CMDBuild Forum

LDAP authentication timeouts

I'm migrating from CMDBuild 2.1.8 to 2.4.0.

LDAP authentication works well as long as the username is in LDAP. However, using a non-existing username causes the UI to wait forever, and in the log I can find the following error about a timeout:

javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DomainDnsZones.xxx.yyy:389 [Root exception is java.net.ConnectException: Connection timed out]]

It seems that in the source code there is env.put(Context.REFERRAL, "follow"); which may cause the trouble. However, the old production version didn't have the same problem.

How can I fix this timeout in 2.4.0?

Here are logs for comparison. Auth.conf is similar between these versions.

***************************************************************************************

NEW Test, CMDBuild 2.4.0, no SSL, Tomcat 7:
INFO  2016-04-07 15:38:05 [jsonrpc ] Calling url /login/login
DEBUG 2016-04-07 15:38:05 [jsonrpc ]     parameter "password": ***
DEBUG 2016-04-07 15:38:05 [jsonrpc ]     parameter "username": xyzzy
INFO  2016-04-07 15:38:05 [cmdbuild] trying to login user xyzzy with group null
DEBUG 2016-04-07 15:38:05 [auth    ] restoring defaults
DEBUG 2016-04-07 15:38:05 [auth    ] LDAP generated search query: (&(objectClass=*)(sAMAccountName=xyzzy))
WARN  2016-04-07 15:41:14 [auth    ] LDAP error
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DomainDnsZones.xxx.yyy:389 [Root exception is java.net.ConnectException: Connection timed out]]
        at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237)
        at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
        at org.cmdbuild.auth.LdapAuthenticator.getUser(LdapAuthenticator.java:91)
        at org.cmdbuild.auth.LdapAuthenticator.checkPassword(LdapAuthenticator.java:58)
        at org.cmdbuild.auth.DefaultAuthenticationService.authenticate(DefaultAuthenticationService.java:140)
        at org.cmdbuild.logic.auth.DefaultAuthenticationLogic.login(DefaultAuthenticationLogic.java:132)
        at org.cmdbuild.servlets.json.Login.login(Login.java:42)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.cmdbuild.servlets.JSONDispatcher.dispatch(JSONDispatcher.java:107)
        at org.cmdbuild.servlets.JSONDispatcher.doPost(JSONDispatcher.java:67)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.cmdbuild.filters.AuthFilter.doFilter(AuthFilter.java:158)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.cmdbuild.filters.PatchManagerFilter.doFilter(PatchManagerFilter.java:48)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.cmdbuild.filters.ConfCheckFilter.doFilter(ConfCheckFilter.java:31)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.cmdbuild.filters.TranslationFilter.doFilter(TranslationFilter.java:52)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

***************************************************************************************

OLD Production, CMDBuild 2.1.8, no SSL, Tomcat 6:
INFO  2016-04-07 12:42:08 [jsonrpc ] Calling url /login/login
DEBUG 2016-04-07 12:42:08 [jsonrpc ]     parameter "password": ***
DEBUG 2016-04-07 12:42:08 [jsonrpc ]     parameter "username": xyzzy
INFO  2016-04-07 12:42:08 [cmdbuild] trying to login user xyzzy with group null
WARN  2016-04-07 12:42:08 [auth    ] cannot authenticate user 'xyzzy' on LDAP
ERROR 2016-04-07 12:42:08 [cmdbuild] Login failed
DEBUG 2016-04-07 12:42:08 [jsonrpc ] Uncaught exception calling method class org.cmdbuild.servlets.json.Login.login
org.cmdbuild.exception.AuthException: AUTH_LOGIN_WRONG
        at org.cmdbuild.exception.AuthException$AuthExceptionType.createException(AuthException.java:24)
        at org.cmdbuild.logic.auth.DefaultAuthenticationLogic.login(DefaultAuthenticationLogic.java:159)
        at sun.reflect.GeneratedMethodAccessor263.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:622)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:196)
        at com.sun.proxy.$Proxy11.login(Unknown Source)
        at org.cmdbuild.servlets.json.Login.login(Login.java:37)
        at sun.reflect.GeneratedMethodAccessor351.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:622)
        at org.cmdbuild.servlets.JSONDispatcher.dispatch(JSONDispatcher.java:97)
        at org.cmdbuild.servlets.JSONDispatcher.doPost(JSONDispatcher.java:57)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.cmdbuild.filters.AuthFilter.doFilter(AuthFilter.java:144)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.cmdbuild.filters.PatchManagerFilter.doFilter(PatchManagerFilter.java:33)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.cmdbuild.filters.ConfCheckFilter.doFilter(ConfCheckFilter.java:31)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.cmdbuild.filters.TranslationFilter.doFilter(TranslationFilter.java:39)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)

 

In the next minor release (2.4.1) you will be able to launch the application specifying two parameters that should help you:
 
-Dcom.sun.jndi.ldap.connect.timeout=...
-Dcom.sun.jndi.ldap.read.timeout=...
 
with a value expressed in milliseconds.
 
Best regards.
 
-- CMDBuild Team
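
The two properties named in the reply, applied to a JNDI lookup that uses the same search filter and referral setting as the thread; this is an added example, not CMDBuild's own code. The class and method names, the 5000 ms defaults, the LDAP_BIND_PASSWORD variable and the choice to treat an unfollowable referral as "user not found" are assumptions.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class BoundedLdapLookup {

    // JNDI environment with bounded socket operations. The two timeout keys are
    // the ones named in the reply; the 5000 ms defaults are assumptions.
    static Hashtable<String, String> boundedEnv(String url, String bindDn, String bindPassword) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        env.put(Context.REFERRAL, "follow"); // the setting quoted in the question
        env.put("com.sun.jndi.ldap.connect.timeout",
                System.getProperty("com.sun.jndi.ldap.connect.timeout", "5000"));
        env.put("com.sun.jndi.ldap.read.timeout",
                System.getProperty("com.sun.jndi.ldap.read.timeout", "5000"));
        return env;
    }

    // Returns the user's DN, or null when no entry is found.
    static String findUserDn(Hashtable<String, String> env, String baseDn, String username)
            throws NamingException {
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // {0} is substituted by JNDI with filter escaping applied to the username.
            NamingEnumeration<SearchResult> results = ctx.search(
                    baseDn, "(&(objectClass=*)(sAMAccountName={0}))", new Object[] {username}, controls);
            try {
                return results.hasMore() ? results.next().getNameInNamespace() : null;
            } catch (PartialResultException e) {
                // A referral could not be followed (the exception in the 2.4.0 log).
                // Treating that as "not found" is this example's choice.
                return null;
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Arguments: LDAP URL, bind DN, base DN, username; password from the environment.
        Hashtable<String, String> env = boundedEnv(args[0], args[1], System.getenv("LDAP_BIND_PASSWORD"));
        System.out.println(findUserDn(env, args[2], args[3]));
    }
}
```

With the timeouts set, a lookup for an unknown username returns after a bounded wait instead of holding the login request for the three minutes seen between the 15:38:05 and 15:41:14 log lines.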
 

 

 

Good day Buzzy,

 

We are also trying to get AD/LDAP integration to work on our openmaint system. Do you mind posting your auth.conf configurations so that we can compare? Of course, remove sensitive info.

 

Thanks,