Details
-
Improvement
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
1.2
Description
Depending of the LDAP server configuration, it fails to connect as the server doesn't allow the connection validation query.
It fails on
Caused by: java.util.NoSuchElementException: Could not create a validated object, cause: ValidateObject failed
at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1233)
at org.apache.directory.ldap.client.api.LdapConnectionPool.getConnection(LdapConnectionPool.java:56)
at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.connect(LdapIdentityProvider.java:532)
... 92 common frames omitted
Based on customer analyze of Oak code this is the reason it fails:
I think I have found a solution for the problem. While the system is initializing the connection it tries to validate the connection. This is the reason for the strange search request:
SearchRequest
baseDn : ''
filter : '(objectClass=*)'
scope : base objectBecause such kind of requests are not allowed in the client's ldap system the connection is being rejected (as invalid). It is configurable if the connection should be validated. The class org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider contains this code
if (config.getAdminPoolConfig().getMaxActive() != 0) {
adminPool = new LdapConnectionPool(adminConnectionFactory);
adminPool.setTestOnBorrow(true);
adminPool.setMaxActive(config.getAdminPoolConfig().getMaxActive());
adminPool.setWhenExhaustedAction(GenericObjectPool.WHEN_EXHAUSTED_BLOCK);
}A solution for our Problem would most probably be to change the connectionPool configuration adminPool.setTestOnBorrow(false);
This Parameter comes sadly not from the identity provider configuration.Is there a way to change this this parameter without creating an own implementation of the identity provider?