0 Replies Latest reply on Jan 26, 2010 8:37 AM by David Partain

    Aborted LDAP authentication queries

    David Partain Newbie

      Hi all,


      My apologies if this is answered somewhere that I simply having found.  Believe me, I've tried :-)


      I run an application (CollabNet's TeamForge) that uses jboss as its heart and soul.  It's currently running 3.2.6 (I believe).  This is working well, but with one major issue that I just can't track down.


      When users log in, they are authenticated using our central LDAP-based server (actually Active Directory).  The configuration I use is (in my login-config.xml):


      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient" >
         <module-option name="java.naming.security.protocol">ssl</module-option>
         <module-option name="allowEmptyPasswords">false</module-option>
         <module-option name="principalDNPrefix">uid=</module-option>
         <module-option name="principalDNSuffix">(deleted)</module-option>
         <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
         <module-option name="java.naming.provider.url">ldap://our.active.directory:636/</module-option>
         <module-option name="java.naming.security.authentication">simple</module-option>


      The issue is that we're getting very very many aborted connection.  In my logs, it simply says:


      2010-Jan-26 13:48:58 TRACE [LdapLoginModule] abort


      and on the Active Directory side, they're seeing something like:


      DISCONNECT - INFO  - conn=4976802 reason="other" msg="Exception caught while polling client connection

      LDAPS.our.ip.add.ress.37531 -- java.io.IOException: Received CLOSED during initial handshaking"


      If there were only a few, I wouldn't believe that there was something generic wrong, but in this case, there are sometimes over a million or two in a 24-hour period.  Note that users are also successfully authenticating, so it doesn't always fail.


      I'm wondering if it might be because the LDAP client (jboss) is trying to speak SSLv2 and the other rejects that?  Has anyone seen anything like this?


      Any ideas would be very much appreciated.