Hi everyone, just in case the "final" solution is of interest: the problem was as usual in the configuration. We did not set the following directive for the LDAP connection pool:

LDAPConnectionPoolTTL #seconds

If the directive is missing, a value of "-1" is implied, meaning "keep connections open for ever". The LDAP server on the other side sets an "idle connection timeout" of 600 seconds. As a result a lookup would fail if it happened 600+ seconds after the first usage of the connection. 600 seconds is exactly the lifetime of the LDAP cache. Given the time of the year, usage of the test/integ/devel environment is minimal and there were no "new" lookups during the cache lifetime, leading to the repeated failures...

Setting LDAPConnectionPoolTTL 60 solved the problem for good.

Happy New Year !!!
Martin

On Fri, Dec 30, 2016 at 12:33 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Martin,
>
> On 12/29/16 3:47 AM, Martin Knoblauch wrote:
> > that is an interesting pointer. We are of course securing the
> > "jkmanager" app. And guess what we are using: LDAP. The funky thing
> > is that it is working most of the time. It fails just after some
> > time. Refreshing the URL cures it again - for some time. What did
> > you do to fix your problem?
>
> I'm glad to see you are on your way to solving your problem.
>
> In my case, it was an expired TLS certificate being used for the
> OpenLDAP process or something similar, so it wasn't anything to do
> with httpd itself. I've also been experimenting with a fall-back for
> LDAP that maybe wouldn't be 100% up-to-date with the LDAP database,
> but at least it wouldn't cause 500 errors.
>
> Good luck,
> -chris

--
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
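
The failure pattern described in this thread, replayed in a simplified Python model. This is an added example, not code from the thread or from mod_ldap. The class, function and event lists are constructed assumptions, and a lookup on a connection the server has already closed is treated as a failed request, as the post reports.

```python
# Simplified model, not mod_ldap source. Values are the ones given in the post.
SERVER_IDLE_TIMEOUT = 600  # LDAP server drops connections idle this long (s)
CACHE_TTL = 600            # lifetime of a cached LDAP result (s)


class PooledLdap:
    def __init__(self, pool_ttl):
        self.pool_ttl = pool_ttl    # LDAPConnectionPoolTTL; negative = keep forever
        self.last_used = None       # when the pooled connection was last used
        self.cache = {}             # user -> time the cached entry expires

    def request(self, now, user):
        """Return 'cache', 'ok' or 'fail' for one authenticated request."""
        if self.cache.get(user, 0) > now:
            return "cache"          # answered locally, connection stays idle
        if self.last_used is not None:
            idle = now - self.last_used
            if 0 <= self.pool_ttl <= idle:
                self.last_used = None   # pool discards the aged connection
            elif idle >= SERVER_IDLE_TIMEOUT:
                self.last_used = None   # server closed it already: lookup fails
                return "fail"
        self.last_used = now            # reused or freshly opened connection
        self.cache[user] = now + CACHE_TTL
        return "ok"


def run(pool_ttl, events):
    """Replay constructed (time, user) events and collect the outcomes."""
    model = PooledLdap(pool_ttl)
    return [model.request(t, user) for t, user in events]


# Constructed traffic: one user on a quiet system, three users on a busy one.
QUIET = [(0, "a"), (300, "a"), (700, "a"), (701, "a"), (1400, "a"), (1401, "a")]
BUSY = [(0, "a"), (200, "b"), (400, "c"), (600, "a"), (800, "b")]

if __name__ == "__main__":
    print("quiet, TTL -1:", run(-1, QUIET))
    print("quiet, TTL 60:", run(60, QUIET))
    print("busy,  TTL -1:", run(-1, BUSY))
```

In the quiet run with the implied -1, every lookup that follows a cache expiry fails and the immediate retry succeeds, which matches the "refreshing the URL cures it" symptom. Any pool TTL below the server's idle timeout removes the failures.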