Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Subject source LDAP timeouts

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Subject source LDAP timeouts

Chronological Thread 
  • From: Julio Polo <>
  • To: "Wessel, Keith" <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] Subject source LDAP timeouts
  • Date: Wed, 7 Dec 2016 15:13:28 -1000
  • Ironport-phdr: 9a23:g9F9shGfMU0Dnz9XK1MOtJ1GYnF86YWxBRYc798ds5kLTJ7zpMSwAkXT6L1XgUPTWs2DsrQf2rGQ7vurADNIyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSijewZb1/IA+2oAjfucUanIlvIbstxxXUpXdFZ/5Yzn5yK1KJmBb86Maw/Jp9/ClVpvks6c1OX7jkcqohVbBXAygoPG4z5M3wqBnMVhCP6WcGUmUXiRVHHQ7I5wznU5jrsyv6su192DSGPcDzULs5Vyiu47ttRRT1kyoMKSI3/3/LhcxxlKJboQyupxpjw47PfYqZMONycr7Bcd8GQGZMWNtaWS5cDYOmd4YADeQBM+ZWoYf+ulUAswexCBK2C+/z0DJFnGP60bE43uknDArI3BYgH9ULsHnMqNv1KaMSUeGyzKLV1zvDaPdW2TDg44XPcBAhvPWMXbN3ccfKyUkgDQ3EgU+RqYzkJT+ayPkCs3WC4udmSOmhhWknqwRrrTiuwMchkpXJhoIPyl/a7yp23Zw5JcelSE59Z9OvDZhetzmCOodoQ84uX2NltSM0yrAFopG3YC0HxZs7yxLDdvCKdpSH7g7iWeuUJDp0mnxodK+5ih2v60av0Pf8WdOx0FtSripKjN3MtncV2hzW8MeHS/998l6g2TaIywzf8+5FLV46mKbGMZIhzbkwlp0csUTHACD6gln5jKiTdkk8++io7froYqn+q5OCNoJ4lgPzP6EgmsG8Gus0Lg0DUmeH9eigybHu+FH2TKlLg/Azl6TVrp7XKdkDqq68GQBV04Ij6xilDzeh1dQVhXsHLE9BeBKGiIjkIFHOL+r2DPilglSskS1nyO7bMb38GpnNNGTMkK/9fbZh7E5R0AUzzcpY55JJErEOPujzVlbstNzDEBA5KRe0zv3jCNV8zYMeRXmPDrGDPKPTt1+I+vwgI/OKZIALpDbxNeIp6ODzgn8kyhchevzj4pYMc328WrxFLkSFYTCk1tQeHHwRsw4WTejuiVuFUCUVanqvCfES/DY+XaC7CYbEDriqhLvJiCWmGpxRTmBPFVmNEDHle5jSCKREUz6bPsI0ym9MbrOmUYJ0kEj27AI=

I would disable idle timeouts in the load balancer and the LDAP server.   It's OK to have timeouts for LDAP queries in both ends, client and server.   If there is no way to turn off the load balancer's idle timeout, can you configure it to 24 hours and ensure that you query a Grouper LDAP subject at least once a day?  Adjust the intervals accordingly to the maximum idle timeout value for your appliance.

I'm not familiar with Grouper's LDAP connection pool validation, but anything that can help remove a zombie connection before it's used can only help.   The validation would have to be a high-level validation, ie make a subject query that returns something without timing out.


On Wed, Dec 7, 2016 at 5:13 AM, Wessel, Keith <> wrote:

Thanks, Julio. We do, in fact, have a load balancer in the mix, too. If I’m going to tweak idle timeouts on the LDAP server or load balancer, what should my max idle timeout be? I assume shorter than the pool expiration time – is that 10 minutes by default?


Similarly, is pool validation something that would help solve this problem? I don’t believe we’ve configured it, and I would assume it’s not configured by default since the validation check is specific to our environment.






From: Julio Polo [mailto:]
Sent: Tuesday, December 06, 2016 6:50 PM
To: Wessel, Keith <>
Subject: Re: [grouper-users] Subject source LDAP timeouts


If the logs for your LDAP server don't reveal anything related to this timeout, check if there's a firewall or load balancer between Grouper and the network interface associated with the LDAP fqdn you configured Grouper with.

When it comes to persistent connections, we've experienced weird things when such network appliances and idle timeouts are involved.   The connection will appear to be fine from the client side, but there is nothing passing through these appliances onto the server.   Grouper's LDAP connection pooling wouldn't see anything wrong with the connection, but the client request isn't making it through the firewall or load balancer.   You can try tweaking the idle settings on these appliances (we've only had partial success) or you could specify an address that bypasses those appliances (but you'd lose the load balancing and every other benefit that comes with those appliances).



Julio Polo
Enterprise Middleware, Identity and Access Management
Information Technology Services
University of Hawaii

On Tue, Dec 6, 2016 at 9:53 AM, Wessel, Keith <> wrote:


We've been seeing LDAP connection read timeout exceptions in our Grouper dev and text environments. (We don't have production running quite yet.) They're somewhat random in terms of when they happen, but sometimes we see them if someone leaves a Grouper UI session idle in their browser for more than a half hour (give or take). Other times, they happen when an environment hasn't been accessed in a while.

I'm blaming connecton pooling, but I'm unclear why a stale connection from the pool would cause this to happen. After all, if our LDAP server closed an idle connection, wouldn't' the pool just create a new one? And is the pool really handing out stale connections?

The LDAP server, for what it's worth, as an IBM Security Systems Directory Server.

Any advice would be appreciated. The Java stack trace is below.


2016-12-06 13:00:51,534: [TP-Processor3] ERROR GrouperUiFilter.doFilter(1030) -  - UI error
edu.internet2.middleware.subject.SourceUnavailableException: Ldap NamingException: LDAP response read timed out, timeout used:2000ms.,
Cant find subject from login id: ecc
        at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getLdapResultsHelper(
        at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getLdapResults(
        at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getLdapUnique(
        at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getSubject(
        at edu.internet2.middleware.subject.provider.BaseSourceAdapter.getSubjectByIdOrIdentifier(
        at edu.internet2.middleware.grouper.subj.SourcesXmlResolver$4.callLogic(
        at edu.internet2.middleware.grouper.subj.SourcesXmlResolver$4.callLogic(
        at edu.internet2.middleware.grouper.subj.SourcesXmlResolver$
        at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.executeCallables(
        at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.findByIdOrIdentifier(
        at edu.internet2.middleware.grouper.subj.CachingResolver.findByIdOrIdentifier(
        at edu.internet2.middleware.grouper.subj.ValidatingResolver.findByIdOrIdentifier(
        at edu.internet2.middleware.grouper.SubjectFinder.findByIdOrIdentifier(
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.retrieveSubjectLoggedInHelper(
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.retrieveSubjectLoggedIn(
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(
        at org.apache.catalina.core.StandardWrapperValve.invoke(
        at org.apache.catalina.core.StandardContextValve.invoke(
        at org.apache.catalina.core.StandardHostValve.invoke(
        at org.apache.catalina.valves.ErrorReportValve.invoke(
        at org.apache.catalina.core.StandardEngineValve.invoke(
        at org.apache.catalina.connector.CoyoteAdapter.service(
        at org.apache.jk.server.JkCoyoteHandler.invoke(
        at org.apache.jk.common.HandlerRequest.invoke(
        at org.apache.jk.common.ChannelSocket.invoke(
        at org.apache.jk.common.ChannelSocket.processConnection(
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(
        at org.apache.tomcat.util.threads.ThreadPool$
Caused by: javax.naming.NamingException: LDAP response read timed out, timeout used:2000ms.; remaining name 'ou=people,dc=uiuc,dc=edu'
        at com.sun.jndi.ldap.Connection.readReply(
        at com.sun.jndi.ldap.LdapClient.getSearchReply(
        at com.sun.jndi.ldap.LdapCtx.doSearch(
        at com.sun.jndi.ldap.LdapCtx.searchAux(
        at com.sun.jndi.ldap.LdapCtx.c_search(
        at com.sun.jndi.ldap.LdapCtx.c_search(
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(
        at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getLdapResultsHelper(
        ... 30 more


Archive powered by MHonArc 2.6.19.

Top of Page