This issue has been created
 
 
LDAP / LDAP-149 Open

Members as "contact" object - BLOCKED thread


Issue created

 
Mario created this issue on 18/Oct/24 10:17
 
Summary: Members as "contact" object - BLOCKED thread
Issue Type: Bug
Affects Versions: 9.15.3, 9.15.5
Assignee: Unassigned
Attachments: jstack_tomcat_20241016_1033.txt
Created: 18/Oct/24 10:17
Priority: Major
Reporter: Mario
Description:

We have configured user authentication and group mapping using LDAP.
The LDAP is configured against a Windows Active Directory.

After adding a new LDAP group in xwiki.authentication.ldap.group_mapping we have a strange behavior of our installation.
After a while, a user login in XWiki is no longer possible.

We have a special case with that group:

In Windows Active Directory, one of the group members is not a regular "user" object, but a "contact" object.
Differences between user and contact objects are explained, for example, on this site: https://techdirectarchive.com/2020/04/09/difference-between-a-contact-and-a-user-object/
We need that contact entry for other purposes besides XWiki; it should be ignored on the XWiki side.

This problem occurs after restarting Tomcat after a while.

We found a log message on our reverse proxy (Apache httpd) ahead of XWiki:

[mpm_winnt:error] [pid 7576:tid 2836] AH00326: Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting

We tried to investigate the problem with a Java stack trace and found a BLOCKED thread, that holds a lock.
It seems this lock blocks all other threads regarding LDAP authentication, leading to exhaustion of available threads to serve requests on the reverse proxy.

As soon as we remove the contact from the group and restart XWiki, the problem is gone.

The complete LDAP config and the jstack evaluation are attached.

Extract from:
LDAP mapping:

[...]
XWiki.testGroup=CN=testGroup,OU=_Security,OU=_Groups,DC=xx-xxxx,DC=com|
[...]

jstack evaluation:

[...]
"http-nio-8080-exec-2 - http://wiki.xx-xxxx.com/xwiki/bin/view/Dashboard/" #54 daemon prio=5 os_prio=0 cpu=203.13ms elapsed=1996.40s tid=0x0000023f7e98d000 nid=0x1fe4 waiting for monitor entry  [0x0000007b01dbc000]
   java.lang.Thread.State: BLOCKED (on object monitor)
	at org.xwiki.contrib.ldap.XWikiLDAPUtils.getGroupMembers(XWikiLDAPUtils.java:828)
	- waiting to lock <0x00000000929505d8> (a org.xwiki.cache.infinispan.internal.InfinispanCache)
	at org.xwiki.contrib.ldap.XWikiLDAPUtils.isInGroup(XWikiLDAPUtils.java:994)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:600)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:373)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:307)
	at com.xpn.xwiki.user.impl.xwiki.MyBasicAuthenticator.authenticate(MyBasicAuthenticator.java:209)
	at com.xpn.xwiki.user.impl.xwiki.MyBasicAuthenticator.checkLogin(MyBasicAuthenticator.java:118)
	at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:132)
	at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:201)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.java:167)
	at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4366)
	at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:238)
	at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:268)
	at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4389)
	at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5775)
	at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:548)
	at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:339)
	at com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:108)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:199)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:122)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.xwiki.wysiwyg.filter.ConversionFilter.doFilter(ConversionFilter.java:61)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:132)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:388)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:936)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
	at java.lang.Thread.run(java.base@11.0.15/Thread.java:829)

   Locked ownable synchronizers:
	- <0x0000000087480c38> (a org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker)
	- <0x000000009ad0a8d8> (a java.util.concurrent.locks.ReentrantLock$NonfairSync)
[...]
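
Added example, not part of the original report and not XWiki or LDAP authenticator code: a small triage script for the kind of thread dump quoted above, which groups BLOCKED threads by the monitor they are waiting to lock and names the thread that holds it. The sample dump is constructed; its thread names, frames and the monitor address are assumptions made for illustration.

```python
import re

THREAD = re.compile(r'^"(.*)" #\d+')
STATE = re.compile(r'java\.lang\.Thread\.State: (\w+)')
WAITING = re.compile(r'- waiting to lock <(0x[0-9a-f]+)>')
LOCKED = re.compile(r'- locked <(0x[0-9a-f]+)>')

# Constructed sample in jstack layout; thread names, frames and address are made up.
SAMPLE_DUMP = '''\
"http-nio-8080-exec-1" #53 daemon prio=5 tid=0x01 nid=0x01 runnable
   java.lang.Thread.State: RUNNABLE
	at example.Constructed.slowCall(Constructed.java:1)
	- locked <0x00000000000000aa> (a org.xwiki.cache.infinispan.internal.InfinispanCache)

"http-nio-8080-exec-2" #54 daemon prio=5 tid=0x02 nid=0x02 waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
	- waiting to lock <0x00000000000000aa> (a org.xwiki.cache.infinispan.internal.InfinispanCache)

"http-nio-8080-exec-3" #55 daemon prio=5 tid=0x03 nid=0x03 waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
	- waiting to lock <0x00000000000000aa> (a org.xwiki.cache.infinispan.internal.InfinispanCache)
'''

def parse_threads(dump):
    """Return one record per thread: name, state, awaited monitor, held monitors."""
    threads = []
    for line in dump.splitlines():
        if (m := THREAD.match(line)):
            threads.append({"name": m.group(1), "state": None, "waiting": None, "locked": set()})
        elif not threads:
            continue  # preamble before the first thread header
        elif (m := STATE.search(line)):
            threads[-1]["state"] = m.group(1)
        elif (m := WAITING.search(line)):
            threads[-1]["waiting"] = m.group(1)
        elif (m := LOCKED.search(line)):
            threads[-1]["locked"].add(m.group(1))
    return threads

def contention(dump):
    """Map each contended monitor address to its holder (None if absent) and waiters."""
    threads = parse_threads(dump)
    holders = {addr: t["name"] for t in threads for addr in t["locked"]}
    report = {}
    for t in threads:
        if t["state"] == "BLOCKED" and t["waiting"]:
            entry = report.setdefault(t["waiting"], {"holder": holders.get(t["waiting"]), "waiters": []})
            entry["waiters"].append(t["name"])
    return report
```

Calling `contention()` on the text of the attached jstack_tomcat_20241016_1033.txt would list, per monitor address, how many request threads are queued behind it; a holder of `None` means no thread in the dump shows that monitor as locked.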