Grouper Users - Open Discussion List

[Robert Bradley <>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 28/04/2020 02:27, Baron Fujimoto wrote:
> We're running Grouper 2.2.2 with LDAP (389DS) as a subject source.
> We were previously using Java 1.0.8_212 successfully. However, I
> recently upgraded the instance to use the current version of Java
> (251), and after doing so noticed that while it initially appears
> to work as expected, the LDAP connections eventually begin to time
> out with the following error:
>
> javax.naming.NamingException: LDAP response read timed out,
> timeout used:-1ms
>
> The timeouts start to occur after ~20 minutes. Netstat shows no
> open connections to our LDAP at that point.
>
> The grouper host is actually a node in a cluster behind a load
> balancer, but our lb admins can't find any relevant ~20 minute
> timeout value there.
>
> I've empirically determined that this appears to happen with a
> version of Java 8 higher than 221 (i.e. 231, 241, 251). I dodn't
> see anything in the JDK release notes for 231 that appear to be
> relevant.
> <https://www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.ht
ml>
>
>
One thought is that it could be a similar JNDI bug to that described
in https://wiki.shibboleth.net/confluence/display/IDP30/LDAPonJava%3E8
and https://issues.shibboleth.net/jira/browse/IDP-1441.  The problem
with that is that the fix probably involves upgrading Grouper to get
the ldaptive library instead of vt-ldap, and then configuring it to
use the UnboundID library instead of JNDI.  I doubt that's a practical
option in the short term unless vt-ldap has a similar setting you can tr
y.

- -- 
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEgF3NFfO9FqlA+ME+lGGnynav474FAl6n9AEACgkQlGGnynav
475jfg/+MBOcDzude+AUV98Z9SRZp2JUxLNINAOBHZlk0NZyhq3hbYv9YkW76N9h
/6yV7vITCTQJnJlUJsVqlmCBLBZK2YsngZhVD9Rzn1bVlu2sV4q9DyOhQkuRfQPg
KZ40bXKtzj3Do5/2SBPtjSRfprGgrBShldM+PYqsEiqjwIByhfm969Qj2b9afanj
m7ckHNDZiEf3CUWY+IB1emd7d1wHAjbNAbLWsqotmM74elTv77qC4tJYaCZjsk6S
xKoMpNtIt2XKdoMN+26A/1KHfUZT5IXPxb4x1gtML6g61B/U8H8d9eWeTVZ5RWUu
4miXDBlHllFLV9QplsiuSQlmLaT0rp3RUVAsPRh6sYI7LUOAxN+0Nr6rnzhwsqio
Fe358Ykn7kg7Bh0yevgApJeLxSEkNLIGs0rdkWhznlarJ37hUIPEqT4jRtkYSTyW
KPHJ1N6ok/0PscLvp0X+j87zqAXgCGiRJuhLlW/c3jxkg34ZS0eOMzdxPN3wMpsM
LhBPpNDVARoHqrcBE32s4zPJSoL+kOWj1W6rQ4PtOAwNwzMF1LN0UWG0qwwCCVod
G0w9ZeHZd2WSzyjDXphA/C1IZPfMMgrVzuTRDdmE8Ml2YtsZN4NkZfTz19Dtg9+y
+o9dAFfC+/Wilo/i7oeudMI73aRXQCblGF6JkBIN1IKmn3utfm0=
=auCH
-----END PGP SIGNATURE-----