
Problem with performance of LDAP Security Realm in Glassfish V2

6 replies [Last post]
mwengren
Offline
Joined: 2006-08-22

I am working on an application that is deployed to Glassfish V2, JDK 6, that provides authentication via the out-of-the-box com.sun.enterprise.security.auth.realm.ldap.ldapRealm module. It authenticates against an LDAP server over SSL (ldaps). I have configured all the Glassfish authentication realm settings correctly so the authentication is successful (i.e. Directory, BaseDN, JAASContext); SSL certs have been set up properly also. I also configured the 'search-filter' and 'group-search-filter' realm properties according to the LDAP server settings.

The issue that I am having with the application is that a successful authentication results in a delay of typically about 30 seconds before the initial authentication-restricted page is returned to the browser. If I switch the application to use a fileRealm instead, it is only 1-2 seconds. Also, if an incorrect login is submitted to the LDAP realm, the failed authentication message is returned much more quickly (about a second), and the app displays the login failure screen immediately. I am confused as to why there is such a long delay occurring when it appears that the LDAP authentication is not to blame for the slowness (at least a failure is returned quickly). Has anyone experienced similar problems or have any suggestions as to how I can troubleshoot what is going on?

I don't really know where to look beyond changing extra property settings (i.e. 'search-filter' etc.) that I found in a blog post to try to tune my settings. Is there additional documentation beyond the Administrator Guide for how to configure the ldapRealm? It does not really mention the optional property settings that I found online, as far as I have been able to find anyway. Is there something else that could be wrong in my configuration that would cause a delay? As I mentioned, there is no delay when a fileRealm is used instead.

Looking at the highest-level security module logs shows that Glassfish appears to reach the point where it locates the user DN, then pauses before returning successful login.

Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [] into realm: using JAAS module: ldapRealm
Login module initialized: class com.sun.enterprise.security.auth.login.LDAPLoginModule
search: baseDN: filter: uid=
Found user DN:

------ pause ------

LDAP: Group memberships found:
LDAP: login succeeded for:
JAAS login complete.
JAAS authentication committed.

Thanks for any advice!

Micah

kumarjayanti
Offline
Joined: 2003-12-10

Hi,

I just tried a sample which used LDAPRealm and did not notice any such delays. Specifically I tried this: https://www.opends.org/wiki/page/GlassfishApplicationServer

However the one difference is that you are using SSL (ldaps), my sample does not.

Can you check and confirm whether the issue is happening when you do not use SSL?

Thanks.

mwengren
Offline
Joined: 2006-08-22

Hi kumarjayanti,

Thanks for the link. Unfortunately the LDAP server I'm connecting to does not support non-SSL authentication, so I can't test without it. I will follow those steps to set up a non-SSL version for testing on my local machine, and post the results as soon as I've tested it out.

Anyone else had issues with the ldapRealm with SSL?

Thank you.

mwengren
Offline
Joined: 2006-08-22

Hi -

I tested my app against a local install of OpenDS following those steps and also this blog post (to set up an OpenDS with SSL using Glassfish keystore file) http://javaevangelist.blogspot.com/2008/09/opends-ldap-and-glassfish-con... - thanks for the post, John. It works just fine with an SSL-based OpenDS LDAP realm and with non-SSL OpenDS realm. I do not get the same delay that I had with our enterprise LDAP server.

Since I'm sure that it's not a problem with the enterprise LDAP system and other applications that authenticate against it do not seem to have the same slowness issue, I wonder if there are some other parameters that I can tune in Glassfish that might help. Unfortunately I need to use the enterprise LDAP in favor of a local OpenDS LDAP deployment for this application. Could it have to do with my SSL certificate configuration? I have the LDAP server public certificate configured in cacerts.jks, but with default parameters. Any suggestions on where I need to be looking to fix this are greatly appreciated.

Thank you!

kumarjayanti
Offline
Joined: 2003-12-10

Which version of glassfish are you using?

Just a guess, but you may want to experiment with the pool properties:

com.sun.jndi.ldap.connect.pool : the default value for this is "true" in LDAPRealm, which means pooling is enabled by default.
com.sun.jndi.ldap.connect.pool.protocol : the default value for this is "plain ssl"
com.sun.jndi.ldap.connect.pool.maxsize : the default value for this is "5"

So you may want to see if setting the following properties under your ldap realm will help.

Also, can you try GlassFish from the following link and tell us if there is any improvement? A custom socket factory was added there for ldaps connections.

https://sailfin.dev.java.net/downloads/v1-b60b.html

mwengren
Offline
Joined: 2006-08-22

Hi -

Thanks for the suggestions. The Glassfish version used is V2ur2 (build b04-fcs) with JDK6.

I tried setting the pool-size property, but it did not seem to have an effect. I also tried changing the com.sun.jndi.ldap.connect.pool.protocol, maxsize, prefsize, and initsize JVM options as mentioned, but it did not seem to have any effect on the duration of my LDAP authentications.

I haven't yet tried the Glassfish at that link, but I will give that a shot today if I can get to it.

Is there good documentation available for this anywhere? It would be nice to have something to refer to.

Thanks for your help,
Micah

mwengren
Offline
Joined: 2006-08-22

Hi -

Running my app on the Sailfin Glassfish version did not seem to help either. I used the following JVM options in the server configuration for both my original Glassfish server that the app was deployed on and the Sailfin deployment:

-Dcom.sun.jndi.ldap.connect.pool.initsize=5
-Dcom.sun.jndi.ldap.connect.pool.prefsize=5
-Dcom.sun.jndi.ldap.connect.pool.maxsize=10
-Dcom.sun.jndi.ldap.connect.pool.protocol="ssl"

Unfortunately, there seems to be no change in the slowness that I'm seeing, and since testing with a local installation of OpenDS using SSL did not have any similar issues, I'm going to assume that it must be related to our enterprise LDAP server. I seem to be out of options for tuning/debugging in Glassfish, so I guess I'll live with the performance issues unless I find anything else related to the enterprise LDAP that might help.

Thanks.

Micah
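The log in the opening post shows the pause between "Found user DN" and "Group memberships found", and the later replies tune the com.sun.jndi.ldap.connect.pool.* properties without seeing a change. The following stand-alone diagnostic is an added example (not GlassFish code and not written by anyone in this thread): it walks the same three phases the realm log shows, connecting over ldaps, searching for the user DN, binding as that DN and then running the group search, and prints the wall-clock time of each phase so the slow step can be isolated outside the application server. The server URL, base DNs, filters and attribute names are placeholders that must be replaced with your own directory's values; the pool settings are the same system-property keys quoted in the thread.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Times each phase of an LDAP-realm style login: user search, user bind, group search. */
public class LdapRealmTiming {

    // Placeholder connection values (hypothetical); replace with your directory's settings.
    static final String URL = "ldaps://ldap.example.com:636";
    static final String BASE_DN = "ou=people,dc=example,dc=com";
    static final String SEARCH_FILTER = "uid={0}";            // shape of the realm's search-filter
    static final String GROUP_BASE_DN = "ou=groups,dc=example,dc=com";
    static final String GROUP_SEARCH_FILTER = "uniquemember={0}"; // shape of group-search-filter
    static final String GROUP_NAME_ATTR = "cn";

    /** JNDI environment for one connection; principal == null means an anonymous search bind. */
    static Hashtable<String, String> env(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("com.sun.jndi.ldap.connect.pool", "true");
        // Hard timeouts: a hang then surfaces as an exception instead of a silent pause.
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "15000");
        if (principal != null) {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "none");
        }
        return env;
    }

    static long elapsedMs(long startNanos) {
        return (System.nanoTime() - startNanos) / 1000000L;
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 2) {
            System.err.println("usage: java LdapRealmTiming <uid> <password>");
            System.exit(2);
        }
        String uid = args[0], password = args[1];

        // Pool tuning is JVM-wide only; these are the same keys used as -D options in the thread.
        System.setProperty("com.sun.jndi.ldap.connect.pool.protocol", "plain ssl");
        System.setProperty("com.sun.jndi.ldap.connect.pool.maxsize", "10");
        System.setProperty("com.sun.jndi.ldap.connect.pool.debug", "fine"); // pool activity on stderr

        // Phase 1: search-bind connection (includes the TLS handshake) and user DN lookup.
        long t = System.nanoTime();
        DirContext searchCtx = new InitialDirContext(env(null, null));
        SearchControls userSc = new SearchControls();
        userSc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        userSc.setReturningAttributes(new String[0]); // only the DN is needed
        NamingEnumeration<SearchResult> users =
                searchCtx.search(BASE_DN, SEARCH_FILTER, new Object[]{uid}, userSc);
        if (!users.hasMore()) {
            System.err.println("no entry matched " + SEARCH_FILTER + " for " + uid);
            System.exit(1);
        }
        String userDn = users.next().getNameInNamespace();
        System.out.printf("connect + user search : %6d ms (%s)%n", elapsedMs(t), userDn);

        // Phase 2: bind as the found DN on a fresh connection, exactly what a login does.
        t = System.nanoTime();
        DirContext userCtx = new InitialDirContext(env(userDn, password));
        userCtx.close();
        System.out.printf("user bind             : %6d ms%n", elapsedMs(t));

        // Phase 3: group membership search, the step after which the realm log paused.
        t = System.nanoTime();
        SearchControls groupSc = new SearchControls();
        groupSc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        groupSc.setReturningAttributes(new String[]{GROUP_NAME_ATTR});
        List<String> groups = new ArrayList<String>();
        NamingEnumeration<SearchResult> hits =
                searchCtx.search(GROUP_BASE_DN, GROUP_SEARCH_FILTER, new Object[]{userDn}, groupSc);
        while (hits.hasMore()) {
            groups.add(hits.next().getAttributes().get(GROUP_NAME_ATTR).get().toString());
        }
        searchCtx.close();
        System.out.printf("group search          : %6d ms %s%n", elapsedMs(t), groups);
    }
}
```

Run it against the same JDK and trust store the server uses (for example with -Djavax.net.ssl.trustStore pointing at the domain's cacerts.jks) so the TLS handshake is exercised the same way; adding -Djavax.net.debug=ssl:handshake shows whether the handshake itself is slow. Because the filters are passed through JNDI's {0} substitution, the user-supplied uid is escaped rather than concatenated into the filter. If the group-search phase dominates, the thing to look at is that query on the directory side (its base, scope and indexing), which matches where the realm log shows the pause.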