如何配置ldaptive以使用连接池(JAAS)
[英]How to configure ldaptive to use connection pooling (jaas)
问题描述
我们有一个使用ldap对用户进行身份验证的应用程序。 我们使用https://www.ldaptive.org/作为ldap客户端,并通过jaas登录配置文件对其进行配置。
这是我们的jaas登录配置文件的示例:
ourApplication {
org.ldaptive.jaas.LdapLoginModule required
storePass="true"
ldapUrl="ldap://ldapserver:10389"
baseDn="ou=People,dc=example,dc=com"
useStartTLS="false"
bindDn="uid=admin,ou=People,dc=example,dc=com"
bindCredential="password"
userFilter="(uid={user})";
org.ldaptive.jaas.LdapRoleAuthorizationModule required
useFirstPass="true"
ldapUrl="ldap://ldapserver:10389"
baseDn="ou=Roles,dc=example,dc=com"
roleFilter="(member={dn})"
roleAttribute="cn";
};
这足够好用。 随着时间的流逝,我们开始出现错误,类似于此处所述:
如果链接出现问题,则来自汇聚用户的投诉是,有时无法通过ldap服务器对用户进行身份验证。 报告这样的错误:
2010-08-10 13:04:18,277 ERROR [http-80-8] [user.impl.ldap.LDAPUserManagerReadOnly] getUser Error retrieving user: 'Husein.Alatas' from LDAP.
-- url: /display/Test | userName: Husein.Alatas | referer: http://confluence/display/dashboard/Home | action: notpermitted
com.atlassian.user.impl.ldap.repository.LdapConnectionFailedException: javax.naming.CommunicationException: ldap.atlassian.com:389 [Root exception is java.net.BindException: Address already in use: connect]
at com.atlassian.user.impl.ldap.repository.DefaultLdapContextFactory.getLDAPContext(DefaultLdapContextFactory.java:93)
at com.atlassian.user.impl.ldap.search.DefaultLDAPUserAdaptor.search(DefaultLDAPUserAdaptor.java:70)
at com.atlassian.user.impl.ldap.search.DefaultLDAPUserAdaptor.search(DefaultLDAPUserAdaptor.java:54)
at com.atlassian.user.impl.ldap.LDAPUserManagerReadOnly.getUser(LDAPUserManagerReadOnly.java:70)
at com.atlassian.user.impl.delegation.DelegatingUserManager.getUser(DelegatingUserManager.java:68)
at bucket.user.DefaultUserAccessor.getUser(DefaultUserAccessor.java:146)
...
Caused by: javax.naming.CommunicationException: ldap.atlassian.com:389 [Root exception is java.net.BindException: Address already in use: connect]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:200)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
at com.sun.jndi.ldap.LdapClientFactory.createPooledConnection(LdapClientFactory.java:46)
at com.sun.jndi.ldap.pool.Connections.getOrCreateConnection(Connections.java:185)
...
Caused by: java.net.BindException: Address already in use: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
...
我们正在获得类似的通信并绑定错误。
上面的链接建议运行
netstat -na
我们的应用程序服务器上的命令,以查看与ldap服务器的连接是否打开。 当我这样做时,我看到数百行如下所示:
TCP 129.135.249.138:65525 129.135.28.18:10389 ESTABLISHED
左边的地址是我们的server:port,右边的地址是ldap server:port。 最终,左侧的端口转到65535,这可能是导致无法进行身份验证的原因:所有端口都已占用,因此无法通信。
上面的atlassian链接指向ldaptive jaas配置页面,以获取有关如何为ldaptive配置连接池的示例:
https://www.ldaptive.org/docs/guide/jaas.html
这是ldaptive给出的示例,用于通过jaas配置将ldaptive配置为使用连接池:
ldaptive {
org.ldaptive.jaas.LdapLoginModule required
ldapUrl="ldap://directory.ldaptive.org:389"
baseDn="ou=people,dc=ldaptive,dc=org"
bindDn="cn=priviledged_user,ou=services,dc=vt,dc=edu"
bindCredential="notarealpassword"
useStartTLS="true"
userFilter="(uid={user})"
userRoleAttribute="eduPersonAffiliation"
dnResolver="org.ldaptive.auth.SearchDnResolver"
authenticationHandler="org.ldaptive.auth.SimpleBindAuthenticationHandler"
connectionFactory="org.ldaptive.PooledConnectionFactory"
cacheId="ldaptive-pooled";
};
我一直无法使它正常工作。 首先,我在示例中发现了几个错误:
- ldaptive中没有SimpleBindAuthenticationHandler类。 似乎最可能的类应该是BindAuthenticationHandler。
- PooledConnectionFactory的完全限定的类名应为:org.ldaptive.pool.PooledConnectionFactory
进行这些更改后,我的jaas配置文件如下所示:
ourApplication {
org.ldaptive.jaas.LdapLoginModule required
storePass="true"
ldapUrl="ldap://ldapserver:10389"
baseDn="ou=People,dc=example,dc=com"
useStartTLS="false"
bindDn="uid=admin,ou=People,dc=example,dc=com"
bindCredential="password"
userFilter="(uid={user})"
dnResolver="org.ldaptive.auth.SearchDnResolver"
authenticationHandler="org.ldaptive.auth.BindAuthenticationHandler"
connectionFactory="org.ldaptive.pool.PooledConnectionFactory"
cacheId="ldaptive-pooled";
org.ldaptive.jaas.LdapRoleAuthorizationModule required
useFirstPass="true"
ldapUrl="ldap://ldapserver:10389"
baseDn="ou=Roles,dc=example,dc=com"
roleFilter="(member={dn})"
roleAttribute="cn";
};
现在,当我运行我们的应用程序并尝试进行身份验证时,我在日志文件中看到此错误:
2019-09-12 14:45:10,229 ERROR (ajp-nio-8009-exec-3)[org.ldaptive.props.AbstractPropertyInvoker] Error invoking public void org.ldaptive.auth.SearchDnResolver.setConnectionFactory(org.ldaptive.ConnectionFactory), on [org.ldaptive.auth.SearchDnResolver@1036972035::factory=null, baseDn=, userFilter=null, userFilterParameters=null, allowMultipleDns=false, subtreeSearch=false, derefAliases=null, referralHandler=null], with params org.ldaptive.pool.PooledConnectionFactory
因此,似乎ldaptive无法使用我定义的池配置,主要是根据他们的示例。
有没有人像这样使用ldaptive(通过jaas配置并使用缓冲池)? 是否有人对ldaptive足够了解,可以猜测这里出了什么问题以及如何正确配置它?
我想我也应该问,在ldaptive中进行池化是否可以解决通过netstat -na看到的端口的明显耗尽?
更新:
我能够在我的jaas配置文件中使用池配置:
ourApplication {
org.ldaptive.jaas.LdapLoginModule required
storePass="true"
ldapUrl="ldap://ldapserver:10389"
baseDn="ou=People,dc=example,dc=com"
useStartTLS="false"
bindDn="uid=admin,ou=People,dc=example,dc=com"
bindCredential="password"
userFilter="(uid={user})"
dnResolver="org.ldaptive.auth.PooledSearchDnResolver"
authenticationHandler="org.ldaptive.auth.PooledBindAuthenticationHandler"
pruneStrategy="org.ldaptive.pool.IdlePruneStrategy{{prunePeriod=PT3M}{idleTime=PT6M}}"
cacheId="ldaptive-users-pooled";
org.ldaptive.jaas.LdapRoleAuthorizationModule required
useFirstPass="true"
ldapUrl="ldap://ldapserver:10389"
baseDn="ou=Roles,dc=example,dc=com"
roleFilter="(member={dn})"
roleAttribute="cn"
dnResolver="org.ldaptive.auth.PooledSearchDnResolver"
authenticationHandler="org.ldaptive.auth.PooledBindAuthenticationHandler"
pruneStrategy="org.ldaptive.pool.IdlePruneStrategy{{prunePeriod=PT3M}{idleTime=PT6M}}"
cacheId="ldaptive-roles-pooled";
};
这似乎确实有所不同,但是我仍然看到(在我看来)在我们的应用程序服务器和ldap服务器之间仍然有太多连接保持打开状态。 这是netstat -na输出的示例:
TCP 129.135.28.210:61285 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61288 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61290 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61292 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61294 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61299 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61301 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61303 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61309 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61311 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61313 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61317 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61319 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61323 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61336 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61338 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61340 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61342 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61344 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61346 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61348 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61350 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61353 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61355 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61359 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61374 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61376 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61378 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61380 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61383 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61385 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61389 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61396 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61398 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61400 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61402 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61404 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61408 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61416 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61419 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61421 129.135.28.18:10389 ESTABLISHED
TCP 129.135.28.210:61423 129.135.28.18:10389 ESTABLISHED
当我第一次对此进行调查时,实际上应用程序服务器端使用的所有端口都是连续的。 现在看来,最多每个其他端口都在使用中,甚至还有2、3、4和更多端口之间的间隔。 请注意,此示例是在上一次ldap活动之后将近两个小时拍摄的。
在ldap活动停止后,为什么这些连接会保留这么长时间? 池/修剪配置是否应该做更多以减少连接数? 我猜想它会带来更多帮助。
1 个解决方案
解决方案1
2 已采纳 2019-09-14 13:54:05
请注意,ldaptive文档正在过渡到版本2。这就是为什么文档似乎不同步的原因。 可以在http://www.ldaptive.org/v1/中找到版本1文档。
问题的原因是此错误: https : //bugs.openjdk.java.net/browse/JDK-8217606
现在的解决方案是使用UnboundID提供程序。 更新您的JAAS配置,并将ldaptive-unboundid和unboundid jars添加到您的类路径中。
ourApplication {
org.ldaptive.jaas.LdapLoginModule required
storePass="true"
provider="org.ldaptive.provider.unboundid.UnboundIDProvider"
ldapUrl="ldap://ldapserver:10389"
baseDn="ou=People,dc=example,dc=com"
useStartTLS="false"
bindDn="uid=admin,ou=People,dc=example,dc=com"
bindCredential="password"
userFilter="(uid={user})";
org.ldaptive.jaas.LdapRoleAuthorizationModule required
useFirstPass="true"
provider="org.ldaptive.provider.unboundid.UnboundIDProvider"
ldapUrl="ldap://ldapserver:10389"
baseDn="ou=Roles,dc=example,dc=com"
roleFilter="(member={dn})"
roleAttribute="cn";
};
如何为连接池配置Hibernate,Spring和Apache dbcp?
[英]How to configure Hibernate, Spring and Apache dbcp for connection pooling?
如何在Spring Boot中使用自定义前缀配置数据库配置连接池?
[英]How to configure database configuration connection pooling with custom prefix in Spring Boot?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.