Alfresco Share & Ldap Auth (Many attempts to login)

aballesteg — Tue, 13 May 2014 15:15:59 GMT

I've been using Alfresco 4.2e CE and works fine, I made LDAP Authentication only integration (not synchronization, I create users manually), It works really fine, but I have a trouble, when Alfresco doesn't have activity for many time and users try to login with LDAP credentials by Alfresco Share, A

Re: Alfresco Share & Ldap Auth (Many attempts to login)

jpotts — Tue, 13 May 2014 18:20:38 GMT

The ldap.synchronization.java.naming.security.principal should be the dn of an account that can bind and read user and group information. Yours is set to wpsbind. Is that what you intend? I use Apache DS but mine looks like uid=admin,ou=system.

Also, your search base settings for users and groups looks a little suspicious. Do you really have all of your users and groups under O=LotusD?

Finally, you don't have a username format set so Alfresco will use the person query and userID attribute name to find the user in LDAP to authenticate with. You should be able to use a command line tool or something like the Apache Directory Studio Eclipse Plug-In to verify that you can bind with your directory using that uid and person query. If you can't do it with a third party tool, Alfresco won't be able to do it.

Jeff

Re: Alfresco Share & Ldap Auth (Many attempts to login)

jpotts — Thu, 15 May 2014 13:42:11 GMT

I think it would be a good idea to upgrade your JDK to try to remove that from the equation.

Regarding optimizing your LDAP search, here is an idea. Is this a test server? If so, find a more specific user search for Alejandro Ballesteros. For example, instead of O=LotusD maybe it is ou=Technology,ou=Southwest,o=LotusD. The idea is to narrow it as far as possible. Then change your LDAP config to point to the more specific user search base. Then re-test. If you get fewer or no timeouts, you can conclude that your broad search base is the problem. If it doesn't make a difference you can focus your attention elsewhere.

Another idea is to try to remove Alfresco from the picture. For example, if you use a command line tool to bind (or a script) can you repeatedly bind without getting timeouts? If you still get timeouts you know it isn't Alfresco and is instead something with your LDAP server or your network. If you no longer get timeouts then you can focus on Alfresco config/code.

Jeff

Re: Alfresco Share & Ldap Auth (Many attempts to login)

aballesteg — Thu, 15 May 2014 15:55:59 GMT

Thanks for your answer Jeff:

As I said, I'm using Lotus Domino LDAP, honestly for me,this is a complex LDAP server because it's used by Lotus Apps and create their own object structured, very complex in my opinion, for example, create users in many differents DN locations, so I have to set "search base" on the top (O=LotusD), this ldap has almost 15,000 users with some differents username formats and locations, so I have to search through all ldap objects.

wpsbind is the account to bind users and groups, I used ldapsearch command to test searching users and works fine.

Finally I could debug the exception about this problem:

2014-05-14 09:19:27,656 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-1] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:41,701 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-10] Authenticating user "alejandro.ballesteros"
2014-05-14 09:22:41,718 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-10] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:41,718 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-10] User "alejandro.ballesteros" authenticated successfully
2014-05-14 09:22:41,749 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-5] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:41,811 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-6] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:41,828 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-4] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:41,835 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-7] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:42,273 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-2] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:42,310 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-3] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:42,310 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-9] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:42,339 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-1] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:42,376 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-10] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:42,401 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-5] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:42,421 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-8] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:42,440 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-6] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:42,600 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-4] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:42,609 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-7] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:42,616 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-2] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:22:44,236 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-3] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:45,499 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-7] Authenticating user "alejandro.ballesteros"
2014-05-14 09:50:45,501 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-7] Failed to authenticate user "alejandro.ballesteros"
org.alfresco.repo.security.authentication.AuthenticationException: 04140199 Unable to search LDAP. Reason LDAP response read timed out, timeout used:300000ms.
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.resolveDistinguishedName(LDAPUserRegistry.java:1006)
at org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl.authenticateImpl(LDAPAuthenticationComponentImpl.java:121)
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.authenticate(AbstractAuthenticationComponent.java:162)
at org.alfresco.repo.security.authentication.AuthenticationServiceImpl.authenticate(AuthenticationServiceImpl.java:68)
at org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.authenticate(AbstractChainingAuthenticationService.java:195)
at sun.reflect.GeneratedMethodAccessor743.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:46)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.alfresco.repo.audit.AuditMethodInterceptor.proceedWithAudit(AuditMethodInterceptor.java:247)
at org.alfresco.repo.audit.AuditMethodInterceptor.proceed(AuditMethodInterceptor.java:213)
at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:166)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy63.authenticate(Unknown Source)
at org.alfresco.repo.web.scripts.bean.AbstractLoginBean.login(AbstractLoginBean.java:66)
at org.alfresco.repo.web.scripts.bean.LoginPost.executeImpl(LoginPost.java:72)
at org.springframework.extensions.webscripts.DeclarativeWebScript.executeImpl(DeclarativeWebScript.java:235)
at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:64)
at org.alfresco.repo.web.scripts.RepositoryContainer$3.execute(RepositoryContainer.java:422)
at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:452)
at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:491)
at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:529)
at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:268)
at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:378)
at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:209)
at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1810)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
Caused by: javax.naming.NamingException: LDAP response read timed out, timeout used:300000ms.; remaining name 'O=LotusD'
at com.sun.jndi.ldap.Connection.readReply(Connection.java:481)
at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:631)
at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:554)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1789)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.resolveDistinguishedName(LDAPUserRegistry.java:958)
… 54 more

2014-05-14 09:50:49,688 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-3] Authenticating user "alejandro.ballesteros"
2014-05-14 09:50:49,719 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-3] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:49,719 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-3] User "alejandro.ballesteros" authenticated successfully
2014-05-14 09:50:49,758 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-9] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:49,818 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-10] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:49,835 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-5] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:49,842 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-8] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:50,074 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-4] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:50,074 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-6] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:50,107 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-7] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:50,122 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-2] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:50,158 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-3] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:50,189 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-9] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:50,204 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-1] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:50,242 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-10] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:50,245 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-5] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:50,453 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-8] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:50,582 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-6] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:50,592 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-4] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:50:50,605 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-2] Setting the current user to "alejandro.ballesteros"
2014-05-14 09:51:04,183 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-apr-8080-exec-7] Setting the current user to "alejandro.ballesteros"

As you can see, works normally, spend many time and suddenly authentication failed many times and then, works perfectly and normal.

I googled it (javax.naming.NamingException: LDAP response read timed out, timeout used:300000ms.; remaining name ) and some sites say that is a java bug, but I really don't think so.

I have a couple of deductions:

1.- Maybe it's a bug, so I have to upgrade jre to the last versión or find fixes (1.7.0_51)
2.- Maybe I need other params to optimize ldap searches (I don't know what others)
3.- Maybe the ldap server rejects a lot of searches or connections (I'm not sure really)

What do you think?
With this kind of ldap server, is there another way to optimize searches?

Best regards!

Re: Alfresco Share & Ldap Auth (Many attempts to login)

aballesteg — Wed, 28 May 2014 19:35:22 GMT

Thank u Jeff!

I upgrade java and the problem is gone!

Now my alfresco works fine!

topic Re: Alfresco Share & Ldap Auth (Many attempts to login) in Alfresco Archive

Alfresco Share & Ldap Auth (Many attempts to login)

Re: Alfresco Share & Ldap Auth (Many attempts to login)

Re: Alfresco Share & Ldap Auth (Many attempts to login)

Re: Alfresco Share & Ldap Auth (Many attempts to login)

Re: Alfresco Share & Ldap Auth (Many attempts to login)