
grouper-users - Re: [grouper-users] LDAP timeouts after Java upgrade

Subject: Grouper Users - Open Discussion List

  • From: Alex Poulos <>
  • To: Robert Bradley <>
  • Cc:
  • Subject: Re: [grouper-users] LDAP timeouts after Java upgrade
  • Date: Tue, 28 Apr 2020 07:49:05 -0400

We had LDAP issues in 2.3 after switching our directory to OpenLDAP because OpenLDAP was much more aggressive about closing idle connections. This looks different than the error we were getting, if memory serves, but it is at least possible that your directory server is closing idle connections. 

There have been odd bugs related to LDAP in Java 8 and higher, as already noted. Since you hit this problem on updating a JVM I assume that’s what’s going on.

We’ve had much better LDAP performance and stability since moving to grouper 2.4, where the newer Ldaptive library is used across the board in place of the antique vt-ldap.

FWIW, getting to the point where you can deploy grouper as a container is well worth the effort in the long run, as it makes upgrading pretty easy. It took us several months of effort to move from 2.3 non-container to 2.4 containerized. By contrast, our move from 2.4 to 2.5 has taken just a few days of dev time.

Good luck!

Alex Poulos, PhD
IT Engineer
University of Maryland, College Park

On Tue, Apr 28, 2020 at 5:15 AM Robert Bradley <> wrote:

On 28/04/2020 02:27, Baron Fujimoto wrote:
> We're running Grouper 2.2.2 with LDAP (389DS) as a subject source.
> We were previously using Java 1.0.8_212 successfully. However, I
> recently upgraded the instance to use the current version of Java
> (251), and after doing so noticed that while it initially appears
> to work as expected, the LDAP connections eventually begin to time
> out with the following error:
> javax.naming.NamingException: LDAP response read timed out,
> timeout used:-1ms
> The timeouts start to occur after ~20 minutes. Netstat shows no
> open connections to our LDAP at that point.
> The grouper host is actually a node in a cluster behind a load
> balancer, but our lb admins can't find any relevant ~20 minute
> timeout value there.
> I've empirically determined that this appears to happen with a
> version of Java 8 higher than 221 (i.e. 231, 241, 251). I didn't
> see anything in the JDK release notes for 231 that appear to be
> relevant.
> <
One thought is that it could be a similar JNDI bug to that described
and  The problem
with that is that the fix probably involves upgrading Grouper to get
the ldaptive library instead of vt-ldap, and then configuring it to
use the UnboundID library instead of JNDI.  I doubt that's a practical
option in the short term unless vt-ldap has a similar setting you can tr

--
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford

