Shibboleth IdP v4.0.1 and too many LDAP connections ESTABLISHED
Marco Malavolti
marco.malavolti at garr.it
Fri Nov 27 11:47:18 UTC 2020
Good morning to all,
I need help because I don't understand why, every time I reload my
Shibboleth IdP v4.0.1 (Debian 10 + OpenLDAP/slapd installed on
localhost:389 without STARTTLS) with:
touch /opt/jetty/webapps/idp.xml
the system adds 6 new LDAP connections:
tcp        0      0 127.0.0.1:389           127.0.0.1:37938         ESTABLISHED 7237/slapd
and the previous connections are not closed and stay "ESTABLISHED"
indefinitely.
If I reload my Shibboleth IdP several times, the number of LDAP
connections reaches the maximum number accepted and I need to perform a
global Jetty restart with "systemctl restart jetty.service" to get back
to normal activity.
I use all the default values provided by the "dist" versions of
"ldap.properties" and "attribute-resolver-ldap.xml", which I report here:
ldap.properties (dist-version) properties:

# pool passivator, either none, bind or anonymousBind
#idp.authn.LDAP.bindPoolPassivator = none

# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
idp.attribute.resolver.LDAP.ldapURL            = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout     = %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout    = %{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.baseDN             = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN             = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.useStartTLS        = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates  = %{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter       = (uid=$resolutionContext.principal)
idp.attribute.resolver.LDAP.exportAttributes   = ### List space-separated of attributes to retrieve from the directory directly ###

# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize                = 3
#idp.pool.LDAP.maxSize                = 10
#idp.pool.LDAP.validateOnCheckout     = false
#idp.pool.LDAP.validatePeriodically   = true
#idp.pool.LDAP.validatePeriod         = PT5M
#idp.pool.LDAP.validateDN             =
#idp.pool.LDAP.validateFilter         = (objectClass=*)
#idp.pool.LDAP.prunePeriod            = PT5M
#idp.pool.LDAP.idleTime               = PT10M
#idp.pool.LDAP.blockWaitTime          = PT3S
=========================================================
attribute-resolver-ldap.xml (dist-version) LDAP <DataConnector>:

    <!-- LDAP Connector -->
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
        exportAttributes="%{idp.attribute.resolver.LDAP.exportAttributes}">
        <FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </FilterTemplate>
        <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            validateDN="%{idp.pool.LDAP.validateDN:}"
            validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
    </DataConnector>
=========================================================
Has anyone met the same problem and know how I can solve it?
Thank you so much, really!
--
Marco Malavolti
Consortium GARR - Servizio IDEM GARR AAI
Via dei Tizii, 6 - I-00185 (ROMA)
CF: 97284570583 - PI:07577141000
Mobile: +39 331 608 3639
Skype: marco.mala
PGP KEY: https://keys.openpgp.org/search?q=marco.malavolti@garr.it
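The symptom described in the message above (6 new ESTABLISHED connections to slapd on every reload, old ones never closed, until the server's limit is hit) can be checked from the IdP host without guessing. The script below is an added example and is not part of the original post nor of the Shibboleth or ldaptive projects: it parses `netstat -tnp` style output, counts ESTABLISHED client-side connections to the LDAP port per owning process, and compares the count with what the dist pool settings allow. It assumes the dist defaults quoted in the message (minPoolSize=3, maxPoolSize=10) and that a stock IdP owns two LDAP pools (authentication and the attribute resolver, which is consistent with the 6 connections seen per reload); the netstat sample, the PIDs and the `expected_pools` parameter are constructed for illustration.

```python
"""Spot leaked Shibboleth IdP LDAP connection pools from `netstat -tnp` output.

Added example, not code from the original post or from Shibboleth/ldaptive.
Assumptions (constructed): dist pool defaults minPoolSize=3 / maxPoolSize=10,
and two pools per IdP (authn + attribute resolver), so a healthy, idle IdP
should hold about 2 x 3 = 6 ESTABLISHED connections to slapd.
"""
import math
import sys
from collections import Counter

LDAP_PORT = 389


def parse_netstat(output):
    """Yield (local_port, remote_port, state, process) per `netstat -tnp` data
    line. Header lines and anything without the expected 7 fields are skipped."""
    for line in output.splitlines():
        fields = line.split()
        # netstat -tnp: proto recv-q send-q local foreign state pid/program
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue
        try:
            local_port = int(fields[3].rsplit(":", 1)[1])
            remote_port = int(fields[4].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        yield local_port, remote_port, fields[5], fields[6]


def ldap_client_connections(output, ldap_port=LDAP_PORT):
    """Count ESTABLISHED client-side sockets whose peer is ldap_port, per process.
    The slapd side of the same sockets (local port 389) is deliberately not
    counted, so each TCP connection contributes once; TIME_WAIT is ignored."""
    counts = Counter()
    for _local, remote, state, proc in parse_netstat(output):
        if state == "ESTABLISHED" and remote == ldap_port:
            counts[proc] += 1
    return dict(counts)


def suspect_leaks(counts, expected_pools=2, min_pool_size=3, max_pool_size=10):
    """Classify each process:
    'certain' - more connections than expected_pools pools could hold even
                when all are grown to maxPoolSize, so extra pools are alive;
    'likely'  - the count, read as idle pools pruned back to minPoolSize,
                implies more pools than expected (false positive possible
                under load, when legitimate pools have grown past minimum)."""
    verdicts = {}
    for proc, n in counts.items():
        pools_at_max = math.ceil(n / max_pool_size)   # lower bound on live pools
        pools_at_min = n // min_pool_size              # estimate if every pool is idle
        if pools_at_max > expected_pools:
            verdicts[proc] = "certain"
        elif pools_at_min > expected_pools:
            verdicts[proc] = "likely"
    return verdicts


# Constructed sample: the IdP JVM (PID 1234) after two reloads, each of which
# opened 6 new connections, plus the matching slapd side (PID 7237), one
# TIME_WAIT remnant and an unrelated outbound HTTPS session.
SAMPLE_NETSTAT = "\n".join(
    ["Active Internet connections (w/o servers)",
     "Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name"]
    + [f"tcp 0 0 127.0.0.1:{37938 + i} 127.0.0.1:389 ESTABLISHED 1234/java"
       for i in range(12)]
    + [f"tcp 0 0 127.0.0.1:389 127.0.0.1:{37938 + i} ESTABLISHED 7237/slapd"
       for i in range(12)]
    + ["tcp 0 0 127.0.0.1:37900 127.0.0.1:389 TIME_WAIT -",
       "tcp 0 0 192.0.2.10:48122 198.51.100.7:443 ESTABLISHED 1234/java"]
)

if __name__ == "__main__":
    # Live use on the IdP host (root needed for PID/program names):
    #   netstat -tnp | python3 ldap_pool_check.py
    # With no piped input the constructed sample above is analysed instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    counts = ldap_client_connections(data)
    for proc, n in counts.items():
        print(f"{proc}: {n} ESTABLISHED connections to :{LDAP_PORT}")
    for proc, verdict in suspect_leaks(counts).items():
        print(f"WARNING {proc}: leaked LDAP pool(s) {verdict}; "
              f"reload again and re-check, or restart Jetty to release them")
```

Run it before and after a `touch /opt/jetty/webapps/idp.xml`: a healthy reload keeps the per-process count near `expected_pools * minPoolSize`, whereas the behaviour reported above shows it growing by `expected_pools * minPoolSize` every time, which is what the 'likely' and then 'certain' verdicts capture. Restarting Jetty releases the sockets because the JVM that owns them exits; it does not change the pool configuration.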