  1. OpenAM
  2. OPENAM-10116

Search timeout for LDAP filter condition should be in seconds

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 13.5.0
    • Fix Version/s: None
    • Component/s: policy

      Description

      In OpenAM 13.5.0, the search connection timeout period for the LDAP filter condition is in milliseconds, but its help text says "In seconds". This can cause a connection error when using an LDAP filter condition with the default settings.

      Steps to reproduce:
      1. Set up OpenAM 13.5.0 and Web agent 4.0.0 to protect an application.
      2. Create a policy including an LDAP filter condition.
      3. Access the application as the demo user.
      -> The following error is recorded in debug/Entitlement:

      Entitlement:11/28/2016 12:44:10:476 AM JST: Thread[http-bio-28080-exec-7,5,main]: TransactionId[67dd3cca-fe73-43f0-bef3-fac6e2d31ee7-1058]
      ERROR: OpenSSOPrivilege.evaluate
      com.sun.identity.entitlement.EntitlementException: Condition evaluation fails.
              at org.forgerock.openam.entitlement.conditions.environment.LDAPFilterCondition.evaluate(LDAPFilterCondition.java:94)
              at org.forgerock.openam.entitlement.CachingEntitlementCondition.evaluate(CachingEntitlementCondition.java:119)
              at com.sun.identity.entitlement.Privilege.doesConditionMatch(Privilege.java:695)
              at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.internalEvaluate(OpenSSOPrivilege.java:150)
              at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.access$000(OpenSSOPrivilege.java:63)
              at com.sun.identity.entitlement.opensso.OpenSSOPrivilege$1.run(OpenSSOPrivilege.java:105)
              at com.sun.identity.entitlement.opensso.OpenSSOPrivilege$1.run(OpenSSOPrivilege.java:99)
              at com.sun.identity.session.util.RestrictedTokenContext.doUsing(RestrictedTokenContext.java:81)
              at com.sun.identity.entitlement.opensso.OpenSSOPrivilege.evaluate(OpenSSOPrivilege.java:98)
              at com.sun.identity.entitlement.PrivilegeEvaluator$PrivilegeTask.run(PrivilegeEvaluator.java:423)
              at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:337)
              at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:250)
              at com.sun.identity.entitlement.Evaluator.evaluate(Evaluator.java:219)
              at com.sun.identity.policy.PolicyEvaluator.getResourceResults(PolicyEvaluator.java:1367)
              at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyRequest(PolicyRequestHandler.java:443)
              at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyServiceRequest(PolicyRequestHandler.java:246)
              at com.sun.identity.policy.remote.PolicyRequestHandler.processRequest(PolicyRequestHandler.java:200)
              at com.sun.identity.policy.remote.PolicyRequestHandler.process(PolicyRequestHandler.java:137)
              at com.iplanet.services.comm.server.PLLRequestServlet.handleRequest(PLLRequestServlet.java:202)
              at com.iplanet.services.comm.server.PLLRequestServlet.doPost(PLLRequestServlet.java:140)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
              at com.googlecode.psiprobe.Tomcat70AgentValve.invoke(Tomcat70AgentValve.java:44)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
              at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
              at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
              at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
              at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.lang.Thread.run(Thread.java:745)
      Caused by: com.sun.identity.policy.PolicyException: Connect Error: The connection attempt to server /172.105.126.222:50389 has failed because the connection timeout period of 5 ms was exceeded: The connection attempt to server /172.105.126.222:50389 has failed because the connection timeout period of 5 ms was exceeded
              at com.sun.identity.policy.plugins.LDAPFilterCondition.searchFilterSatisfied(LDAPFilterCondition.java:457)
              at com.sun.identity.policy.plugins.LDAPFilterCondition.isMember(LDAPFilterCondition.java:376)
              at com.sun.identity.policy.plugins.LDAPFilterCondition.getConditionDecision(LDAPFilterCondition.java:267)
              at org.forgerock.openam.entitlement.conditions.environment.LDAPFilterCondition.evaluate(LDAPFilterCondition.java:91)
              ... 51 more
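
      A triage check for the failure described in this report, added here as an example and not part of the original issue or of OpenAM's code: it scans debug/Entitlement records for failed condition evaluations whose cause is a very short LDAP connect timeout. The sample records are constructed in the report's format, 192.0.2.10 is a placeholder address, and the one-second threshold and all function names are assumptions.

```python
import re
from collections import Counter

# Message format copied from the "Caused by" line of the report.
TIMEOUT_RE = re.compile(
    r"connection attempt to server /?(?P<server>\S+) has failed because "
    r"the connection timeout period of (?P<ms>\d+) ms was exceeded")
# First line of a debug record: "Entitlement:11/28/2016 12:44:10:476 AM JST: ..."
HEADER_RE = re.compile(r"^\s*\w+:\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M \S+: ")
# Assumption: a connect timeout below one second is a seconds value used as ms.
SUSPECT_BELOW_MS = 1000

def split_records(text):
    """Group debug-log lines into records (header line plus its stack trace)."""
    records = []
    for line in text.splitlines():
        if HEADER_RE.match(line) or not records:
            records.append([])
        records[-1].append(line)
    return records

def find_short_timeouts(text, threshold_ms=SUSPECT_BELOW_MS):
    """Return {(server, timeout_ms): count} for failed condition evaluations
    whose cause is an LDAP connect timeout shorter than threshold_ms."""
    hits = Counter()
    for record in split_records(text):
        if not any("Condition evaluation fails" in line for line in record):
            continue
        # The message appears twice on the "Caused by" line; search() returns
        # the first match only, so each record is counted once.
        match = TIMEOUT_RE.search("\n".join(record))
        if match and int(match["ms"]) < threshold_ms:
            hits[(match["server"], int(match["ms"]))] += 1
    return dict(hits)

def sample_record(clock, timeout_ms):
    """Constructed record in the report's format; 192.0.2.10 is a placeholder."""
    cause = ("The connection attempt to server /192.0.2.10:50389 has failed because "
             f"the connection timeout period of {timeout_ms} ms was exceeded")
    return "\n".join([
        f"Entitlement:11/28/2016 {clock} AM JST: Thread[main]: TransactionId[constructed]",
        "ERROR: OpenSSOPrivilege.evaluate",
        "com.sun.identity.entitlement.EntitlementException: Condition evaluation fails.",
        f"Caused by: com.sun.identity.policy.PolicyException: Connect Error: {cause}: {cause}",
    ])

# Two records with a 5 ms timeout and one with 5000 ms (all constructed).
SAMPLE_LOG = "\n".join([sample_record("12:44:10:476", 5), sample_record("12:44:12:031", 5),
                        sample_record("12:45:01:900", 5000)])
```

      Calling `find_short_timeouts(SAMPLE_LOG)` reports the two 5 ms records and leaves the 5000 ms record out.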
      


              People

              • Assignee:
                kohei kohei
                Reporter:
                kohei kohei