LDAP security domain causes degraded performance on EAP 7/8
Environment
- JBoss Enterprise Application Platform (EAP)
- 7.x
- 8.x
Issue
- On EAP 7/8, we are seeing degraded performance, with threads frequently waiting for LDAP responses:
at java.lang.Object.wait(J)V (Native Method)
at java.lang.Object.wait()V (Object.java:502)
at com.sun.jndi.ldap.Connection.readReply(Lcom/sun/jndi/ldap/LdapRequest;)Lcom/sun/jndi/ldap/BerDecoder; (Connection.java:476)
at com.sun.jndi.ldap.LdapClient.getSearchReply(Lcom/sun/jndi/ldap/LdapRequest;ILcom/sun/jndi/ldap/LdapResult;Ljava/util/Hashtable;)Lcom/sun/jndi/ldap/LdapResult; (LdapClient.java:638)
at com.sun.jndi.ldap.LdapClient.search(Ljava/lang/String;IIIIZ[Ljava/lang/String;Ljava/lang/String;I[Ljavax/naming/ldap/Control;Ljava/util/Hashtable;ZI)Lcom/sun/jndi/ldap/LdapResult; (LdapClient.java:561)
at com.sun.jndi.ldap.LdapCtx.doSearch(Ljavax/naming/Name;Ljava/lang/String;Ljavax/naming/directory/SearchControls;ZZ)Lcom/sun/jndi/ldap/LdapResult; (LdapCtx.java:1985)
at com.sun.jndi.ldap.LdapCtx.doSearchOnce(Ljavax/naming/Name;Ljava/lang/String;Ljavax/naming/directory/SearchControls;Z)Lcom/sun/jndi/ldap/LdapResult; (LdapCtx.java:1933)
at com.sun.jndi.ldap.LdapCtx.c_getAttributes(Ljavax/naming/Name;[Ljava/lang/String;Lcom/sun/jndi/toolkit/ctx/Continuation;)Ljavax/naming/directory/Attributes; (LdapCtx.java:1325)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(Ljavax/naming/Name;[Ljava/lang/String;Lcom/sun/jndi/toolkit/ctx/Continuation;)Ljavax/naming/directory/Attributes; (ComponentDirContext.java:235)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(Ljavax/naming/Name;[Ljava/lang/String;)Ljavax/naming/directory/Attributes; (PartialCompositeDirContext.java:141)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(Ljava/lang/String;[Ljava/lang/String;)Ljavax/naming/directory/Attributes; (PartialCompositeDirContext.java:129)
at javax.naming.directory.InitialDirContext.getAttributes(Ljava/lang/String;[Ljava/lang/String;)Ljavax/naming/directory/Attributes; (InitialDirContext.java:142)
at javax.naming.directory.InitialDirContext.getAttributes(Ljava/lang/String;[Ljava/lang/String;)Ljavax/naming/directory/Attributes; (InitialDirContext.java:142)
at org.jboss.security.auth.spi.LdapExtLoginModule.rolesSearch(Ljavax/naming/ldap/LdapContext;Ljavax/naming/directory/SearchControls;Ljava/lang/String;Ljava/lang/String;II)V (LdapExtLoginModule.java:722)
at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(Ljava/lang/String;Ljava/lang/Object;)Z (LdapExtLoginModule.java:479)
at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(Ljava/lang/String;Ljava/lang/String;)Z (LdapExtLoginModule.java:343)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login()Z (UsernamePasswordLoginModule.java:283)
Resolution
- When using the legacy security subsystem on EAP 7, enable the default cache-type on your LDAP security-domain:
<security-domain name="YourLdapConfig" cache-type="default">
- When using Elytron on EAP 7/8, set up a caching-realm.
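A sketch of the Elytron option, added here as an example and not taken from the original article or from Red Hat's configuration: the security domain is pointed at a caching-realm that wraps the LDAP realm, so repeated authentications are served from the cache. All realm, domain, dir-context and role-decoder names, the DNs, and the cache size and age are assumptions; cached identities can lag behind changes made in LDAP until the entry ages out, so the maximum age should stay as short as the load allows.

```xml
<!-- Added example. Every name, DN and cache value below is an assumption. -->
<!-- Fragment of the elytron subsystem; unrelated elements and attributes omitted. -->

<security-domains>
    <!-- Before: the domain used the LDAP realm directly, i.e.
         default-realm="exampleLdapRealm" and <realm name="exampleLdapRealm" .../>,
         so each login queried the directory. -->
    <!-- After: the domain resolves identities through the caching realm. -->
    <security-domain name="exampleDomain"
                     default-realm="exampleCachingRealm"
                     permission-mapper="default-permission-mapper">
        <!-- exampleRoleDecoder is assumed to be defined under <mappers>. -->
        <realm name="exampleCachingRealm" role-decoder="exampleRoleDecoder"/>
    </security-domain>
</security-domains>

<security-realms>
    <!-- The existing LDAP realm stays as it is. -->
    <ldap-realm name="exampleLdapRealm" dir-context="exampleDirContext">
        <identity-mapping rdn-identifier="uid"
                          search-base-dn="ou=People,dc=example,dc=com">
            <attribute-mapping>
                <attribute from="cn" to="Roles"
                           filter="(member={1})"
                           filter-base-dn="ou=Roles,dc=example,dc=com"/>
            </attribute-mapping>
        </identity-mapping>
    </ldap-realm>

    <!-- caching-realm wraps the LDAP realm.
         maximum-entries: number of identities kept in the cache.
         maximum-age: lifetime of an entry in milliseconds (300000 = 5 minutes);
         a value of -1 keeps entries indefinitely, which means a disabled or
         changed LDAP account would keep authenticating from the cache. -->
    <caching-realm name="exampleCachingRealm"
                   realm="exampleLdapRealm"
                   maximum-entries="1024"
                   maximum-age="300000"/>
</security-realms>
```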
Root Cause
- No JAAS cache is set on the security-domain, so every authentication repeats the LDAP calls.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.