Disable LDAP Pooling

Disable LDAP Pooling

Crawford, Jeffrey

Hi All,

We have a misbehaving load balancer in front of our LDAP server that seems to drop connections that are open for too long, despite being configured to allow connections up to one hour. Until we can figure out why that is happening, we want to disable pooling on the attribute resolver. We tried commenting out the section:
        <ConnectionPool minPoolSize="3"
                        maxPoolSize="10"
                        blockWhenEmpty="true"
                        blockWaitTime="PT5S"
                        validatePeriodically="true"
                        validateTimerPeriod="PT30M"
                        expirationTime="PT10M"/>

But that seems to revert pooling to default values. Is there a flag of some sort that disables pooling altogether?

Thanks

Jeffrey C.


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Disable LDAP Pooling

Cantor, Scott E.
On 1/14/20, 1:16 PM, "users on behalf of Crawford, Jeffrey" <[hidden email] on behalf of [hidden email]> wrote:

> We tried commenting out the section:
> But that seems to revert pooling to default values, is there a flag of some sort that disables pooling altogether?

The code is:

        final BeanDefinition connectionPool = v2Parser.createConnectionPool(connectionFactory.getBeanDefinition());
        BeanDefinitionBuilder pooledConnectionFactory = null;
        if (connectionPool != null) {
            pooledConnectionFactory = BeanDefinitionBuilder.genericBeanDefinition(PooledConnectionFactory.class);
            pooledConnectionFactory.addConstructorArgValue(connectionPool);
            builder.addPropertyValue("connectionFactory", pooledConnectionFactory.getBeanDefinition());
        } else {
            builder.addPropertyValue("connectionFactory", connectionFactory.getBeanDefinition());
        }

With no element, connectionPool is null and it shouldn't be using a pooled connection factory, so my read is it wouldn't be pooling.

-- Scott



Re: Disable LDAP Pooling

Rod Widdowson
In reply to this post by Crawford, Jeffrey
I’m AFI and I cannot remember the details of the ldaptive configuration, but what does maxpoolsize=0 do?
/r


Re: Disable LDAP Pooling

Crawford, Jeffrey
In reply to this post by Cantor, Scott E.
We are seeing the following in our LDAP logs, which seems to indicate that it's using a pool (all the same connection). This is just a snippet, but note the search base of "" and the objectClass=* searches in between:

Jan 14 09:37:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2418 SEARCH RESULT tag=101 err=0 qtime=0.000058 etime=0.470019 nentries=1 text=
Jan 14 09:50:18 iam-ed-t02 slapd[20805]: conn=1551805 op=2419 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opusadmin)"
Jan 14 09:50:18 iam-ed-t02 slapd[20805]: conn=1551805 op=2419 SEARCH RESULT tag=101 err=0 qtime=0.000057 etime=0.015062 nentries=1 text=
Jan 14 09:50:18 iam-ed-t02 slapd[20805]: conn=1551805 op=2420 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opusadmin)"
Jan 14 09:50:18 iam-ed-t02 slapd[20805]: conn=1551805 op=2420 SEARCH RESULT tag=101 err=0 qtime=0.000072 etime=0.058399 nentries=1 text=
Jan 14 09:57:41 iam-ed-t02 slapd[20805]: conn=1551805 op=2421 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=jeffreycrawford)"
Jan 14 09:57:41 iam-ed-t02 slapd[20805]: conn=1551805 op=2421 SEARCH RESULT tag=101 err=0 qtime=0.000069 etime=0.048988 nentries=1 text=
Jan 14 09:57:47 iam-ed-t02 slapd[20805]: conn=1551805 op=2422 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=jeffreycrawford)"
Jan 14 09:57:47 iam-ed-t02 slapd[20805]: conn=1551805 op=2422 SEARCH RESULT tag=101 err=0 qtime=0.000115 etime=0.386680 nentries=1 text=
Jan 14 10:07:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2423 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jan 14 10:07:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2423 SRCH attr=1.1
Jan 14 10:07:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2423 SEARCH RESULT tag=101 err=0 qtime=0.000093 etime=0.470235 nentries=1 text=
Jan 14 10:35:14 iam-ed-t02 slapd[20805]: conn=1551805 op=2424 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opusadmin)"
Jan 14 10:35:14 iam-ed-t02 slapd[20805]: conn=1551805 op=2424 SEARCH RESULT tag=101 err=0 qtime=0.000067 etime=0.917766 nentries=1 text=
Jan 14 10:35:14 iam-ed-t02 slapd[20805]: conn=1551805 op=2425 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opusadmin)"
Jan 14 10:35:14 iam-ed-t02 slapd[20805]: conn=1551805 op=2425 SEARCH RESULT tag=101 err=0 qtime=0.000069 etime=0.959024 nentries=1 text=
Jan 14 10:37:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2426 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jan 14 10:37:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2426 SRCH attr=1.1
Jan 14 10:37:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2426 SEARCH RESULT tag=101 err=0 qtime=0.000043 etime=0.469710 nentries=1 text=
Jan 14 10:38:46 iam-ed-t02 slapd[20805]: conn=1551805 op=2427 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opussa1)"
Jan 14 10:38:46 iam-ed-t02 slapd[20805]: conn=1551805 op=2427 SEARCH RESULT tag=101 err=0 qtime=0.000052 etime=0.801628 nentries=1 text=
Jan 14 10:38:46 iam-ed-t02 slapd[20805]: conn=1551805 op=2428 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opussa1)"
Jan 14 10:38:46 iam-ed-t02 slapd[20805]: conn=1551805 op=2428 SEARCH RESULT tag=101 err=0 qtime=0.000090 etime=0.919629 nentries=1 text=
Jan 14 10:43:19 iam-ed-t02 slapd[20805]: conn=1551805 op=2429 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opusadmin)"
Jan 14 10:43:19 iam-ed-t02 slapd[20805]: conn=1551805 op=2429 SEARCH RESULT tag=101 err=0 qtime=0.000427 etime=0.872264 nentries=1 text=
Jan 14 10:43:19 iam-ed-t02 slapd[20805]: conn=1551805 op=2430 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opusadmin)"
Jan 14 10:43:19 iam-ed-t02 slapd[20805]: conn=1551805 op=2430 SEARCH RESULT tag=101 err=0 qtime=0.000041 etime=0.923690 nentries=1 text=
Jan 14 10:46:03 iam-ed-t02 slapd[20805]: conn=1551805 op=2431 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=jeffreycrawford)"
Jan 14 10:46:03 iam-ed-t02 slapd[20805]: conn=1551805 op=2431 SEARCH RESULT tag=101 err=0 qtime=0.000078 etime=0.132187 nentries=1 text=
Jan 14 10:46:03 iam-ed-t02 slapd[20805]: conn=1551805 op=2432 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=jeffreycrawford)"
Jan 14 10:46:03 iam-ed-t02 slapd[20805]: conn=1551805 op=2432 SEARCH RESULT tag=101 err=0 qtime=0.000043 etime=0.194771 nentries=1 text=
Jan 14 10:46:09 iam-ed-t02 slapd[20805]: conn=1551805 op=2433 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=jeffreycrawford)"
Jan 14 10:46:09 iam-ed-t02 slapd[20805]: conn=1551805 op=2433 SEARCH RESULT tag=101 err=0 qtime=0.000027 etime=0.435241 nentries=1 text=


Re: Disable LDAP Pooling

Cantor, Scott E.
On 1/14/20, 1:49 PM, "users on behalf of Crawford, Jeffrey" <[hidden email] on behalf of [hidden email]> wrote:

> We are seeing the following in our LDAP logs which seems to indicate that it's using a pool (All the same connection).
> This is just a snippet but note the search base of "" and the objectClass=* searches in between:

I would look at the IdP half and just observe what it does on DEBUG to see what connections it creates and when. But aside from the code, Daniel would have to weigh in.

-- Scott



Re: Disable LDAP Pooling

Michael A Grady
In reply to this post by Crawford, Jeffrey
There is pooling for authentication (on by default) and pooling for the resolver (not on by default). I've not tried to "turn it off" for authentication, but that is where you'd still have pooling (authn/ldap-authn-config.xml).

--
Michael A. Grady
IAM Architect, Unicon, Inc.





Re: Disable LDAP Pooling

Crawford, Jeffrey
In reply to this post by Michael A Grady

Auth points to a different LDAP environment; our LDAP has the attributes, not the passwords, so this LDAP only has the attribute-resolver.xml pointing to it.


Re: [EXT] Disable LDAP Pooling

Yeargan, Yancey
We also have a load-balancer with short timeouts.

Did you explicitly configure the pool's connection validator? 

I am guessing that the ..
SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
.. is the default validator configuration, but that may not be appropriate for your needs.


We pass the following to org.ldaptive.pool.BlockingConnectionPool to explicitly configure the search BaseDN and the LDAP filter for the connection validation checks ...

<property name="validator">
  <bean class="org.ldaptive.pool.SearchValidator">
    <property name="searchRequest">
      <bean class="org.ldaptive.SearchRequest">
        <constructor-arg value="%{idp.pool.LDAP.validatorBaseDN}" />
        <constructor-arg value="%{idp.pool.LDAP.validatorFilter}" />
      </bean>
    </property>
  </bean>
</property>


We also explicitly configure the pool's connection pruning strategy for short time periods.

<property name="pruneStrategy">
  <bean class="org.ldaptive.pool.IdlePruneStrategy"
      p:prunePeriod="%{idp.pool.LDAP.prunePeriod:300}"
      p:idleTime="%{idp.pool.LDAP.idleTime:600}" />
</property>


In ldap.properties, we have ...

idp.pool.LDAP.minSize = 17
idp.pool.LDAP.maxSize = 37

idp.pool.LDAP.validateOnCheckin    = false
idp.pool.LDAP.validateOnCheckout   = false
idp.pool.LDAP.validatePeriodically = true
# just under five minutes (a '#' after the value would be read as part of the value)
idp.pool.LDAP.validatePeriod       = 270

idp.pool.LDAP.prunePeriod = 300
idp.pool.LDAP.idleTime    = 600

idp.pool.LDAP.blockWaitTime = 3000

idp.pool.LDAP.failFastInitialize = false

idp.pool.LDAP.validatorBaseDN = o=unt
idp.pool.LDAP.validatorFilter = (objectclass=organization)


If you're interested, I will send you the entire LDAP configuration.

Yancey Yeargan
IT Manager
IT Shared Services
________________________________
UNIVERSITY OF NORTH TEXAS SYSTEM
Office: 940.369.7521



On Jan 14, 2020, at 12:56 PM, Crawford, Jeffrey <[hidden email]> wrote:

Auth points to a different LDAP environment, our LDAP has the attributes, not the passwords, so this ldap only has the attribute-resolver.xml pointing to it.
 
From: users <[hidden email]> on behalf of Michael A Grady <[hidden email]>
Reply-To: Shib Users <[hidden email]>
Date: Tuesday, January 14, 2020 at 10:54 AM
To: Shib Users <[hidden email]>
Subject: Re: Disable LDAP Pooling
 
There is pooling for authentication (on by default) and pooling for the resolver (not on by default). I've not tried to "turn it off" for authenticaiton, but ath is where you'd still have pooling (authn/ldap-authn-config.xml)


On Jan 14, 2020, at 12:49 PM, Crawford, Jeffrey <[hidden email]> wrote:
 
We are seeing the following in our LDAP logs which seems to indicate that it's using a pool (All the same connection). This is just a snippet but note the search base of "" and the objectClass=* searches in between:

Jan 14 09:37:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2418 SEARCH RESULT tag=101 err=0 qtime=0.000058 etime=0.470019 nentries=1 text=
Jan 14 09:50:18 iam-ed-t02 slapd[20805]: conn=1551805 op=2419 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opusadmin)"
Jan 14 09:50:18 iam-ed-t02 slapd[20805]: conn=1551805 op=2419 SEARCH RESULT tag=101 err=0 qtime=0.000057 etime=0.015062 nentries=1 text=
Jan 14 09:50:18 iam-ed-t02 slapd[20805]: conn=1551805 op=2420 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opusadmin)"
Jan 14 09:50:18 iam-ed-t02 slapd[20805]: conn=1551805 op=2420 SEARCH RESULT tag=101 err=0 qtime=0.000072 etime=0.058399 nentries=1 text=
Jan 14 09:57:41 iam-ed-t02 slapd[20805]: conn=1551805 op=2421 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=jeffreycrawford)"
Jan 14 09:57:41 iam-ed-t02 slapd[20805]: conn=1551805 op=2421 SEARCH RESULT tag=101 err=0 qtime=0.000069 etime=0.048988 nentries=1 text=
Jan 14 09:57:47 iam-ed-t02 slapd[20805]: conn=1551805 op=2422 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=jeffreycrawford)"
Jan 14 09:57:47 iam-ed-t02 slapd[20805]: conn=1551805 op=2422 SEARCH RESULT tag=101 err=0 qtime=0.000115 etime=0.386680 nentries=1 text=
Jan 14 10:07:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2423 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jan 14 10:07:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2423 SRCH attr=1.1
Jan 14 10:07:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2423 SEARCH RESULT tag=101 err=0 qtime=0.000093 etime=0.470235 nentries=1 text=
Jan 14 10:35:14 iam-ed-t02 slapd[20805]: conn=1551805 op=2424 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opusadmin)"
Jan 14 10:35:14 iam-ed-t02 slapd[20805]: conn=1551805 op=2424 SEARCH RESULT tag=101 err=0 qtime=0.000067 etime=0.917766 nentries=1 text=
Jan 14 10:35:14 iam-ed-t02 slapd[20805]: conn=1551805 op=2425 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opusadmin)"
Jan 14 10:35:14 iam-ed-t02 slapd[20805]: conn=1551805 op=2425 SEARCH RESULT tag=101 err=0 qtime=0.000069 etime=0.959024 nentries=1 text=
Jan 14 10:37:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2426 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jan 14 10:37:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2426 SRCH attr=1.1
Jan 14 10:37:40 iam-ed-t02 slapd[20805]: conn=1551805 op=2426 SEARCH RESULT tag=101 err=0 qtime=0.000043 etime=0.469710 nentries=1 text=
Jan 14 10:38:46 iam-ed-t02 slapd[20805]: conn=1551805 op=2427 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opussa1)"
Jan 14 10:38:46 iam-ed-t02 slapd[20805]: conn=1551805 op=2427 SEARCH RESULT tag=101 err=0 qtime=0.000052 etime=0.801628 nentries=1 text=
Jan 14 10:38:46 iam-ed-t02 slapd[20805]: conn=1551805 op=2428 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opussa1)"
Jan 14 10:38:46 iam-ed-t02 slapd[20805]: conn=1551805 op=2428 SEARCH RESULT tag=101 err=0 qtime=0.000090 etime=0.919629 nentries=1 text=
Jan 14 10:43:19 iam-ed-t02 slapd[20805]: conn=1551805 op=2429 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opusadmin)"
Jan 14 10:43:19 iam-ed-t02 slapd[20805]: conn=1551805 op=2429 SEARCH RESULT tag=101 err=0 qtime=0.000427 etime=0.872264 nentries=1 text=
Jan 14 10:43:19 iam-ed-t02 slapd[20805]: conn=1551805 op=2430 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=opusadmin)"
Jan 14 10:43:19 iam-ed-t02 slapd[20805]: conn=1551805 op=2430 SEARCH RESULT tag=101 err=0 qtime=0.000041 etime=0.923690 nentries=1 text=
Jan 14 10:46:03 iam-ed-t02 slapd[20805]: conn=1551805 op=2431 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=jeffreycrawford)"
Jan 14 10:46:03 iam-ed-t02 slapd[20805]: conn=1551805 op=2431 SEARCH RESULT tag=101 err=0 qtime=0.000078 etime=0.132187 nentries=1 text=
Jan 14 10:46:03 iam-ed-t02 slapd[20805]: conn=1551805 op=2432 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=jeffreycrawford)"
Jan 14 10:46:03 iam-ed-t02 slapd[20805]: conn=1551805 op=2432 SEARCH RESULT tag=101 err=0 qtime=0.000043 etime=0.194771 nentries=1 text=
Jan 14 10:46:09 iam-ed-t02 slapd[20805]: conn=1551805 op=2433 SRCH base="ou=people,dc=edtest,dc=ucla,dc=edu" scope=2 deref=0 filter="(uclaLogonID=jeffreycrawford)"
Jan 14 10:46:09 iam-ed-t02 slapd[20805]: conn=1551805 op=2433 SEARCH RESULT tag=101 err=0 qtime=0.000027 etime=0.435241 nentries=1 text=

On 1/14/20, 10:34 AM, "users on behalf of Cantor, Scott" <[hidden email] on behalf of [hidden email]> wrote:

   On 1/14/20, 1:16 PM, "users on behalf of Crawford, Jeffrey" <[hidden email] on behalf of [hidden email]> wrote:

   > We tried commenting out the section:
   > But that seems to revert pooling to default values, is there a flag of some sort that disables pooling altogether?

   The code is:

           final BeanDefinition connectionPool = v2Parser.createConnectionPool(connectionFactory.getBeanDefinition());
           BeanDefinitionBuilder pooledConnectionFactory = null;
           if (connectionPool != null) {
               pooledConnectionFactory = BeanDefinitionBuilder.genericBeanDefinition(PooledConnectionFactory.class);
               pooledConnectionFactory.addConstructorArgValue(connectionPool);
               builder.addPropertyValue("connectionFactory", pooledConnectionFactory.getBeanDefinition());
           } else {
               builder.addPropertyValue("connectionFactory", connectionFactory.getBeanDefinition());
           }

   With no element connectionPool is null, and it shouldn't be using a pooled connection factory, so my read is it wouldn't be pooling.

   -- Scott

--
Michael A. Grady
IAM Architect, Unicon, Inc.
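
The slapd lines above show one conn= id carrying searches from at least 09:57 to 10:46, with rootDSE searches (base="" scope=0, attr=1.1) at 10:07:40 and 10:37:40, thirty minutes apart, which lines up with the quoted pool's validateTimerPeriod="PT30M". As an added example, not code from this thread, from Shibboleth or from ldaptive, the Python below summarizes slapd stats-level logs per connection over a constructed sample modelled on that excerpt (host, DNs and ids are made up), so an operator can tell from the directory side whether a client is reusing long-lived connections or opening one per query.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in slapd stats-log format (host, DNs, ids made up): one long-lived, probing connection, one short one.
SAMPLE_LOG = """\
Jan 14 09:57:47 ldap01 slapd[20805]: conn=1551805 op=2422 SEARCH RESULT tag=101 err=0 qtime=0.000115 etime=0.386680 nentries=1 text=
Jan 14 10:07:40 ldap01 slapd[20805]: conn=1551805 op=2423 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jan 14 10:35:14 ldap01 slapd[20805]: conn=1551805 op=2424 SRCH base="ou=people,dc=example,dc=edu" scope=2 deref=0 filter="(uid=alice)"
Jan 14 10:37:40 ldap01 slapd[20805]: conn=1551805 op=2426 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jan 14 10:38:00 ldap01 slapd[20805]: conn=1551900 fd=31 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Jan 14 10:38:00 ldap01 slapd[20805]: conn=1551900 op=0 SRCH base="ou=people,dc=example,dc=edu" scope=2 deref=0 filter="(uid=bob)"
Jan 14 10:38:01 ldap01 slapd[20805]: conn=1551900 op=1 UNBIND
Jan 14 10:38:01 ldap01 slapd[20805]: conn=1551900 fd=31 closed
"""
# Syslog stamp, host, slapd[pid], conn id, remainder of the line.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
PROBE_MARK = 'SRCH base="" scope=0'  # rootDSE search: the usual shape of a pool validator's probe

def summarize_connections(log_text):
    """Per connection: first/last timestamp, distinct op ids, closed flag, probe timestamps."""
    conns = defaultdict(lambda: {"first": None, "last": None, "op_ids": set(), "closed": False, "probes": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a conn= id (startup chatter etc.) are ignored
        # Syslog stamps carry no year; strptime fills in 1900, which is harmless for time differences.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        rest = m.group("rest")
        c = conns[int(m.group("conn"))]
        c["first"], c["last"] = c["first"] or ts, ts
        op = re.match(r"op=(\d+)", rest)
        if op:
            c["op_ids"].add(int(op.group(1)))  # SRCH and SEARCH RESULT lines share one op id
        if PROBE_MARK in rest:
            c["probes"].append(ts)
        if rest.endswith(" closed"):
            c["closed"] = True
    return dict(conns)

def probe_intervals_seconds(summary):
    """Spacing between successive probes; a steady value points at a validation timer, i.e. a pool."""
    p = summary["probes"]
    return [(b - a).total_seconds() for a, b in zip(p, p[1:])]

def long_lived_connections(conns, threshold_s):
    """Ids of connections never seen closing whose observed lifetime exceeds threshold_s: pooled (or leaked)."""
    return sorted(cid for cid, s in conns.items()
                  if not s["closed"] and (s["last"] - s["first"]).total_seconds() > threshold_s)
```

Run against a real stats log (loglevel stats), a connection list that stays short-lived after the ConnectionPool element is removed confirms the resolver is no longer pooling; a constant probe interval on a long-lived connection says it still is.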
 
Re: Disable LDAP Pooling

Daniel Fisher-2
In reply to this post by Crawford, Jeffrey
On Tue, Jan 14, 2020 at 1:16 PM Crawford, Jeffrey <[hidden email]> wrote:

> Hi All,
>
> We have a misbehaving load balancer in front of our LDAP server that seems to drop connections that are open for too long, despite being configured to allow connections up to one hour. Until we can figure out why that is happening, we want to disable pooling on the attribute resolver. We tried commenting out the section:
>
>         <ConnectionPool minPoolSize="3"
>                     maxPoolSize="10"
>                     blockWhenEmpty="true"
>                     blockWaitTime="PT5S"
>                     validatePeriodically="true"
>                     validateTimerPeriod="PT30M"
>                     expirationTime="PT10M"/>
>
> But that seems to revert pooling to default values, is there a flag of some sort that disables pooling altogether?


Commenting out the pool config should do the trick. Can you share your configuration and some DEBUG logs for the org.ldaptive package at startup?

--Daniel Fisher
