We have configured user authentication and group mapping using LDAP. The LDAP is configured against a Windows Active Directory. After adding a new LDAP group in xwiki.authentication.ldap.group_mapping we have a strange behavior of our installation. After a while, a user login in XWiki is no longer possible.

We have a special case with that group: in Windows Active Directory, one of the group members is not a regular "user" object, but a "contact" object. Differences between user and contact objects are explained, for example, on this site: https://techdirectarchive.com/2020/04/09/difference-between-a-contact-and-a-user-object/ We need that contact entry for other purposes besides XWiki; it should be ignored on the XWiki side.

This problem occurs after restarting Tomcat after a while. We found a log message on our reverse proxy (Apache httpd) ahead of XWiki:

[mpm_winnt:error] [pid 7576:tid 2836] AH00326: Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting

We tried to investigate the problem with a Java stack trace and found a BLOCKED thread that holds a lock. It seems this lock blocks all other threads regarding LDAP authentication, leading to exhaustion of available threads to serve requests on the reverse proxy. As soon as we remove the contact from the group and restart XWiki, the problem is gone.

The complete LDAP config and the jstack evaluation are attached. Extract from:

LDAP mapping:
[...]
XWiki.testGroup=CN=testGroup,OU=_Security,OU=_Groups,DC=xx-xxxx,DC=com|
[...]
jstack evaluation:
[...]
"http-nio-8080-exec-2 - http: #54 daemon prio=5 os_prio=0 cpu=203.13ms elapsed=1996.40s tid=0x0000023f7e98d000 nid=0x1fe4 waiting for monitor entry [0x0000007b01dbc000]
java.lang.Thread.State: BLOCKED (on object monitor)
at org.xwiki.contrib.ldap.XWikiLDAPUtils.getGroupMembers(XWikiLDAPUtils.java:828)
- waiting to lock <0x00000000929505d8> (a org.xwiki.cache.infinispan.internal.InfinispanCache)
at org.xwiki.contrib.ldap.XWikiLDAPUtils.isInGroup(XWikiLDAPUtils.java:994)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:600)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:373)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:307)
at com.xpn.xwiki.user.impl.xwiki.MyBasicAuthenticator.authenticate(MyBasicAuthenticator.java:209)
at com.xpn.xwiki.user.impl.xwiki.MyBasicAuthenticator.checkLogin(MyBasicAuthenticator.java:118)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:132)
at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:201)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.java:167)
at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4366)
at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:238)
at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:268)
at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4389)
at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5775)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:548)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:339)
at com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:108)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:199)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:122)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.xwiki.wysiwyg.filter.ConversionFilter.doFilter(ConversionFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:132)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:388)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:936)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.lang.Thread.run(java.base@11.0.15/Thread.java:829)
Locked ownable synchronizers:
- <0x0000000087480c38> (a org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker)
- <0x000000009ad0a8d8> (a java.util.concurrent.locks.ReentrantLock$NonfairSync)
[...]
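
One way to triage a thread dump like the one in this report, as an added example that is not part of the original post: group the BLOCKED threads by the monitor they are waiting for and name the thread that holds it. The function name `lock_contention`, the threads exec-1 and exec-3, and the owner's frame are assumptions made for the constructed sample; only the exec-2 lines mirror the extract above.

```python
import re
from collections import defaultdict

# Constructed sample in jstack format (not the dump attached to the report).
# exec-1, exec-3 and the owner's frame are invented for illustration.
SAMPLE_DUMP = '''\
"http-nio-8080-exec-1" #53 daemon prio=5 tid=0x01 nid=0x1 runnable [0x01]
   java.lang.Thread.State: RUNNABLE
    at java.net.SocketInputStream.socketRead0(Native Method)
    - locked <0x00000000929505d8> (a org.xwiki.cache.infinispan.internal.InfinispanCache)

"http-nio-8080-exec-2 - http: #54 daemon prio=5 tid=0x02 nid=0x2 waiting for monitor entry [0x02]
   java.lang.Thread.State: BLOCKED (on object monitor)
    at org.xwiki.contrib.ldap.XWikiLDAPUtils.getGroupMembers(XWikiLDAPUtils.java:828)
    - waiting to lock <0x00000000929505d8> (a org.xwiki.cache.infinispan.internal.InfinispanCache)

"http-nio-8080-exec-3" #55 daemon prio=5 tid=0x03 nid=0x3 waiting for monitor entry [0x03]
   java.lang.Thread.State: BLOCKED (on object monitor)
    at org.xwiki.contrib.ldap.XWikiLDAPUtils.getGroupMembers(XWikiLDAPUtils.java:828)
    - waiting to lock <0x00000000929505d8> (a org.xwiki.cache.infinispan.internal.InfinispanCache)
'''

HEADER = re.compile(r'^"(.+?)"?\s+(?:#\d+\s|os_prio=)')  # closing quote may be lost when pasted
WAITING = re.compile(r'- waiting to lock <(0x[0-9a-f]+)> \(a ([\w.$]+)\)')
LOCKED = re.compile(r'- locked <(0x[0-9a-f]+)>')
FRAME = re.compile(r'^\s*at ([\w.$<>]+)\(', re.M)

def lock_contention(dump):
    """Group BLOCKED threads by the monitor they wait for and name its owner."""
    threads = []
    for line in dump.splitlines():
        header = HEADER.match(line)
        if header:
            threads.append({"name": header.group(1), "text": ""})
        elif threads:
            threads[-1]["text"] += line + "\n"
    waiters = defaultdict(list)
    for t in threads:
        wait = WAITING.search(t["text"])
        if wait and "State: BLOCKED" in t["text"]:
            waiters[wait.groups()].append(t["name"])
    report = []
    for (addr, cls), names in waiters.items():
        owner = next((t for t in threads if addr in LOCKED.findall(t["text"])), None)
        frame = FRAME.search(owner["text"]) if owner else None
        report.append({"monitor": addr, "type": cls, "waiters": names,
                       "owner": owner["name"] if owner else None,
                       "owner_frame": frame.group(1) if frame else None})
    return sorted(report, key=lambda r: len(r["waiters"]), reverse=True)
```

Run over a full dump, the first entry is the monitor with the most waiting request threads; its owner's top frame shows what that thread was doing while every other login queued behind it.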