Uploaded image for project: 'LDAP'
  1. LDAP
  2. LDAP-149

Members as "contact" object - BLOCKED thread

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • 9.15.3, 9.15.5
    • None
    • None
    • Unknown

    Description

      We have configured user authentication an group mapping unsing LDAP.
      The LDAP is configured against a Windows Active Directory.

      After adding a new LDAP group in xwiki.authentication.ldap.group_mapping we have a strange behavior of our installation.
      After a while, a user login in XWiki is no longer possible.

      We have a special case with that group:

      In Windows Active Directory, one of the group members is not a regular "user" object, but a "contact" object.
      Differences between user and concact object are explained for example an this site: https://techdirectarchive.com/2020/04/09/difference-between-a-contact-and-a-user-object/
      We need that contact entry for other purpose besides XWiki, it should be ignored on XWiki side.

      This problem occurs after restarting Tomcat after a while.

      We found a log message on our reverse proxy (Apache httpd) ahead of XWiki:

      [mpm_winnt:error] [pid 7576:tid 2836] AH00326: Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting

      We tried to investigate the problem with a Java stack trace and found a BLOCKED thread, that holds a lock.
      It seems this lock blocks all other threads regarding LDAP authentication, leading to exhaustion of available threads to serve requests on the reverse proxy.

      As soon as we remove the contact from the group and restart XWiki, the problem is gone.

      The complete LDAP config and the jstack evaluation are attached.

      Extract from:
      LDAP mapping:

      [...]
XWiki.testGroup=CN=testGroup,OU=_Security,OU=_Groups,DC=xx-xxxx,DC=com|
[...]

      jstack evaluation:

      [...]
"http-nio-8080-exec-2 - http://wiki.xx-xxxx.com/xwiki/bin/view/Dashboard/" #54 daemon prio=5 os_prio=0 cpu=203.13ms elapsed=1996.40s tid=0x0000023f7e98d000 nid=0x1fe4 waiting for monitor entry  [0x0000007b01dbc000]
   java.lang.Thread.State: BLOCKED (on object monitor)
	at org.xwiki.contrib.ldap.XWikiLDAPUtils.getGroupMembers(XWikiLDAPUtils.java:828)
	- waiting to lock <0x00000000929505d8> (a org.xwiki.cache.infinispan.internal.InfinispanCache)
	at org.xwiki.contrib.ldap.XWikiLDAPUtils.isInGroup(XWikiLDAPUtils.java:994)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:600)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:373)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:307)
	at com.xpn.xwiki.user.impl.xwiki.MyBasicAuthenticator.authenticate(MyBasicAuthenticator.java:209)
	at com.xpn.xwiki.user.impl.xwiki.MyBasicAuthenticator.checkLogin(MyBasicAuthenticator.java:118)
	at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:132)
	at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:201)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.java:167)
	at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4366)
	at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:238)
	at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:268)
	at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4389)
	at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5775)
	at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:548)
	at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:339)
	at com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:108)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:199)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:122)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.xwiki.wysiwyg.filter.ConversionFilter.doFilter(ConversionFilter.java:61)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:132)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:388)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:936)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
	at java.lang.Thread.run(java.base@11.0.15/Thread.java:829)

   Locked ownable synchronizers:
	- <0x0000000087480c38> (a org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker)
	- <0x000000009ad0a8d8> (a java.util.concurrent.locks.ReentrantLock$NonfairSync)
[...]

      Attachments

        Activity

          People

            Unassigned Unassigned
            Wiking Mario
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated: