Bug #71686 Web interface dies on failed LDAP login
Submitted: 12 Feb 2014 19:58 Modified: 14 Apr 2014 12:10
Reporter: Daniël van Eeden (OCA)
Status: Closed
Category:MySQL Enterprise Monitor: Web Severity:S2 (Serious)
Version:3.0.5, 3.0.6 OS:Any
Assigned to: CPU Architecture:Any
Tags: LDAP

[12 Feb 2014 19:58] Daniël van Eeden
Description:
I'm using LDAP over SSL to authenticate.

Normally com.mysql.security.com.mysql.etools.monitor.bo.LdapAuthenticator logs (TRACE):
 authenticate( "myuser", password )
 retrieving attribute cn
 bindAsUser( javax.naming.ldap.InitialLdapContext@6a2406ad[myProps={java.naming.provider.url=ldaps://myhost:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.ldap.version=3, java.naming.factory.url.pkgs=org.apache.naming, java.naming.security.protocol=ssl},defaultInitCtx=com.sun.jndi.ldap.LdapCtx@3538a870,gotDefault=true], com.mysql.etools.monitor.bo.LdapAuthenticator$LdapUser@48903012[commonName=<null>,dn=cn=myuser,ou=Users,o=company,password=<null>,roles=[],username=myuser], password )
 binding as cn=myuser,ou=Users,o=company
 LDAP Authentication Success for myuser
 addRoles(cn=myuser,ou=Users,o=company)
 authenticate( "myuser", password ) returns roles: <null>

But sometimes this happens:
20:30 authenticate( "myuser", password )
20:46 LDAP Failure

In the 15 minutes between those messages the web interface is not available. After the LDAP Failure the call is retried and everything seems to work as expected.

How to repeat:
Use LDAPS and wait for a connection (firewall?) timeout.
[13 Feb 2014 6:43] Daniël van Eeden
Set to S2 (Serious).
[16 Feb 2014 17:21] Daniël van Eeden
In the service manager graph "HTTP Server Service Times" there are spikes of 15 minutes and 30 seconds when this happens.
[16 Feb 2014 17:22] Daniël van Eeden
HTTP Server Service Times graph

Attachment: srvman_ldap_issue.png (image/png, text), 53.89 KiB.

[21 Feb 2014 10:25] Mark Leith
Verifying as described via some code inspection.

Additional info on the actual exception being raised:

javax.naming.ServiceUnavailableException: <ldap_server>:636; socket closed; remaining name 'cn=<user>,ou=Users,o=<company>'
at com.sun.jndi.ldap.Connection.readReply(Unknown Source)
[27 Feb 2014 9:56] Daniël van Eeden
add LDAP tag
[14 Apr 2014 12:10] Daniël van Eeden
From the 3.0.8 release notes:
----------------------------------------------
It is now possible to configure the LDAP connection timeout values. The following were added to the LDAP Authentication frame of the Global Settings page:

    Connect timeout: time elapsed without establishing a connection to the LDAP server. If a connection is not established within the defined number of seconds, an error is returned.

    Read timeout: time elapsed without a response to a request for data from the LDAP server. If no response is received within the defined number of seconds, an error is returned.

Note

If the value is set to 0, the timeout value defaults to the operating system's default value.

(Bug #18287809)
----------------------------------------------

This indeed improves the handling of read timeouts a lot :)
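The hang described in the report and the two timeouts described in the release notes map directly onto two JNDI environment properties, `com.sun.jndi.ldap.connect.timeout` and `com.sun.jndi.ldap.read.timeout`, both taken in milliseconds. The following is an added example, not code from MySQL Enterprise Monitor or from the reporter: it builds the same kind of `InitialLdapContext` that appears in the TRACE output above, but with both timeouts set, so a bind against a host that silently drops packets fails after seconds rather than blocking for the OS TCP timeout. The host, bind DN, password and timeout values are assumptions for illustration.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * Added example (not MySQL Enterprise Monitor code): an LDAPS simple bind
 * through JNDI with explicit connect and read timeouts. Host, DN, password
 * and timeout values are assumed for illustration.
 */
public class LdapsBindWithTimeouts {

    /**
     * Build the JNDI environment for an LDAPS bind. Timeouts are milliseconds.
     * Per the JNDI LDAP provider documentation, a connect timeout <= 0 falls
     * back to the TCP stack's own timeout, and a read timeout <= 0 waits for a
     * reply indefinitely; those fallbacks are what produced the ~15 minute
     * outage in the report.
     */
    static Hashtable<String, Object> env(String url, String bindDn, String password,
                                          int connectTimeoutMs, int readTimeoutMs) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);            // assumed: ldaps://myhost:636
        env.put(Context.SECURITY_PROTOCOL, "ssl");     // LDAP over TLS, as in the report
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Bound the TCP/TLS connect and the wait for each LDAP reply.
        env.put("com.sun.jndi.ldap.connect.timeout", Integer.toString(connectTimeoutMs));
        env.put("com.sun.jndi.ldap.read.timeout", Integer.toString(readTimeoutMs));
        return env;
    }

    /** Perform the bind and report the outcome instead of hanging the caller. */
    static String tryBind(Hashtable<String, Object> env) {
        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);   // the bind happens here
            return "bind ok";
        } catch (CommunicationException e) {
            // Connect timeout, TLS failure, or a socket closed by a middlebox.
            Throwable root = e.getRootCause();
            return "communication failure: " + e.getMessage()
                 + (root != null ? " (" + root + ")" : "");
        } catch (NamingException e) {
            // Covers the read timeout ("LDAP response read timed out") and the
            // ServiceUnavailableException quoted in the stack trace above.
            return "naming failure: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Assumed values: replace with the real LDAPS host and service DN.
        Hashtable<String, Object> env = env("ldaps://myhost:636",
                "cn=myuser,ou=Users,o=company", "secret",
                5_000,    // connect timeout: 5 s
                10_000);  // read timeout: 10 s
        System.out.println(tryBind(env));
    }
}
```

Note that the Global Settings page described in the release notes takes its values in seconds while the JNDI properties take milliseconds; whichever layer sets them, the read timeout is the one that bounds the `readReply` call shown in the stack trace, and the connect timeout is the one that bounds a firewall-dropped TCP handshake.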