, context=org.apache.velocity.VelocityContext at 8cc392d]
2020-10-29 15:12:16,021 - DEBUG [org.ldaptive.provider.unboundid.UnboundIDConnectionFactory:90] - Error connecting to LDAP URL: ldap://ldap1.example.local:389 ldap://ldap2.example.local:389 ldap://ldap3.example.local:389
org.ldaptive.provider.ConnectionException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ldap3.example.local:389:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap3.example.local:389:  ConnectException(Connection refused (Connection refused)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))')
    at org.ldaptive.provider.unboundid.UnboundIDConnectionFactory.createInternal(UnboundIDConnectionFactory.java:65)
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server ldap3.example.local:389:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap3.example.local:389:  ConnectException(Connection refused (Connection refused)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:875)
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap3.example.local:389:  ConnectException(Connection refused (Connection refused)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')
    at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:185)
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to establish a connection to server ldap3.example.local:389:  ConnectException(Connection refused (Connection refused)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb
    at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:269)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
    at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
2020-10-29 15:12:16,021 - ERROR [org.ldaptive.pool.BlockingConnectionPool:457] - [org.ldaptive.pool.BlockingConnectionPool at 1583488429::name=search-pool, poolConfig=[org.ldaptive.pool.PoolConfig at 1021804183::minPoolSize=3, maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false, validatePeriodically=true, validatePeriod=PT5M, validateTimeout=PT5S], activator=null, passivator=null, validator=[org.ldaptive.pool.SearchValidator at 1469339442::searchRequest=[org.ldaptive.SearchRequest at -715611116::baseDn=, searchFilter=[org.ldaptive.SearchFilter at 1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=PT0S, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null]] pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy at 1674108056::prunePeriod=PT5M, idleTime=PT10M], connectOnCreate=true, connectionFactory=[org.ldaptive.DefaultConnectionFactory at 1202521034::provider=org.ldaptive.provider.unboundid.UnboundIDProvider at 40167ad, config=[org.ldaptive.ConnectionConfig at 414987420::ldapUrl=ldap://ldap1.example.local:389 ldap://ldap2.example.local:389 ldap://ldap3.example.local:389, connectTimeout=PT3S, responseTimeout=PT3S, sslConfig=[org.ldaptive.ssl.SslConfig at 1312521522::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig at ace827e, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer at 147880794::bindDn=bindUser at example.local, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.DefaultConnectionStrategy at 2b9d97b4]], initialized=true, availableCount=0, activeCount=0] unable to connect to the ldap
org.ldaptive.provider.ConnectionException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ldap3.example.local:389:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap3.example.local:389:  ConnectException(Connection refused (Connection refused)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))')
    at org.ldaptive.provider.unboundid.UnboundIDConnectionFactory.createInternal(UnboundIDConnectionFactory.java:65)
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server ldap3.example.local:389:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap3.example.local:389:  ConnectException(Connection refused (Connection refused)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:875)
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap3.example.local:389:  ConnectException(Connection refused (Connection refused)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')
    at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:185)
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to establish a connection to server ldap3.example.local:389:  ConnectException(Connection refused (Connection refused)), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb
    at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:269)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
    at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
2020-10-29 15:12:16,022 - WARN [org.ldaptive.pool.BlockingConnectionPool:544] - unable to create active connection
2020-10-29 15:12:16,022 - ERROR [org.ldaptive.pool.BlockingConnectionPool:151] - Could not service check out request

Is this a known issue, a configuration problem, or a bug?

Many thanks in advance,

Kind regards,

Paul King
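The post reports that authentication breaks only when the last server in the space-separated idp.authn.LDAP.ldapURL list is unreachable, while the same outage anywhere else in the list is tolerated. Before filing a bug or changing the connection strategy, an administrator usually wants a quick, reproducible picture of which configured servers are reachable right now and whether the outage is in that last position. The script below is an added example, not code from the post or from Shibboleth or ldaptive: it parses the property value exactly as the IdP expects it (whitespace-separated URLs, default ports 389/636), probes each server with a plain TCP connect using a 3-second timeout to match the connectTimeout=PT3S visible in the log, and summarises the result against the symptom described. The sample property value is taken from the post; the connector is injectable so the logic can be exercised without a network.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample: the idp.authn.LDAP.ldapURL value quoted in the post.
LDAP_URL_PROPERTY = (
    "ldap://ldap1.example.local:389 "
    "ldap://ldap2.example.local:389 "
    "ldap://ldap3.example.local:389"
)

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_urls(value):
    """Split the whitespace-separated ldapURL property into (scheme, host, port)
    tuples, preserving configured order; order matters for the reported symptom."""
    servers = []
    for url in value.split():
        parts = urlsplit(url)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"unsupported LDAP URL: {url!r}")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        servers.append((parts.scheme, parts.hostname, port))
    return servers


def tcp_reachable(host, port, timeout=3.0):
    """Real connector: a TCP connect with a timeout matching connectTimeout=PT3S.
    A refused or timed-out connect is reported as unreachable, not raised."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_servers(value, connector=tcp_reachable):
    """Probe every configured server in list order. `connector` is injectable
    (hypothetical parameter for this example) so the logic can run offline."""
    results = []
    for scheme, host, port in parse_ldap_urls(value):
        results.append({
            "url": f"{scheme}://{host}:{port}",
            "host": host,
            "port": port,
            "reachable": connector(host, port),
        })
    return results


def assess(results):
    """Summarise a probe against the post's symptom: any server down is worth
    knowing, but the last server being down is the case reported to break
    authentication even when the others are up."""
    up = [r["url"] for r in results if r["reachable"]]
    down = [r["url"] for r in results if not r["reachable"]]
    last_down = bool(results) and not results[-1]["reachable"]
    return {
        "up": up,
        "down": down,
        "last_server_down": last_down,
        "any_up": bool(up),
    }


if __name__ == "__main__":
    # Live run: probes the configured hosts from this machine.
    report = assess(probe_servers(LDAP_URL_PROPERTY))
    for key, val in report.items():
        print(f"{key}: {val}")
```

Run it from the IdP host itself, since that is where the connect is attempted; a report showing any_up true together with last_server_down true is the exact condition the post describes, and is the evidence to attach when asking whether the connection strategy or the provider is at fault. Note that a successful TCP connect only shows the port is open, not that a bind would succeed, so a server that accepts connections but fails the bind would still count as "up" here.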