Uploaded image for project: 'Jackrabbit Oak'
  1. Jackrabbit Oak
  2. OAK-2783

Make LDAP connection pool 'testOnBorrow' configurable

    XMLWordPrintableJSON

    Details

      Description

      Depending of the LDAP server configuration, it fails to connect as the server doesn't allow the connection validation query.

      It fails on

      Caused by: java.util.NoSuchElementException: Could not create a validated object, cause: ValidateObject failed
      at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1233)
      at org.apache.directory.ldap.client.api.LdapConnectionPool.getConnection(LdapConnectionPool.java:56)
      at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.connect(LdapIdentityProvider.java:532)
      ... 92 common frames omitted

      Based on customer analyze of Oak code this is the reason it fails:

      I think I have found a solution for the problem. While the system is initializing the connection it tries to validate the connection. This is the reason for the strange search request:

      SearchRequest
      baseDn : ''
      filter : '(objectClass=*)'
      scope : base object

      Because such kind of requests are not allowed in the client's ldap system the connection is being rejected (as invalid). It is configurable if the connection should be validated. The class org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider contains this code

      if (config.getAdminPoolConfig().getMaxActive() != 0) {
      adminPool = new LdapConnectionPool(adminConnectionFactory);
      adminPool.setTestOnBorrow(true);
      adminPool.setMaxActive(config.getAdminPoolConfig().getMaxActive());
      adminPool.setWhenExhaustedAction(GenericObjectPool.WHEN_EXHAUSTED_BLOCK);
      }

      A solution for our Problem would most probably be to change the connectionPool configuration adminPool.setTestOnBorrow(false);
      This Parameter comes sadly not from the identity provider configuration.

      Is there a way to change this this parameter without creating an own implementation of the identity provider?

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                tripod Tobias Bocanegra
                Reporter:
                tripod Tobias Bocanegra
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: