
LDAP connection leaks for activiti-rest-webapp

Question asked by gregdavisfromnj on Nov 10, 2015
Latest reply on Mar 18, 2016 by gregdavisfromnj
I've recently started doing some load testing, and am finding that when deployed in Tomcat, and with version 5.17.0, the REST Web Application is leaking LDAP connections when configured to use LDAP authorization.

I've set up a context XML file to configure the application, with the LDAP config parts like this:

<bean id="processEngineConfiguration" class="org.activiti.spring.SpringProcessEngineConfiguration">
  …
  <property name="configurators">
    <list>
      <bean class="org.activiti.ldap.LDAPConfigurator">

        <!-- Server connection params -->
        <property name="server" value="${ldap.server}"/>
        <property name="port" value="${ldap.port}"/>
        <property name="user" value="${ldap.username}"/>
        <property name="password" value="${ldap.password}"/>

        <!-- Query params -->
        <property name="baseDn" value="${ldap.baseDn}"/>
        <property name="queryUserByUserId" value="${ldap.queryUserByUserId}"/>
        <property name="queryUserByFullNameLike" value="${ldap.queryUserByFullNameLike}"/>
        <property name="queryGroupsForUser" value="${ldap.queryGroupsForUser}"/>

        <!-- Attribute config -->
        <property name="userIdAttribute" value="${ldap.userIdAttribute}"/>
        <property name="userFirstNameAttribute" value="${ldap.userFirstNameAttribute}"/>
        <property name="userLastNameAttribute" value="${ldap.userLastNameAttribute}"/>

        <property name="groupIdAttribute" value="${ldap.groupIdAttribute}"/>
        <property name="groupNameAttribute" value="${ldap.groupNameAttribute}"/>

        <!-- Required for ActiveDirectory -->
        <property name="customConnectionParameters">
          <map>
            <entry key="InitialDirContext" value="Context.REFERRAL"/>
            <entry key="com.sun.jndi.ldap.connect.pool" value="${ldap.pool.enable}"/>
            <entry key="com.sun.jndi.ldap.connect.pool.initsize" value="${ldap.pool.initsize}"/>
            <entry key="com.sun.jndi.ldap.connect.pool.maxsize" value="${ldap.pool.maxsize}"/>
            <entry key="com.sun.jndi.ldap.connect.pool.prefsize" value="${ldap.pool.prefsize}"/>
            <entry key="com.sun.jndi.ldap.connect.pool.protocol" value="${ldap.pool.protocol}"/>
            <entry key="com.sun.jndi.ldap.connect.pool.timeout" value="${ldap.pool.timetoevict}"/>
          </map>
        </property>
      </bean>
    </list>
  </property>
  …


And with a properties file like this to source those property values:


… (some omitted properties)…

# connection pooling
ldap.pool.enable=true
ldap.pool.initsize=2
ldap.pool.maxsize=10
ldap.pool.prefsize=4
ldap.pool.protocol=plain ssl
ldap.pool.timetoevict=180000


The trouble is, after a while, I exceed the open file descriptor limit.  I can set the limit higher and higher, but eventually Tomcat just crashes.  I tried to use LDAP pooling to put a cap on the open connections, and to close the unused ones.  But, those pooling settings aren't having any effect.  I can see that the LDAP connections are leaking by finding the PID of tomcat, and using "lsof".  The connections will grow slightly through the ulimit I set (currently 16384).  For example, "sudo lsof -p 12345 | grep ldap | wc -l" will grow from 1 to 16xxx.

I don't see why the LDAP connections are not being closed.  But if they aren't manually closed, I expect the pool timeout value should close the idle connections and control the growth.  But, the connections are not closed, in any event.

Oh yeah, I am using ActiveDirectory as the LDAP server.  It properly authenticates, and I have a custom RestAuthenticator (extended from BasicAuthenticationProvider) that just matches the username against a property to authorize access.  Was something changed on BasicAuthenticationProvider or RestAuthenticator that requires closing the LDAP context manually somehow in any custom implementation?
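Added example (not from the poster and not Activiti's own code) showing the two JNDI behaviours behind a leak like the one described above. Two facts about the Sun/Oracle LDAP provider matter here: only "com.sun.jndi.ldap.connect.pool" is read from the InitialDirContext environment, while the pool sizing and eviction keys ("…pool.initsize", "…pool.maxsize", "…pool.prefsize", "…pool.protocol", "…pool.timeout") are JVM system properties and are ignored when placed in the environment map; and the pool timeout only evicts connections that have been returned to the pool, so a DirContext that is never closed holds its socket forever regardless of the timeout. The server URL, bind DN, password and search base are placeholders; the search filter uses the `{0}` argument form so the user id is escaped by the provider rather than spliced into the filter string.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Illustrative JNDI lookups: a leaking variant beside a correctly closed one. */
public final class LdapLookupExample {

    /** Pool sizing/eviction is configured through system properties (set once at
     *  JVM start or with -D on the Tomcat command line), not per context. */
    static void configurePoolOnce() {
        System.setProperty("com.sun.jndi.ldap.connect.pool.initsize", "2");
        System.setProperty("com.sun.jndi.ldap.connect.pool.maxsize", "10");
        System.setProperty("com.sun.jndi.ldap.connect.pool.prefsize", "4");
        System.setProperty("com.sun.jndi.ldap.connect.pool.protocol", "plain ssl");
        System.setProperty("com.sun.jndi.ldap.connect.pool.timeout", "180000"); // ms idle before eviction
    }

    /** Per-context environment; the pool opt-in is the only pool key that belongs here. */
    static Hashtable<String, String> environment(String url, String bindDn, String bindPassword) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                 // e.g. ldap://ad.example.invalid:389 (placeholder)
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // pooling requires "none" or "simple"
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        env.put(Context.REFERRAL, "follow");                // key "java.naming.referral", typical for AD
        env.put("com.sun.jndi.ldap.connect.pool", "true");  // opt this context into the pool
        return env;
    }

    private static SearchControls subtree() {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"sAMAccountName"});
        return sc;
    }

    /** Leaks one connection per call: close() is never reached, so the socket is
     *  neither released nor returned to the pool, and no timeout will reclaim it. */
    static boolean leakingUserExists(Hashtable<String, String> env, String baseDn, String userId)
            throws NamingException {
        DirContext ctx = new InitialDirContext(env);
        NamingEnumeration<SearchResult> results =
                ctx.search(baseDn, "(sAMAccountName={0})", new Object[] {userId}, subtree());
        return results.hasMore();
    }

    /** Correct form: enumeration and context are closed in finally blocks, so the
     *  connection goes back to the pool (or is closed when pooling is off) even if
     *  the search throws. */
    static boolean userExists(Hashtable<String, String> env, String baseDn, String userId)
            throws NamingException {
        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> results =
                    ctx.search(baseDn, "(sAMAccountName={0})", new Object[] {userId}, subtree());
            try {
                return results.hasMore();
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }

    /** Usage: java LdapLookupExample ldap://host:389 "CN=svc,DC=example,DC=invalid" secret "DC=example,DC=invalid" jdoe */
    public static void main(String[] args) throws NamingException {
        if (args.length != 5) {
            System.err.println("usage: LdapLookupExample <url> <bindDn> <password> <baseDn> <userId>");
            return;
        }
        configurePoolOnce();
        Hashtable<String, String> env = environment(args[0], args[1], args[2]);
        System.out.println("user exists: " + userExists(env, args[3], args[4]));
    }
}
```

With the closed variant, repeating the lookup under load and counting LDAP sockets with the lsof pipeline from the post should stay at or below the configured maxsize; with the leaking variant the count grows by one per call until the descriptor limit is hit.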
