[Bug 63550] LDAP non standard port leads to JNDIRealm erratic behaviour

bugzilla Sun, 07 Jul 2019 11:29:59 -0700

https://bz.apache.org/bugzilla/show_bug.cgi?id=63550


--- Comment #5 from Eugène Adell <eugene.ad...@gmail.com> ---
(In reply to Michael Osipov from comment #4)
> That's the wrong spot, you need to look here:
> https://docs.oracle.com/javase/7/docs/technotes/guides/jndi/jndi-ldap-gl.
> html#url

Thank you Michael, that doc is interesting.
In fact you're suggesting that alternateURL is redundant with the built-in
failover mechanism of JNDI LDAP (correct me if I'm wrong, as you didn't say
that explicitely).

I then made some tests to check the behaviour.
With the built-in failover (for example connectionURL="ldap://X.X.X.X:1389
ldap://X.X.X.X:2389";), I still get the very same problem when the first LDAP is
up and I introduce handshake failures. It doesn't switch to the 2nd server,
instead it is trying on localhost:389. Here's the capture :

20:02:20.775274 IP X.X.X.X.38685 > X.X.X.X.1389: Flags [S], seq 2174431655, win
43690, options [mss 65495,sackOK,TS val 2699014618 ecr 0,nop,wscale 7], length
0
20:02:20.775327 IP X.X.X.X.1389 > X.X.X.X.38685: Flags [S.], seq 989781603, ack
2174431656, win 43690, options [mss 65495,sackOK,TS val 2699014619 ecr
2699014618,nop,wscale 7], length 0
20:02:20.775364 IP X.X.X.X.38685 > X.X.X.X.1389: Flags [.], ack 1, win 342,
options [nop,nop,TS val 2699014619 ecr 2699014619], length 0
20:02:20.776028 IP X.X.X.X.38685 > X.X.X.X.1389: Flags [P.], seq 1:61, ack 1,
win 342, options [nop,nop,TS val 2699014619 ecr 2699014619], length 60
20:02:20.776095 IP X.X.X.X.1389 > X.X.X.X.38685: Flags [.], ack 61, win 342,
options [nop,nop,TS val 2699014619 ecr 2699014619], length 0
20:02:20.776590 IP X.X.X.X.1389 > X.X.X.X.38685: Flags [P.], seq 1:15, ack 61,
win 342, options [nop,nop,TS val 2699014620 ecr 2699014619], length 14
20:02:20.776630 IP X.X.X.X.38685 > X.X.X.X.1389: Flags [.], ack 15, win 342,
options [nop,nop,TS val 2699014620 ecr 2699014620], length 0
20:02:20.787654 IP X.X.X.X.38685 > X.X.X.X.1389: Flags [P.], seq 61:233, ack
15, win 342, options [nop,nop,TS val 2699014631 ecr 2699014620], length 172
20:02:20.788704 IP X.X.X.X.1389 > X.X.X.X.38685: Flags [P.], seq 15:1010, ack
233, win 350, options [nop,nop,TS val 2699014632 ecr 2699014631], length 995
20:02:20.827471 IP X.X.X.X.38685 > X.X.X.X.1389: Flags [P.], seq 233:240, ack
1010, win 357, options [nop,nop,TS val 2699014671 ecr 2699014632], length 7
20:02:20.828574 IP X.X.X.X.38685 > X.X.X.X.1389: Flags [F.], seq 240, ack 1010,
win 357, options [nop,nop,TS val 2699014672 ecr 2699014632], length 0
20:02:20.829042 IP X.X.X.X.1389 > X.X.X.X.38685: Flags [F.], seq 1010, ack 241,
win 350, options [nop,nop,TS val 2699014672 ecr 2699014671], length 0
20:02:20.829076 IP X.X.X.X.38685 > X.X.X.X.1389: Flags [.], ack 1011, win 357,
options [nop,nop,TS val 2699014672 ecr 2699014672], length 0
20:02:20.833809 IP 127.0.0.1.29197 > 127.0.0.1.389: Flags [S], seq 2615831214,
win 43690, options [mss 65495,sackOK,TS val 2699014677 ecr 0,nop,wscale 7],
length 0
20:02:20.833857 IP 127.0.0.1.389 > 127.0.0.1.29197: Flags [R.], seq 0, ack
2615831215, win 0, length 0

When using the alternateURL, it's working well. The capture shows traffic on
the first port (the one with the handshake failure), then the second :

20:12:52.426094 IP X.X.X.X.38947 > X.X.X.X.1389: Flags [S], seq 1912007028, win
43690, options [mss 65495,sackOK,TS val 2699646269 ecr 0,nop,wscale 7], length
0
20:12:52.426144 IP X.X.X.X.1389 > X.X.X.X.38947: Flags [S.], seq 38313939, ack
1912007029, win 43690, options [mss 65495,sackOK,TS val 2699646269 ecr
2699646269,nop,wscale 7], length 0
20:12:52.426179 IP X.X.X.X.38947 > X.X.X.X.1389: Flags [.], ack 1, win 342,
options [nop,nop,TS val 2699646269 ecr 2699646269], length 0
20:12:52.433394 IP X.X.X.X.38947 > X.X.X.X.1389: Flags [P.], seq 1:61, ack 1,
win 342, options [nop,nop,TS val 2699646277 ecr 2699646269], length 60
20:12:52.433457 IP X.X.X.X.1389 > X.X.X.X.38947: Flags [.], ack 61, win 342,
options [nop,nop,TS val 2699646277 ecr 2699646277], length 0
20:12:52.433743 IP X.X.X.X.1389 > X.X.X.X.38947: Flags [P.], seq 1:15, ack 61,
win 342, options [nop,nop,TS val 2699646277 ecr 2699646277], length 14
20:12:52.433856 IP X.X.X.X.38947 > X.X.X.X.1389: Flags [.], ack 15, win 342,
options [nop,nop,TS val 2699646277 ecr 2699646277], length 0
20:12:52.682783 IP X.X.X.X.38947 > X.X.X.X.1389: Flags [P.], seq 61:233, ack
15, win 342, options [nop,nop,TS val 2699646526 ecr 2699646277], length 172
20:12:52.683356 IP X.X.X.X.1389 > X.X.X.X.38947: Flags [P.], seq 15:1010, ack
233, win 350, options [nop,nop,TS val 2699646527 ecr 2699646526], length 995
20:12:52.683394 IP X.X.X.X.38947 > X.X.X.X.1389: Flags [.], ack 1010, win 357,
options [nop,nop,TS val 2699646527 ecr 2699646527], length 0
20:12:52.756065 IP X.X.X.X.38947 > X.X.X.X.1389: Flags [P.], seq 233:240, ack
1010, win 357, options [nop,nop,TS val 2699646599 ecr 2699646527], length 7
20:12:52.756677 IP X.X.X.X.1389 > X.X.X.X.38947: Flags [F.], seq 1010, ack 240,
win 350, options [nop,nop,TS val 2699646600 ecr 2699646599], length 0
20:12:52.757877 IP X.X.X.X.38947 > X.X.X.X.1389: Flags [F.], seq 240, ack 1011,
win 357, options [nop,nop,TS val 2699646601 ecr 2699646600], length 0
20:12:52.757907 IP X.X.X.X.1389 > X.X.X.X.38947: Flags [.], ack 241, win 350,
options [nop,nop,TS val 2699646601 ecr 2699646601], length 0
20:12:52.765130 IP X.X.X.X.18452 > X.X.X.X.2389: Flags [S], seq 2345339635, win
43690, options [mss 65495,sackOK,TS val 2699646608 ecr 0,nop,wscale 7], length
0
20:12:52.765169 IP X.X.X.X.2389 > X.X.X.X.18452: Flags [S.], seq 2395971082,
ack 2345339636, win 43690, options [mss 65495,sackOK,TS val 2699646608 ecr
2699646608,nop,wscale 7], length 0
20:12:52.765278 IP X.X.X.X.18452 > X.X.X.X.2389: Flags [.], ack 1, win 342,
options [nop,nop,TS val 2699646609 ecr 2699646608], length 0
20:12:52.766062 IP X.X.X.X.18452 > X.X.X.X.2389: Flags [P.], seq 1:61, ack 1,
win 342, options [nop,nop,TS val 2699646609 ecr 2699646608], length 60
20:12:52.766121 IP X.X.X.X.2389 > X.X.X.X.18452: Flags [.], ack 61, win 342,
options [nop,nop,TS val 2699646609 ecr 2699646609], length 0
20:12:52.766492 IP X.X.X.X.2389 > X.X.X.X.18452: Flags [P.], seq 1:15, ack 61,
win 342, options [nop,nop,TS val 2699646610 ecr 2699646609], length 14
20:12:52.766577 IP X.X.X.X.18452 > X.X.X.X.2389: Flags [.], ack 15, win 342,
options [nop,nop,TS val 2699646610 ecr 2699646610], length 0
20:12:52.781002 IP X.X.X.X.18452 > X.X.X.X.2389: Flags [P.], seq 61:233, ack
15, win 342, options [nop,nop,TS val 2699646624 ecr 2699646610], length 172
20:12:52.781815 IP X.X.X.X.2389 > X.X.X.X.18452: Flags [P.], seq 15:1018, ack
233, win 350, options [nop,nop,TS val 2699646625 ecr 2699646624], length 1003
20:12:52.821367 IP X.X.X.X.18452 > X.X.X.X.2389: Flags [.], ack 1018, win 357,
options [nop,nop,TS val 2699646665 ecr 2699646625], length 0
20:12:52.948434 IP X.X.X.X.18452 > X.X.X.X.2389: Flags [P.], seq 233:500, ack
1018, win 357, options [nop,nop,TS val 2699646792 ecr 2699646625], length 267
20:12:52.988266 IP X.X.X.X.2389 > X.X.X.X.18452: Flags [.], ack 500, win 359,
options [nop,nop,TS val 2699646832 ecr 2699646792], length 0
20:12:52.988316 IP X.X.X.X.18452 > X.X.X.X.2389: Flags [P.], seq 500:506, ack
1018, win 357, options [nop,nop,TS val 2699646832 ecr 2699646832], length 6
20:12:52.988333 IP X.X.X.X.2389 > X.X.X.X.18452: Flags [.], ack 506, win 359,
options [nop,nop,TS val 2699646832 ecr 2699646832], length 0
20:12:53.024034 IP X.X.X.X.18452 > X.X.X.X.2389: Flags [P.], seq 506:591, ack
1018, win 357, options [nop,nop,TS val 2699646867 ecr 2699646832], length 85
20:12:53.024100 IP X.X.X.X.2389 > X.X.X.X.18452: Flags [.], ack 591, win 359,
options [nop,nop,TS val 2699646867 ecr 2699646867], length 0
20:12:53.024535 IP X.X.X.X.2389 > X.X.X.X.18452: Flags [P.], seq 1018:1109, ack
591, win 359, options [nop,nop,TS val 2699646868 ecr 2699646867], length 91
20:12:53.024565 IP X.X.X.X.18452 > X.X.X.X.2389: Flags [.], ack 1109, win 357,
options [nop,nop,TS val 2699646868 ecr 2699646868], length 0

>From all this, I'm still thinking the same, I mean that Tomcat shouldn't try to
connect on localhost:389 if it's not explicitely asked to (and this is the idea
behind connectionURL + alternateURL), instead of that it should try to
reconnect to the only server configured. One comment in the code says the same
from my understanding :

            // reset it in case the connection times out.
            // the primary may come back.

If I'm correct, maybe the documentation should mention alternateURL is the
preferred way for resiliency instead of relying on the built-in method.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 63550] LDAP non standard port leads to JNDIRealm erratic behaviour

Reply via email to