Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.5.0
    • Fix Version/s: 2.7.0
    • Component/s: ambari-server
    • Environment:

      java version "1.8.0_121"
      Java(TM) SE Runtime Environment (build 1.8.0_121-tdc1-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)

      AD Domain Controllers
      LDAP v.3
      2012 R2 OS

    • Flags:
      Patch

      Description

      Ambari server configured to use "secure" ldap authentication.
      authentication.ldap.primaryUrl=********:636
      authentication.ldap.useSSL=true

      We call the ldap_sync_events REST endpoint frequently to synchronize existing groups and a specific list groups. We had no issues with this until mid-October at which point we began to see:

          "status" : "ERROR",
          "status_detail" : "Caught exception running LDAP sync. simple bind failed: **********:636; nested exception is javax.naming.CommunicationException: simple bind failed: **********:636 [Root exception is java.net.SocketException: Connection reset]",
      

      Troubleshooting:

      • We saw random success and failure when attempting to sync a single group.
      • With useSSL=false and an updated port ldap sync was consistently successful.

      Cause:

      • By default, ldap connection only uses pooled connections when connecting to a directory server over LDAP. Enabling SSL causes it to disable the pooling, resulting in poorer performance and failures due to connection resets.
      • Around mid-October we increased the number of groups defined on the system (50+), this pushed us outside the "safe zone".

      Fix:
      Enable the SSL connections pooling by adding the below argument to startup options.
      -Dcom.sun.jndi.ldap.connect.pool.protocol='plain ssl'

      Reference:
      https://confluence.atlassian.com/jirakb/connecting-jira-to-active-directory-over-ldaps-fails-with-connection-reset-763004137.htm
      https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html

        Attachments

        1. ambari-22642.patch
          1 kB
          David F. Quiroga

          Activity

            People

            • Assignee:
              quirogadf David F. Quiroga
              Reporter:
              quirogadf David F. Quiroga
            • Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - 24h
                24h
                Remaining:
                Time Spent - 3h 10m Remaining Estimate - 20h 50m
                20h 50m
                Logged:
                Time Spent - 3h 10m Remaining Estimate - 20h 50m
                3h 10m