Shib IdP v 4.2.1 + LDAP connections in Tomcat

Lee Foltz foltz2 at oakland.edu
Mon Nov 7 19:29:06 UTC 2022


In ldap.properties we use this setting, in
shibboleth-idp/conf/ldap.properties.

idp.authn.LDAP.connectTimeout                  = 5000

On Mon, Nov 7, 2022 at 10:29 AM Mak, Steven via users <users at shibboleth.net>
wrote:

> Hi all,
>
> I wanted to ask the users list if I was doing something wrong.
>
> We are currently using Shibboleth IDP v4.2.1 upgraded from v3 over the
> years.
>
> We recently added an LDAP data connector using these non-default pool
> settings (everything else default):
>
> minPoolSize=3
> maxPoolSize=100
> blockWaitTime=PT1S
> validatePeriodically=true
> validateTimerPeriod=PT10S
> expirationTime=PT30S
> prunePeriod=PT15S
>
> So I've noticed with netstat the number of ESTABLISHED LDAP connections on
> startup = 6 connections (not 3). And then every time the resolver reloads,
> it yields +6 more connections.
>
> If I reload the resolver as a test, it will add 6 more ldap connections
> for every reload and they don't go away. My production IdP stayed at 36
> established ldap connections for 10 days even during low load periods. The
> connections don't go away until I restart tomcat.
>
> I read through some older emails in here and Scott stated that unboundid
> should not have these types of persistent ldap connections. I don't think
> I've purposely disabled unboundid.
>
> I was curious if maybe this is something I need to fix in tomcat or maybe
> at the OS.
>
> Thanks,
>
> Steve Mak


-- 
Lee Foltz
Oakland University - UTS
Senior Identity and Access Management Engineer

248-370-2675
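
The netstat check described in the quoted message can be scripted so the connection count is recorded before and after each resolver reload. The following is an added example, not part of the original thread or of Shibboleth; the function names, the LDAP ports 389/636, the baseline value and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: count ESTABLISHED LDAP connections in `netstat -tn` output.
# Ports 389/636 are an assumption; override LDAP_PORTS for other directories.
LDAP_PORTS="${LDAP_PORTS:-389 636}"

# stdin: netstat -tn output. stdout: "<ldap server addr:port> <count>" lines.
ldap_established() {
    awk -v ports="$LDAP_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            port = $5; sub(/.*:/, "", port)   # field 5 is the foreign address
            if (port in want) count[$5]++
        }
        END { for (r in count) print r, count[r] }
    ' | sort
}

# stdin: netstat -tn output. stdout: total ESTABLISHED LDAP connections.
ldap_established_total() {
    ldap_established | awk '{ s += $2 } END { print s + 0 }'
}

# usage: check_ldap_baseline <total> <baseline>; returns 1 when total > baseline.
check_ldap_baseline() {
    if [ "$1" -gt "$2" ]; then
        echo "WARN: $1 established LDAP connections, baseline $2" >&2
        return 1
    fi
    echo "OK: $1 established LDAP connections, baseline $2"
}

# Constructed sample: 12 pooled LDAPS connections (startup 6 plus one reload),
# one LDAPS socket in TIME_WAIT, and one unrelated connection.
sample_netstat() {
    echo "Active Internet connections (w/o servers)"
    echo "Proto Recv-Q Send-Q Local Address      Foreign Address    State"
    i=1
    while [ "$i" -le 12 ]; do
        echo "tcp 0 0 198.51.100.5:$((40000 + i)) 192.0.2.10:636 ESTABLISHED"
        i=$((i + 1))
    done
    echo "tcp 0 0 198.51.100.5:40100 192.0.2.10:636 TIME_WAIT"
    echo "tcp 0 0 198.51.100.5:8443 203.0.113.7:51000 ESTABLISHED"
}

sample_netstat | ldap_established   # live host: netstat -tn | ldap_established
```

Running `check_ldap_baseline "$(netstat -tn | ldap_established_total)" 6` from cron or a monitoring agent flags the growth the poster saw after each reload, using the startup count of 6 from the message as the baseline.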