Sometimes xwiki is blocked by LDAP connection

I use LDAP to authenticate my users.
But sometimes xwiki is blocked by LDAP, and the timeout seems to have no effect.
When it is blocked, I can see a lot of connections to the LDAP server with “netstat -n | fgrep :389”:

]# netstat -n | fgrep :389
tcp        0      0 ::ffff:10.134.74.202:57712  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57511  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57764  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57633  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57577  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57579  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57763  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57509  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57597  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57607  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57625  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57714  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57678  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57694  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57609  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57513  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57545  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57781  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57780  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57647  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57601  ::ffff:10.134.100.225:389   ESTABLISHED 
tcp        0      0 ::ffff:10.134.74.202:57599  ::ffff:10.134.100.225:389   ESTABLISHED 

And jstack shows a lot of threads are held on LDAP-related things:

"Thread-17398" #17509 daemon prio=5 os_prio=0 tid=0x00007f469c001800 nid=0x1514 runnable [0x00007f468a093000]
   java.lang.Thread.State: RUNNABLE
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
        at java.net.SocketInputStream.read(SocketInputStream.java:170)
        at java.net.SocketInputStream.read(SocketInputStream.java:141)
        at java.net.SocketInputStream.read(SocketInputStream.java:223)
        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
        at com.novell.ldap.Connection$ReaderThread.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:745)

"Thread-17393" #17504 daemon prio=5 os_prio=0 tid=0x00007f46802bc800 nid=0x14f0 runnable [0x00007f46a0944000]
   java.lang.Thread.State: RUNNABLE
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
        at java.net.SocketInputStream.read(SocketInputStream.java:170)
        at java.net.SocketInputStream.read(SocketInputStream.java:141)
        at java.net.SocketInputStream.read(SocketInputStream.java:223)
        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
        at com.novell.ldap.Connection$ReaderThread.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:745)

"http://xwiki.sogou-inc.com/xwiki/bin/loginsubmit/XWiki/XWikiLogin" #17499 daemon prio=5 os_prio=0 tid=0x00007f4658026000 nid=0xf20 waiting for monitor entry [0x00007f46a13fb000]
   java.lang.Thread.State: BLOCKED (on object monitor)
        at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.getGroupMembers(XWikiLDAPUtils.java:777)
        - waiting to lock <0x00000006b1428100> (a org.xwiki.cache.infinispan.internal.InfinispanCache)
        at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.isMemberOfGroup(XWikiLDAPUtils.java:815)
        at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.isMemberOfGroups(XWikiLDAPUtils.java:841)
        at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.syncGroupsMembership(XWikiLDAPUtils.java:1048)
        at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:499)
....
"Thread-17388" #17493 daemon prio=5 os_prio=0 tid=0x00007f4678025000 nid=0xeec runnable [0x00007f46a0df8000]
   java.lang.Thread.State: RUNNABLE
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
        at java.net.SocketInputStream.read(SocketInputStream.java:170)
        at java.net.SocketInputStream.read(SocketInputStream.java:141)
        at java.net.SocketInputStream.read(SocketInputStream.java:223)
        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
        at com.novell.ldap.Connection$ReaderThread.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:745)
...

But the ldapsearch command line util can work with the same LDAP server very fast.

]# ldapsearch -D kirbyzhou@sogou-inc.com -W CN=web_pm_all -H ldap://10.134.45.215 CN

Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=sogou-inc,dc=com> (default) with scope subtree
# filter: CN=web_pm_all
# requesting: CN 
#

# web_pm_all, maillist, Sogou, sogou-inc.com
dn: CN=web_pm_all,OU=maillist,OU=Sogou,DC=sogou-inc,DC=com
cn: web_pm_all

# search reference
ref: ldap://ForestDnsZones.sogou-inc.com/DC=ForestDnsZones,DC=sogou-inc,DC=com

# search reference
ref: ldap://DomainDnsZones.sogou-inc.com/DC=DomainDnsZones,DC=sogou-inc,DC=com

# search reference
ref: ldap://sogou-inc.com/CN=Configuration,DC=sogou-inc,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

The only solution I can do now is to restart the xwiki tomcat process.
Can anyone help me find the real solution?

XWiki-7.4.3
Centos-6
java-1.8.0-oracle-1.8.0.45

Are you sure it’s stuck?

A known limitation is that if you have huge groups, the first authentication will take a while because it’s loading the group members and putting them in a cache (it also means the first auth after the cache has expired; you can control this using the xwiki.authentication.ldap.groupcache_expiration property). You can sometimes substantially reduce the number of LDAP requests required to load group members using xwiki.authentication.ldap.group_sync_resolve_subgroups if you know none of your LDAP groups contains other groups.

Also, in general, try to avoid things like mapping an LDAP group which contains all your users, since users are automatically added to XWikiAllGroup already (you can modify the group where new users should be automatically added using the xwiki.users.initialGroups property in the xwiki.cfg file, in which case you should enable xwiki.authentication.group.allgroupimplicit).

How big a group is huge? My org has fewer than 1000 people.
The biggest group is 666.

| Group | Members |
|---|---|
| medical_all | 21 |
| search_all | 666 |
| web_pm_all | 83 |
| XWikiAllGroup | 753 |

I tried to get group info manually with ‘ldapsearch’; it is very fast, less than 200ms.

]# time ldapsearch -D … -w … CN=search_fulltime -H ldap://10.134.45.215 > /dev/null

real 0m0.017s
user 0m0.000s
sys 0m0.003s

I think it is stuck.
The stuck situation happens and holds for hours until I restart TOMCAT.

I have jstack and netstat logs per minute.
Since about 14:15, xwiki began to be stuck and never recovered until 15:10, when I restarted xwiki.

]# fgrep 'com.novell.ldap.asn1.ASN1Identifier.<init>' * | uniq  -c
      1 10:28:48.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 10:46:10.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:10:19.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:11:04.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:11:49.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:12:34.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:13:20.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:14:05.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:14:50.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:15:36.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:16:21.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:17:06.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:17:51.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:18:37.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:19:22.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:20:07.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:20:52.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:21:38.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:22:23.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:23:08.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:23:54.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 11:41:15.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 11:56:21.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 11:57:06.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 11:57:51.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 11:58:36.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 11:59:22.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 12:00:07.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 12:00:52.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      5 12:01:37.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 12:02:23.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 12:03:08.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 12:03:53.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 12:04:38.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 12:05:24.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 12:06:09.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 12:06:54.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 12:07:40.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      4 12:08:25.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      4 12:09:10.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      4 12:09:55.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 12:10:41.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 12:11:26.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 12:12:11.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 12:12:57.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 12:13:42.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 12:14:27.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 12:15:12.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 12:15:58.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 12:16:43.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:17:28.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:18:13.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:18:59.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:19:44.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:20:29.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:21:14.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:22:00.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:22:45.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:23:30.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:24:16.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:25:01.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:25:46.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:26:31.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:27:17.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:28:02.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:28:47.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:29:33.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:30:18.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:31:03.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 12:31:49.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:13:19.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:14:04.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:14:49.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:15:35.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:16:20.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:17:05.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:17:51.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:18:36.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:19:21.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:20:06.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:20:52.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:21:37.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:22:22.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:23:07.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:23:53.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:24:38.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:25:23.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:26:09.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:26:54.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:27:39.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:48:01.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:48:47.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:49:32.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:50:17.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:51:03.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:51:48.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:52:33.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:53:18.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:54:04.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:54:49.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:55:34.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:56:20.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:57:05.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:57:50.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:58:36.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 13:59:21.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 14:00:06.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 14:00:52.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 14:01:37.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 14:02:22.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      1 14:03:53.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 14:04:38.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 14:05:23.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 14:06:09.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 14:06:54.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 14:07:39.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      4 14:08:24.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      5 14:09:10.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      5 14:09:55.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      5 14:10:40.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      5 14:11:26.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      5 14:12:11.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      5 14:12:56.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      5 14:13:41.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      6 14:14:27.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      8 14:15:12.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     10 14:15:57.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     10 14:16:43.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     10 14:17:28.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     10 14:18:13.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      9 14:18:59.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      8 14:19:44.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      8 14:20:29.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      8 14:21:14.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      7 14:22:00.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      6 14:22:45.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      6 14:23:30.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      7 14:24:16.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     10 14:25:01.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     11 14:25:46.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     11 14:26:32.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     13 14:27:17.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     13 14:28:02.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     13 14:28:48.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     13 14:29:33.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     11 14:30:18.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     12 14:31:04.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     14 14:31:49.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     15 14:32:34.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     16 14:33:19.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     19 14:34:05.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     21 14:34:50.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     22 14:35:36.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     22 14:36:21.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     22 14:37:06.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     21 14:37:51.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     21 14:38:37.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     21 14:39:22.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     18 14:40:07.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     19 14:40:53.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     19 14:41:38.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     17 14:42:23.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     17 14:43:09.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     15 14:43:54.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     15 14:44:39.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     14 14:45:25.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     13 14:46:10.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     10 14:46:55.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     10 14:47:41.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      9 14:48:26.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      7 14:49:11.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 14:49:56.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 14:50:42.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 14:51:27.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      3 14:52:12.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 14:52:58.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      2 14:53:43.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      7 14:54:28.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      7 14:55:14.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      5 14:55:59.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      5 14:56:44.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      6 14:57:30.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      6 14:58:15.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
      8 14:59:00.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     12 14:59:45.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     14 15:00:31.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     15 15:01:16.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     16 15:02:01.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     17 15:02:47.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     17 15:03:32.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     19 15:04:17.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     20 15:05:03.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     20 15:05:48.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     20 15:06:33.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     20 15:07:19.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     22 15:08:04.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     21 15:08:49.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     19 15:09:35.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
     21 15:10:20.txt:        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
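As an added example (not code from this thread or from XWiki), a small Python script that automates the per-minute jstack count above: it splits a HotSpot thread dump into threads, counts the LDAP reader threads parked in socketRead0 and the request threads BLOCKED on the InfinispanCache monitor in XWikiLDAPUtils.getGroupMembers, and flags a snapshot as hung above an assumed threshold of 8 readers (chosen from the 1-5 healthy vs 8-22 stuck split in the counts above). The sample dumps are constructed from the frames quoted in this thread; thread ids and names in them are made up.

```python
import re
from collections import Counter

# Frames taken from the stack traces quoted in the thread.
LDAP_READER_FRAME = "com.novell.ldap.Connection$ReaderThread.run"
SOCKET_READ_FRAME = "java.net.SocketInputStream.socketRead0"
GROUP_CACHE_FRAME = "com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.getGroupMembers"

# HotSpot jstack thread header: "name" #id daemon prio=... (name may be a URL)
THREAD_HEADER = re.compile(r'^"(?P<name>[^"]*)" #\d+ ')


def split_threads(dump):
    """Yield (name, state, frames) for each thread block in a jstack dump."""
    name, state, frames = None, "", []
    for raw in dump.splitlines():
        line = raw.strip()
        m = THREAD_HEADER.match(raw)
        if m:
            if name is not None:
                yield name, state, frames
            name, state, frames = m.group("name"), "", []
        elif name is None:
            continue  # preamble before the first thread
        elif line.startswith("java.lang.Thread.State:"):
            state = line.split(":", 1)[1].strip()
        elif line.startswith(("at ", "- ")):
            frames.append(line)
    if name is not None:
        yield name, state, frames


def classify(dump):
    """Count the two thread shapes seen in the hang: LDAP reader threads parked in a
    blocking socket read, and request threads waiting for the group-cache lock held
    by whichever login is loading group members through one of those connections."""
    counts = Counter(ldap_readers_in_socket_read=0, blocked_on_group_cache=0)
    for _name, state, frames in split_threads(dump):
        joined = "\n".join(frames)
        if LDAP_READER_FRAME in joined and SOCKET_READ_FRAME in joined:
            counts["ldap_readers_in_socket_read"] += 1
        elif GROUP_CACHE_FRAME in joined and state.startswith("BLOCKED"):
            counts["blocked_on_group_cache"] += 1
    return counts


def is_hung(counts, reader_threshold=8):
    """Alert rule with an assumed threshold: the poster's per-minute counts sat at
    1-5 readers while healthy and climbed to 8-22 once logins stopped completing."""
    return counts["ldap_readers_in_socket_read"] >= reader_threshold


def trend(snapshots):
    """Per-snapshot reader counts, like the poster's `fgrep ... | uniq -c` listing."""
    return [(ts, classify(d)["ldap_readers_in_socket_read"]) for ts, d in snapshots]


# --- constructed sample dumps (frame shapes copied from the thread, ids made up) ---
def _reader_thread(i):
    return (f'"Thread-{i}" #{i} daemon prio=5 os_prio=0 tid=0x0 nid=0x{i:x} runnable [0x0]\n'
            '   java.lang.Thread.State: RUNNABLE\n'
            '        at java.net.SocketInputStream.socketRead0(Native Method)\n'
            '        at java.net.SocketInputStream.read(SocketInputStream.java:223)\n'
            '        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)\n'
            '        at com.novell.ldap.Connection$ReaderThread.run(Unknown Source)\n'
            '        at java.lang.Thread.run(Thread.java:745)\n\n')


def _login_thread(i):
    return (f'"http-login-{i}" #{i} daemon prio=5 os_prio=0 tid=0x0 nid=0x{i:x} waiting for monitor entry [0x0]\n'
            '   java.lang.Thread.State: BLOCKED (on object monitor)\n'
            '        at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.getGroupMembers(XWikiLDAPUtils.java:777)\n'
            '        - waiting to lock <0x00000006b1428100> (a org.xwiki.cache.infinispan.internal.InfinispanCache)\n'
            '        at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.isMemberOfGroup(XWikiLDAPUtils.java:815)\n\n')


PREAMBLE = "Full thread dump (constructed sample)\n\n"
HEALTHY_DUMP = PREAMBLE + "".join(_reader_thread(i) for i in range(2))
HUNG_DUMP = (PREAMBLE + "".join(_reader_thread(i) for i in range(10))
             + "".join(_login_thread(100 + i) for i in range(3)))

if __name__ == "__main__":
    for label, dump in (("14:00", HEALTHY_DUMP), ("14:30", HUNG_DUMP)):
        c = classify(dump)
        print(label, dict(c), "HUNG" if is_hung(c) else "ok")
```

Run it over the real per-minute files by reading each one into `classify`; a rising reader count with login threads blocked on the cache is the signature the poster saw, and is the condition worth alerting on instead of waiting for users to report stuck logins.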

I tried to get group info manually with ‘ldapsearch’; it is very fast, less than 200ms.

It’s not just getting one group entry. The authenticator wants to get the DN of all the members of a group recursively, so it depends on whether your group contains DNs or uids (in which case it needs to search for the DN of each of them) and also on whether you enabled subgroup support or not (the xwiki.authentication.ldap.group_sync_resolve_subgroups property I mentioned).

The stuck situation happens and holds for hours until I restart TOMCAT.

Hours definitely sounds like a lot, yes, but I never got any report of the LDAP authenticator being stuck while loading group members. Not an easy thing to fix without debugging it step by step.

I would start by setting xwiki.authentication.ldap.group_sync_resolve_subgroups to 0 to see if it helps.

Maybe it works.
But my groups actually contain sub groups, and the number is not very high.
At most 10 sub groups (recursively).
The LDAP admin is not me; I cannot change the policy.

If you mean that LDAP will check all member DNs (both users and sub groups), is there any setting that can add a filter to identify group DNs?
All my groups are under the path “OU=maillist,OU=Sogou,DC=sogou-inc,DC=com”.