openldap behind firewall
Ames, Phillip
phil.ames at uconn.edu
Fri Feb 22 09:26:49 EST 2008
Can you verify that it is a session timeout that is causing the disconnect problem? Is the connection between the CAS server and the LDAP server idle for a very long time, and the next person that attempts to log in causes the error you have provided?
You can determine this by using tcpdump or some other packet capture utility on the systems involved. Ideally you should be able to sniff both sides, but depending on whether or not you manage both systems, that may not be possible.
I am not familiar enough with Java's LDAP libraries to say whether or not you can configure the CAS server to use keepalives.
-Phil
-----Original Message-----
From: cas-bounces at tp.its.yale.edu on behalf of Tarik Arrad
Sent: Fri 2/22/2008 8:03 AM
To: Yale CAS mailing list
Subject: Re: openldap behind firewall
The firewall is stateful. Is there any special configuration to do on the CAS
server or OpenLDAP?
2008/2/22, Tarik Arrad <t.arrad at gmail.com>:
>
> Thanks Phil, I will check the logfile of the firewall (Checkpoint).
>
> 2008/2/22, Ames, Phillip <phil.ames at uconn.edu>:
> >
> > Is your firewall stateful? Does CAS open a persistent LDAP
> > connection? If so, and it does not send any data through that connection
> > for 'N' seconds where 'N' is the maximum idle time (when no packets are
> > sent) before your firewall removes that session from its session table, you
> > could be seeing a session expiration issue. The resulting effect would be
> > that the firewall would drop all packets sent after 'N' idle seconds since
> > it cannot find that session in its session table. CAS would need to
> > reconnect to the LDAP server (going through the whole TCP 3-way handshake).
> >
> > In short, check your firewall logs to see if anything shows up involving
> > the CAS server and your LDAP server.
> >
> > -Phil
> >
> >
> > -----Original Message-----
> > From: cas-bounces at tp.its.yale.edu on behalf of Tarik Arrad
> > Sent: Thu 2/21/2008 5:08 PM
> > To: cas at tp.its.yale.edu
> > Subject: openldap behind firewall
> >
> > Hi all,
> > I have a problem with my CAS authentication. In my architecture I have 2
> > CAS 3.1 servers as front-end and 2 OpenLDAP servers as back-end behind a
> > firewall. Everything works fine, but from time to time I get this error message:
> >
> > *exception*
> >
> > org.springframework.web.util.NestedServletException: Request
> > processing failed; nested exception is
> > org.springframework.webflow.engine.ActionExecutionException: Exception
> > thrown executing [AnnotatedAction@3ab6f7f5 targetAction =
> > org.jasig.cas.web.flow.AuthenticationViaFormAction@51af4309,
> > attributes = map['method' -> 'submit']] in state 'submit' of flow
> > 'login-webflow' -- action execution attributes were 'map['method' ->
> > 'submit']'; nested exception is
> > org.springframework.ldap.UncategorizedLdapException: Operation failed;
> > nested exception is javax.naming.ServiceUnavailableException:
> > 10.127.11.12:389; socket closed; remaining name 'dc=mooja,dc=ma'
> > org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:487)
> > org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:440)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> > org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
> >
> > *root cause*
> >
> > org.springframework.webflow.engine.ActionExecutionException: Exception
> > thrown executing [AnnotatedAction@3ab6f7f5 targetAction =
> > org.jasig.cas.web.flow.AuthenticationViaFormAction@51af4309,
> > attributes = map['method' -> 'submit']] in state 'submit' of flow
> > 'login-webflow' -- action execution attributes were 'map['method' ->
> > 'submit']'; nested exception is
> > org.springframework.ldap.UncategorizedLdapException: Operation failed;
> > nested exception is javax.naming.ServiceUnavailableException:
> > 10.127.11.12:389; socket closed; remaining name 'dc=mooja,dc=ma'
> > org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.java:68)
> > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:180)
> > org.springframework.webflow.engine.State.enter(State.java:200)
> > org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> > org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
> > org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:208)
> > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:185)
> > org.springframework.webflow.engine.State.enter(State.java:200)
> > org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> > org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
> > org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:208)
> > org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(FlowExecutionImpl.java:214)
> > org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImpl.java:245)
> > org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:115)
> > org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:172)
> > org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
> > org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
> > org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:857)
> > org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:792)
> > org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:475)
> > org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:440)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> > org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
> >
> > *root cause*
> >
> > org.springframework.ldap.UncategorizedLdapException: Operation failed;
> > nested exception is javax.naming.ServiceUnavailableException:
> > 10.127.11.12:389; socket closed; remaining name 'dc=mooja,dc=ma'
> >
> > org.springframework.ldap.DefaultNamingExceptionTranslator.translate(DefaultNamingExceptionTranslator.java:93)
> > org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:287)
> > org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:314)
> > org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler.authenticateUsernamePasswordInternal(BindLdapAuthenticationHandler.java:67)
> > org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.doAuthentication(AbstractUsernamePasswordAuthenticationHandler.java:56)
> > org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:58)
> > org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:84)
> > org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:383)
> > org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(AuthenticationViaFormAction.java:107)
> > sun.reflect.GeneratedMethodAccessor60.invoke(Unknown Source)
> > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > java.lang.reflect.Method.invoke(Method.java:597)
> > org.springframework.webflow.util.DispatchMethodInvoker.invoke(DispatchMethodInvoker.java:103)
> > org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java:136)
> > org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:203)
> > org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.java:142)
> > org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.java:61)
> > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:180)
> > org.springframework.webflow.engine.State.enter(State.java:200)
> > org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> > org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
> > org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:208)
> > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:185)
> > org.springframework.webflow.engine.State.enter(State.java:200)
> > org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> > org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
> > org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:208)
> > org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(FlowExecutionImpl.java:214)
> > org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImpl.java:245)
> > org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:115)
> > org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:172)
> > org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
> > org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
> > org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:857)
> > org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:792)
> > org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:475)
> > org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:440)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> > org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
> >
> > *root cause*
> >
> > javax.naming.ServiceUnavailableException: 10.127.11.12:389; socket closed; remaining name 'dc=mooja,dc=ma'
> > com.sun.jndi.ldap.Connection.readReply(Connection.java:416)
> > com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:611)
> > com.sun.jndi.ldap.LdapClient.search(LdapClient.java:534)
> > com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1948)
> > com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1810)
> > com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1735)
> > com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
> > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
> > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
> > javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
> > org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler$1.executeSearch(BindLdapAuthenticationHandler.java:71)
> > org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:268)
> > org.springframework.ldap.LdapTemplate.search(LdapTemplate.java:314)
> > org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler.authenticateUsernamePasswordInternal(BindLdapAuthenticationHandler.java:67)
> > org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.doAuthentication(AbstractUsernamePasswordAuthenticationHandler.java:56)
> > org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:58)
> > org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:84)
> > org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:383)
> > org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(AuthenticationViaFormAction.java:107)
> > sun.reflect.GeneratedMethodAccessor60.invoke(Unknown Source)
> > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > java.lang.reflect.Method.invoke(Method.java:597)
> > org.springframework.webflow.util.DispatchMethodInvoker.invoke(DispatchMethodInvoker.java:103)
> > org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java:136)
> > org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:203)
> > org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.java:142)
> > org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.java:61)
> > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:180)
> > org.springframework.webflow.engine.State.enter(State.java:200)
> > org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> > org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
> > org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:208)
> > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:185)
> > org.springframework.webflow.engine.State.enter(State.java:200)
> > org.springframework.webflow.engine.Transition.execute(Transition.java:229)
> > org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
> > org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
> > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:208)
> > org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(FlowExecutionImpl.java:214)
> > org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImpl.java:245)
> > org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:115)
> > org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:172)
> > org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
> > org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
> > org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:857)
> > org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:792)
> > org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:475)
> > org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:440)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> > org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
> >
> > I need your help
> > Thanks.
> >
> > Tarik Arrad
> >
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
> >
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 7865 bytes
Desc: not available
Url : http://tp.its.yale.edu/pipermail/cas/attachments/20080222/bb70a00d/attachment.bin
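Phil's two suggestions in this thread, keepalives on the CAS-to-LDAP connection and reconnecting with a fresh 3-way handshake once the firewall has forgotten the session, in runnable form. This is an added example written for this archive page; it is not code from the thread, from CAS or from Spring LDAP. A one-line toy protocol stands in for LDAP, a localhost thread that closes the connection after a set number of requests stands in for OpenLDAP behind the firewall, the firewall idle timeout 'N' is assumed to be 300 s, and the names FIREWALL_IDLE_SECONDS, keepalive_options, apply_keepalive, IdleClosingServer, PersistentClient and demo are this example's own.

```python
import socket
import threading

# Added example (not code from the thread, CAS or Spring LDAP). The idle
# timeout 'N' below and every name in this file are assumptions for illustration.
FIREWALL_IDLE_SECONDS = 300


def keepalive_options(idle_timeout):
    """First probe at N/3 s of idleness, then every N/10 s, give up after 3
    misses, so the firewall sees traffic well before it forgets the session."""
    return max(1, idle_timeout // 3), max(1, idle_timeout // 10), 3


def apply_keepalive(sock, idle_timeout=FIREWALL_IDLE_SECONDS):
    """Enable kernel keepalives on a connected TCP socket. Option names differ
    per platform (Linux TCP_KEEPIDLE, macOS TCP_KEEPALIVE); absent ones are skipped."""
    idle, interval, count = keepalive_options(idle_timeout)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPALIVE", idle),
                        ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return idle, interval, count


class IdleClosingServer(threading.Thread):
    """Constructed stand-in for OpenLDAP behind the firewall: answers 'BIND ..' and
    'SEARCH ..' lines with 'OK ..', then drops the connection after max_requests."""

    def __init__(self, max_requests=1):
        super().__init__(daemon=True)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        self.max_requests, self.connections_seen = max_requests, 0

    def run(self):
        while True:
            try:
                conn, _ = self.listener.accept()
            except OSError:                   # listener shut down by stop()
                return
            self.connections_seen += 1
            with conn:                        # closed on exit: session gone
                for _ in range(self.max_requests):
                    data = conn.recv(1024)
                    if not data:
                        break
                    conn.sendall(b"OK " + data.strip() + b"\n")

    def stop(self):
        try:
            self.listener.shutdown(socket.SHUT_RDWR)   # wakes a blocked accept()
        except OSError:
            pass
        self.listener.close()


class PersistentClient:
    """Long-lived connection like the one CAS keeps to OpenLDAP: on the first sign the
    peer is gone, reconnect (new 3-way handshake) and retry once. A real LDAP client
    must also re-bind on the new connection before retrying the search."""

    def __init__(self, host, port, idle_timeout=FIREWALL_IDLE_SECONDS):
        self.addr, self.idle_timeout = (host, port), idle_timeout
        self.sock, self.reconnects = None, 0

    def _connect(self):
        self.sock = socket.create_connection(self.addr, timeout=5)
        apply_keepalive(self.sock, self.idle_timeout)

    def _exchange(self, line):
        self.sock.sendall(line.encode() + b"\n")
        reply = self.sock.recv(1024)
        if not reply:                # orderly close by the peer: "socket closed"
            raise ConnectionResetError("peer closed the connection")
        return reply.decode().strip()

    def request(self, line):
        if self.sock is None:
            self._connect()
        try:
            return self._exchange(line)
        except (ConnectionError, socket.timeout):
            # RST, EOF, or a silent drop that timed out: rebuild and retry once.
            self.close()
            self.reconnects += 1
            self._connect()
            return self._exchange(line)

    def close(self):
        if self.sock is not None:
            self.sock.close()
            self.sock = None


def demo(max_requests=1):
    """Three logins over one client. Returns (replies, reconnects, connections seen)."""
    server = IdleClosingServer(max_requests)
    server.start()
    client = PersistentClient("127.0.0.1", server.port)
    try:
        replies = [client.request(line) for line in
                   ("BIND cn=cas", "SEARCH uid=alice", "SEARCH uid=bob")]
        return replies, client.reconnects, server.connections_seen
    finally:
        client.close()
        server.stop()
```

demo(1) returns the three "OK ..." replies after 2 reconnects over 3 server-side connections; demo(10) returns the same replies with no reconnects over a single connection. Whether keepalives alone are enough depends on which side ends the session: a capture on the CAS host (tcpdump -nn host 10.127.11.12 and port 389) shows whether the LDAP server sends FIN, the firewall injects RST, or packets simply go unanswered, and only the third case is pure session-table expiry. In a CAS deployment the equivalent of the retry above is a validated connection pool in the LDAP client (Spring LDAP's PoolingContextSource with a DirContextValidator and testOnBorrow enabled), which discards a context whose socket has died before a login uses it.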