Hippo CMS / CMS-15724

LDAP sync removes users from JCR if communication with LDAP server breaks during sync process


Details

    • Flagged
    • Orion
    • Orion.Cycle8.Sprint
    • Medium
    • Medium (3-5)

    Description

      The customer synchronizes users with LDAP every 6 hours. During this scheduled sync, users are added to the JCR and mapped to their JCR-internal user group. Users that are no longer present in LDAP are removed from the JCR as well. According to the customer, this is the standard behaviour of the LDAP connector.

      The customer has now observed that all users of a specific security provider are wiped from the JCR if the communication with the LDAP server breaks during the sync process. This broke SSO for all affected users (about 4.500!).
      The code seems to assume that no users have been retrieved and therefore deletes all users in the JCR that belong to this security provider.
      The customer considers this to be incorrect error handling for this case. After a communication failure, no actions should be performed on the presumably incomplete result set, and in particular no users should be deleted merely because they are missing from that incomplete result set.

      05.12.2023 06:30:00 [Hippo JCR Quartz Job Scheduler_Worker-1] ERROR [org.hippoecm.repository.security.ldap.LdapUserManager.updateUsers():271] Error while trying fetching users for provider ldap-agency:
      Unsynchronized users may be removed.
      javax.naming.CommunicationException: ldap-p:636
          at com.sun.jndi.ldap.Connection.<init>(Connection.java:252) ~[?:?]
          at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:?]
          at com.sun.jndi.ldap.LdapClientFactory.createPooledConnection(LdapClientFactory.java:71) ~[?:?]
          at com.sun.jndi.ldap.pool.Connections.createConnection(Connections.java:185) ~[?:?]
          at com.sun.jndi.ldap.pool.Pool.getOrCreatePooledConnection(Pool.java:195) ~[?:?]
          at com.sun.jndi.ldap.pool.Pool.getPooledConnection(Pool.java:148) ~[?:?]
          at com.sun.jndi.ldap.LdapPoolManager.getLdapClient(LdapPoolManager.java:340) ~[?:?]
          at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1608) ~[?:?]
          at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2847) ~[?:?]
          at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348) ~[?:?]
          at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:262) ~[?:?]
          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:226) ~[?:?]
          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:280) ~[?:?]
          at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:185) ~[?:?]
          at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:115) ~[?:?]
          at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730) ~[?:?]
          at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) ~[?:?]
          at javax.naming.InitialContext.init(InitialContext.java:236) ~[?:?]
          at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[?:?]
          at org.hippoecm.repository.security.ldap.LdapContextFactory.getLdapContext(LdapContextFactory.java:271) ~[hippo-addon-ldap-15.2.2.jar:15.2.2]
          at org.hippoecm.repository.security.ldap.LdapContextFactory.getSystemLdapContext(LdapContextFactory.java:225) ~[hippo-addon-ldap-15.2.2.jar:15.2.2]
          at org.hippoecm.repository.security.ldap.LdapUserManager.updateUsers(LdapUserManager.java:259) [hippo-addon-ldap-15.2.2.jar:15.2.2]
          at org.hippoecm.repository.security.ldap.LdapSecurityProvider$SyncJob.execute(LdapSecurityProvider.java:317) [hippo-addon-ldap-15.2.2.jar:15.2.2]
          at org.hippoecm.repository.quartz.RepositoryJobJob.execute(RepositoryJobJob.java:50) [hippo-repository-engine-15.2.2.jar:15.2.2]
          at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.2.jar:?]
          at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.2.jar:?]
      Caused by: java.net.SocketException: Die Verbindung wurde vom Kommunikationspartner zurückgesetzt (Write failed)
          at java.net.SocketOutputStream.socketWrite0(Native Method) ~[?:?]
          at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110) ~[?:?]
          at java.net.SocketOutputStream.write(SocketOutputStream.java:150) ~[?:?]
          at sun.security.ssl.SSLSocketOutputRecord.flush(SSLSocketOutputRecord.java:271) ~[?:?]
          at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:89) ~[?:?]
          at sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:647) ~[?:?]
          at sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:525) ~[?:?]
          at sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:112) ~[?:?]
          at sun.security.ssl.TransportContext.kickstart(TransportContext.java:233) ~[?:?]
          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:449) ~[?:?]
          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427) ~[?:?]
          at com.sun.jndi.ldap.Connection.createSocket(Connection.java:364) ~[?:?]
          at com.sun.jndi.ldap.Connection.<init>(Connection.java:231) ~[?:?]
          ... 25 more
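      As an added illustration (not the hippo-addon-ldap code), the handling the report asks for: the JCR-side deletions run only when the LDAP fetch completed, so a failed fetch is never mistaken for "no users exist". It also goes one step beyond the report with a hypothetical mass-deletion threshold that stops a silently truncated result set from wiping a provider; DirectorySource, UserStore and MAX_DELETE_FRACTION are assumed names.

```java
import java.util.HashSet;
import java.util.Set;
import javax.naming.NamingException;

// Hypothetical sketch of a safe sync step; not the project's LdapUserManager.
public class SafeLdapSync {

    /** Fetches the current user IDs from LDAP; throws (e.g. CommunicationException) on failure. */
    interface DirectorySource {
        Set<String> fetchUserIds() throws NamingException;
    }

    /** The JCR side: users that belong to one security provider, and deletion. */
    interface UserStore {
        Set<String> userIdsForProvider(String provider);
        void delete(String userId);
    }

    /** Refuse to delete more than this fraction of a provider's users in a single run (assumed value). */
    static final double MAX_DELETE_FRACTION = 0.25;

    /**
     * Returns the IDs that were deleted. A directory failure aborts the whole
     * reconciliation, so an empty or partial result never triggers deletions.
     */
    static Set<String> reconcile(DirectorySource ldap, UserStore jcr, String provider) {
        Set<String> live;
        try {
            live = ldap.fetchUserIds();
        } catch (NamingException e) {
            // Communication broke: do nothing; the next scheduled run retries.
            System.err.println("LDAP fetch failed for " + provider + ", sync skipped: " + e);
            return Set.of();
        }
        Set<String> existing = jcr.userIdsForProvider(provider);
        Set<String> stale = new HashSet<>(existing);
        stale.removeAll(live);
        if (!existing.isEmpty() && (double) stale.size() / existing.size() > MAX_DELETE_FRACTION) {
            // Second line of defence: a mass removal is far more likely a bad fetch than a real offboarding.
            System.err.println("Refusing to delete " + stale.size() + " of " + existing.size()
                    + " users for " + provider + "; manual review required");
            return Set.of();
        }
        for (String id : stale) {
            jcr.delete(id);
        }
        return stale;
    }
}
```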

          People

            ekarakus Erdem Karakus
            rsailada Rajesh Sailada