15-second LDAP queries

I have a JBoss application server that uses LDAP for authentication. Recently, we noticed that there are many slow queries (> 15 seconds).

I took several thread dumps of the server and noticed many threads blocked waiting on: com.sun.jndi.ldap.LdapRequest@54ceac

    java.lang.Object.wait(Native Method)
    com.sun.jndi.ldap.Connection.readReply(Connection.java:418)
    com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:340)
    com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
    com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
    com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
    com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:134)
    com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:35)
    javax.naming.spi.NamingManager.getURLObject(NamingManager.java:584)

All requests that I saw waiting in this state took more than 15 seconds. We monitor the LDAP server, and all requests from the monitoring tool complete in less than 200 ms. This makes me think the problem is in the com.sun.jndi.ldap code. Decompiling the class com.sun.jndi.ldap.Connection (jdk1.5.0_12) I see the following:

    BerDecoder readReply(LdapRequest ldaprequest) throws IOException, NamingException {
    _L2:
        BerDecoder berdecoder;
        if((berdecoder = ldaprequest.getReplyBer()) != null)
            break; /* Loop/switch isn't completed */
        try {
    label0:
            {
                synchronized(this) {
                    if(sock == null)
                        throw new ServiceUnavailableException((new StringBuilder()).append(host).append(":").append(port).append("; socket closed").toString());
                }
                synchronized(ldaprequest) {
                    berdecoder = ldaprequest.getReplyBer();
                    if(berdecoder == null) {
                        ldaprequest.wait(15000L);
                        break label0;
                    }
                }
                break; /* Loop/switch isn't completed */
            }
        }
        ...

The latency appears to be 16,000 milliseconds.

Does anyone have any ideas for a fix / workaround?

+6
java jboss ldap
4 answers

Looks like this error; have you tried checking the network traffic with a packet sniffer to confirm this condition?

+1

An old JDK 1.5 (jdk1.5.0_12) is being used.

I have the same problem with jdk1.5_16 using Tomcat 5.5. We have one thread waiting for an LDAP response, and it blocks all the other threads. I don't know about JBoss, but in Tomcat at least, all LDAP authentications are performed sequentially.

If you look at the decompiled code you pasted, after waiting 15 seconds you hit the label0 block, which is actually a loop. So it will loop until the LDAP response arrives (no timeout!).

I'm not sure which version it was fixed in, but in 1.5.0_22 the code is now:

    BerDecoder readReply(LdapRequest paramLdapRequest) throws IOException, NamingException {
        BerDecoder localBerDecoder;
        int i = 0;
        while (((localBerDecoder = paramLdapRequest.getReplyBer()) == null) && (i == 0)) {
            try {
                synchronized (this) {
                    if (this.sock == null) {
                        throw new ServiceUnavailableException(this.host + ":" + this.port + "; socket closed");
                    }
                }
                synchronized (paramLdapRequest) {
                    localBerDecoder = paramLdapRequest.getReplyBer();
                    if (localBerDecoder == null)
                        if (this.readTimeout > 0) {
                            paramLdapRequest.wait(this.readTimeout);
                            i = 1;
                        } else {
                            paramLdapRequest.wait(15000L);
                        }
                    else
                        break label163:
                }
            } catch (InterruptedException localInterruptedException) {
                throw new InterruptedNamingException("Interrupted during LDAP operation");
            }
        }

So, if you specify a timeout value, it will wait for that long and then exit the loop. This should unblock the authentication queue.

+1
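The answer above points at the fix without showing how to apply it from application code: the readTimeout field in the 1.5.0_22 loop is populated from the JNDI provider property com.sun.jndi.ldap.read.timeout, and the TCP connect phase has a sibling, com.sun.jndi.ldap.connect.timeout. Without them, a directory server that accepts the connection but never answers the bind pins the authentication thread indefinitely, and because (as noted above) authentications run sequentially, one stalled server turns into a denial of service for every login. The following is an added example, not code from the question or any of the answers; the LDAP URL, bind DN and password are placeholders, and the host is a TEST-NET-1 address, so the bind is expected to fail quickly rather than succeed.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Builds the JNDI environment for an LDAP simple bind twice: once the way most
 * applications do it (no timeouts, so readReply() re-waits forever) and once
 * with explicit connect/read deadlines so a stalled directory fails the request
 * instead of holding the authentication thread.
 */
public class LdapBindWithTimeouts {

    // Placeholder values for this example; substitute your own URL and bind DN.
    // 192.0.2.0/24 is reserved for documentation and is not routable.
    static final String LDAP_URL = "ldap://192.0.2.10:389";
    static final String BIND_DN  = "uid=example,ou=people,dc=example,dc=com";

    /** Environment as commonly written: correct, but with no deadline of any kind. */
    static Hashtable<String, String> envWithoutTimeouts(String user, String password) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /** Same environment plus the two provider properties that bound the wait. */
    static Hashtable<String, String> envWithTimeouts(String user, String password,
                                                     long connectMillis, long readMillis) {
        Hashtable<String, String> env = envWithoutTimeouts(user, password);
        // Deadline for the TCP connect; without it a black-holed server blocks in connect().
        env.put("com.sun.jndi.ldap.connect.timeout", Long.toString(connectMillis));
        // Deadline for the bind/search reply. This is what sets the readTimeout field
        // that the 1.5.0_22 readReply() loop checks, so the loop exits after one wait.
        env.put("com.sun.jndi.ldap.read.timeout", Long.toString(readMillis));
        return env;
    }

    /**
     * Performs the bind. Returns true on success and false on any NamingException
     * (CommunicationException on a timeout, AuthenticationException on bad
     * credentials); with timeouts set it cannot block longer than connect + read.
     */
    static boolean bind(Hashtable<String, String> env) {
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the constructor performs the LDAP bind
            return true;
        } catch (NamingException e) {
            System.err.println("bind failed: " + e);
            return false;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        long start = System.nanoTime();
        // 2 s to connect, 5 s for the reply: the thread is back in well under the old 15 s cycle.
        boolean ok = bind(envWithTimeouts(BIND_DN, "not-a-real-password", 2000L, 5000L));
        long elapsedMs = (System.nanoTime() - start) / 1000000L;
        System.out.println("bind ok=" + ok + " after " + elapsedMs + " ms");
    }
}
```

Run against the placeholder host, the program returns within roughly the connect timeout with a CommunicationException instead of hanging; swap in a real server and a wrong password to see the AuthenticationException path. The same two properties can be set on the JNDI realm or login module configuration in JBoss or Tomcat instead of in code. Pick the read timeout from the directory's measured latency (the 200 ms seen by the monitoring tool above leaves a wide margin at a few seconds), and watch for a rise in CommunicationException counts in the logs, since that is now the visible signature of a stalled directory server rather than a silently growing thread backlog.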

It looks to me as if it only waits when the reply is invalid; the question then is whether there is a version mismatch that prevents your application from parsing the reply from your server.

Have you tried attaching the source and seeing whether you can set a breakpoint in Eclipse?

-ACE

0

I saw something similar before when an LDAP client connected to an Active Directory box (on a network with more than one server). It turned out to be a DNS problem, and we just needed to clear our DNS cache ("ipconfig /flushdns" on the Windows box). This may or may not be your problem; I just thought it was worth a try.

0
