
grouper-users - Re: [grouper-users] LDAP timeouts after Java upgrade

Subject: Grouper Users - Open Discussion List

  • From: Alex Poulos <>
  • To: Robert Bradley <>
  • Subject: Re: [grouper-users] LDAP timeouts after Java upgrade
  • Date: Tue, 28 Apr 2020 07:49:05 -0400

We had LDAP issues in 2.3 after switching our directory to OpenLDAP because OpenLDAP was much more aggressive about closing idle connections. This looks different than the error we were getting, if memory serves, but it is at least possible that your directory server is closing idle connections. 

There have been odd bugs related to LDAP in Java 8 and higher, as already noted. Since you hit this problem on updating a JVM I assume that’s what’s going on.

We’ve had much better LDAP performance and stability since moving to Grouper 2.4, where the newer Ldaptive library is used across the board in place of the antique vt-ldap.

FWIW, getting to the point where you can deploy grouper as a container is well worth the effort in the long run, as it makes upgrading pretty easy. It took us several months of effort to move from 2.3 non-container to 2.4 containerized. By contrast, our move from 2.4 to 2.5 has taken just a few days of dev time.

Good luck!

Alex Poulos, PhD
IT Engineer
University of Maryland, College Park

On Tue, Apr 28, 2020 at 5:15 AM Robert Bradley <> wrote:

On 28/04/2020 02:27, Baron Fujimoto wrote:
> We're running Grouper 2.2.2 with LDAP (389DS) as a subject source.
> We were previously using Java 1.0.8_212 successfully. However, I
> recently upgraded the instance to use the current version of Java
> (251), and after doing so noticed that while it initially appears
> to work as expected, the LDAP connections eventually begin to time
> out with the following error:
>
> javax.naming.NamingException: LDAP response read timed out,
> timeout used:-1ms
>
> The timeouts start to occur after ~20 minutes. Netstat shows no
> open connections to our LDAP at that point.
>
> The grouper host is actually a node in a cluster behind a load
> balancer, but our lb admins can't find any relevant ~20 minute
> timeout value there.
>
> I've empirically determined that this appears to happen with a
> version of Java 8 higher than 221 (i.e. 231, 241, 251). I didn't
> see anything in the JDK release notes for 231 that appears to be
> relevant.
> <https://www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html>
>
One thought is that it could be a similar JNDI bug to that described
in https://wiki.shibboleth.net/confluence/display/IDP30/LDAPonJava%3E8
and https://issues.shibboleth.net/jira/browse/IDP-1441.  The problem
with that is that the fix probably involves upgrading Grouper to get
the ldaptive library instead of vt-ldap, and then configuring it to
use the UnboundID library instead of JNDI.  I doubt that's a practical
option in the short term unless vt-ldap has a similar setting you can try.

- --
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford


