Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-28857

"Automatic" group lookup strategy is not so automatic

    XMLWordPrintable

Details

    Description

      com.sun.jndi.ldap.Connection.readReply() apparently times out after 15secs with an error like this:

      Caused by: javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms.; remaining name 'DC=example,DC=com'
          at com.sun.jndi.ldap.Connection.readReply(Unknown Source)
          at com.sun.jndi.ldap.LdapClient.getSearchReply(Unknown Source)
          at com.sun.jndi.ldap.LdapClient.search(Unknown Source)
          at com.sun.jndi.ldap.LdapCtx.doSearch(Unknown Source)
          at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
          at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
          at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
          at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
          at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:97)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.chainGroupLookup(ActiveDirectoryUnixAuthenticationProvider.java:469)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.resolveGroups(ActiveDirectoryUnixAuthenticationProvider.java:453)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:318)
          ... 44 more
      

      Note that the source code (or that of JDK7) doesn't explain why one would ever get this error message. if readTimeout<0, then waited shall never be true.

      But this is reported as JDK-8062947, and another person sees it too.

      The automatic mode should catch NamingException, check time out, and should fall back to the recursive lookup.

      Attachments

        Issue Links

          Activity

            Hey guys,

            Just stumbled across this page by chance. I've been trying to resolve this issue but with no luck so far. As frustrating as it is, the issue is intermittent and there doesn't appear to be a pattern (at least not that I know of). Would be of great help if you could please get someone on it and look into. Thanks.

            Karthik

            karthik_durairajan Karthik Durairajan added a comment - Hey guys, Just stumbled across this page by chance. I've been trying to resolve this issue but with no luck so far. As frustrating as it is, the issue is intermittent and there doesn't appear to be a pattern (at least not that I know of). Would be of great help if you could please get someone on it and look into. Thanks. Karthik
            fbelzunc Félix Belzunce Arcos added a comment - - edited

            The workaround for this issue is change the strategy.

            <groupLookupStrategy>AUTO</groupLookupStrategy>
            

            per:

            <groupLookupStrategy>RECURSIVE</groupLookupStrategy>
            
            fbelzunc Félix Belzunce Arcos added a comment - - edited The workaround for this issue is change the strategy. <groupLookupStrategy> AUTO </groupLookupStrategy> per: <groupLookupStrategy> RECURSIVE </groupLookupStrategy>

            The right solution looks to me to catch the exception and ensure that more than 15 seconds happened before pass to recursive. O maybe, even better, being able to set-up the timeout.

            fbelzunc Félix Belzunce Arcos added a comment - The right solution looks to me to catch the exception and ensure that more than 15 seconds happened before pass to recursive. O maybe, even better, being able to set-up the timeout. https://bugs.openjdk.java.net/browse/JDK-8062947 http://www.docjar.com/html/api/com/sun/jndi/ldap/Connection.java.html https://docs.oracle.com/javase/tutorial/jndi/newstuff/readtimeout.html

            Code changed in jenkins
            User: Felix Belzunce Arcos
            Path:
            src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
            http://jenkins-ci.org/commit/active-directory-plugin/0c908ff2aba57e2098916598ff03aef5f9b047aa
            Log:
            Merge pull request #20 from fbelzunc/JENKINS-28857

            [FIXED JENKINS-28857] Catch the case in which LDAP times out after some seconds

            Compare: https://github.com/jenkinsci/active-directory-plugin/compare/8ed46fc74b3f...0c908ff2aba5

            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Felix Belzunce Arcos Path: src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java http://jenkins-ci.org/commit/active-directory-plugin/0c908ff2aba57e2098916598ff03aef5f9b047aa Log: Merge pull request #20 from fbelzunc/ JENKINS-28857 [FIXED JENKINS-28857] Catch the case in which LDAP times out after some seconds Compare: https://github.com/jenkinsci/active-directory-plugin/compare/8ed46fc74b3f...0c908ff2aba5

            People

              fbelzunc Félix Belzunce Arcos
              kohsuke Kohsuke Kawaguchi
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: