7 Replies Latest reply on Sep 17, 2014 5:47 AM by Thomas Segismont

    Too many login requests triggered by RHQ when JBoss AS management realm is configured with LDAP

    Maciej Swiderski Master

      Hi,

       

      we have bunch of JBoss AS (EAP 6.2) in the infrastructure where we configured management realm to be based on LDAP authentication. We created dedicated monitoring user in LDAP and configured it in RHQ. All works well but there are lots of complains from LDAP team that our infrastructure is issuing huge amount o login requests on LDAP side - around 14000 per hour. I tried to look for some caching options on AS side but found only for security domains and not security realms. And to my knowledge RHQ uses http management interface and not native, is that correct?

       

      Main question here is - can that be somehow resolved? Applying any cache on AS side or reconfiguring security realm to allow authentication of both LDAP and local users?

       

      All input more than welcome

       

      Thanks

      Maciej

        • 1. Re: Too many login requests triggered by RHQ when JBoss AS management realm is configured with LDAP
          Thomas Segismont Expert

          Hi Maciej,

           

          By default, RHQ expires stale HTTP management connections after 5 seconds. Did you try to increase the Management Connection Timeout property (Inventory > Connection Settings tab)?

           

          I don't know if EAP can cache LDAP authentication request, but I'm almost sure you can configure multiple sources of authentication for a same realm:

          • RHQ technical user -> in a properties file
          • Real humans accounts -> in LDAP

           

          Regards,

          Thomas

          1 of 1 people found this helpful
          • 2. Re: Too many login requests triggered by RHQ when JBoss AS management realm is configured with LDAP
            Maciej Swiderski Master

            Thanks Thomas for useful tips. What would be a safe value for Management Connection Timeout? Would like 5 or 10 min be ok? Asking mainly about potential side effects of such change. Would RHQ drop broken connection for example in case application server connection is for has shutdown.

             

            If you have any references for configuring multiple sources of authentication for the same realm I would be more than happy. I was looking for it and looks like it can be configured only one. When trying to change it by adding another <authentication> tag into management realm it app server boot failed with message that only one authentication mechanism can be selected.

             

            Thanks

            Maciej

            • 3. Re: Re: Too many login requests triggered by RHQ when JBoss AS management realm is configured with LDAP
              Thomas Segismont Expert

              Thanks Thomas for useful tips. What would be a safe value for Management Connection Timeout? Would like 5 or 10 min be ok? Asking mainly about potential side effects of such change. Would RHQ drop broken connection for example in case application server connection is for has shutdown.

               

              You're welcome. It's hard to say what a perfect value is, it all depends on the number and frequency of your measurement schedules, the number of recurring operations you run, ... etc. As always with tuning, try something and measure impact on your LDAP server. You could start with 5 minutes, yes.

               

              If you have any references for configuring multiple sources of authentication for the same realm I would be more than happy. I was looking for it and looks like it can be configured only one. When trying to change it by adding another <authentication> tag into management realm it app server boot failed with message that only one authentication mechanism can be selected.

               

              You can't add multiple authentication nodes, but I think you can add different sources inside a single one. Like:

               

              <security-realm name="ManagementRealm">
                  <authentication>
                      <local default-user="$local" allowed-users="*"/>
                      <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                      <ldap>
                        <!-- LDAP CONFIG HERE -->
                      </ldap>
                  </authentication>
              </security-realm>
              
              
              

               

              See Security Realms - JBoss AS 7.1 - Project Documentation Editor

              • 4. Re: Re: Re: Too many login requests triggered by RHQ when JBoss AS management realm is configured with LDAP
                Maciej Swiderski Master

                I already tried to add another config into same authentication tab but this results with error on parsing time:

                10:22:27,744 ERROR [org.jboss.as.server] (Controller Boot Thread) JBAS015956: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration
                        at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at org.jboss.as.server.ServerService.boot(ServerService.java:324) [jboss-as-server-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
                Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[52,21]
                Message: JBAS014789: Unexpected element '{urn:jboss:domain:1.5}ldap' encountered
                        at org.jboss.as.controller.parsing.ParseUtils.unexpectedElement(ParseUtils.java:86) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at org.jboss.as.domain.management.parsing.ManagementXml.parseAuthentication_1_3(ManagementXml.java:992) [jboss-as-domain-management-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at org.jboss.as.domain.management.parsing.ManagementXml.parseSecurityRealm_1_3(ManagementXml.java:641) [jboss-as-domain-management-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at org.jboss.as.domain.management.parsing.ManagementXml.parseSecurityRealms(ManagementXml.java:537) [jboss-as-domain-management-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at org.jboss.as.domain.management.parsing.ManagementXml.access$000(ManagementXml.java:154) [jboss-as-domain-management-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at org.jboss.as.domain.management.parsing.ManagementXml$Delegate.parseSecurityRealms(ManagementXml.java:169) [jboss-as-domain-management-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at org.jboss.as.domain.management.parsing.ManagementXml.parseManagement_1_5(ManagementXml.java:347) [jboss-as-domain-management-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at org.jboss.as.domain.management.parsing.ManagementXml.parseManagement(ManagementXml.java:282) [jboss-as-domain-management-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:453) [jboss-as-server-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:145) [jboss-as-server-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:107) [jboss-as-server-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
                        at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final-redhat-2.jar:1.1.0.Final-redhat-2]
                        at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
                        ... 3 more
                
                10:22:27,791 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous
                 messages for details.
                

                so it does not seem to be a valid configuration - unfortunately.

                 

                In meantime I'll play with different values for the timeout and see if that gets improved on LDAP side.

                 

                Cheers

                Maciej

                • 5. Re: Re: Re: Re: Too many login requests triggered by RHQ when JBoss AS management realm is configured with LDAP
                  Thomas Segismont Expert

                  Can you paste the relevant portion of your config?

                   

                  Here's what's in EAP_HOME/docs/schema/jboss-as-config_1_4.xsd:

                   

                  <xs:complexType name="authenticationType">
                      <xs:annotation>
                          <xs:documentation>
                              Configuration of the server side authentication mechanisms.
                  
                              Optionally one truststore can be defined and one username/password based store can be defined.
                              Authentication will first attempt to use the truststore and if this is not available will fall back
                              to the username/password authentication.
                  
                              If none of these are specified the only available mechanism will be the local mechanism for the
                              Native interface and the HTTP interface will not be accessible.
                          </xs:documentation>
                      </xs:annotation>
                      <xs:sequence>
                          <xs:element name="truststore" type="keyStoreType" minOccurs="0">
                              <xs:annotation>
                                  <xs:documentation>
                                      Configuration of a keystore to use to create a trust manager to verify clients.
                                  </xs:documentation>
                              </xs:annotation>
                          </xs:element>
                          <xs:element name="local" type="localType" minOccurs="0">
                              <xs:annotation>
                                  <xs:documentation>
                                      Configuration to enable the local authentication mechanism, if this element
                                      is ommitted then local authentication will be disabled.
                                  </xs:documentation>
                              </xs:annotation>
                          </xs:element>
                          <xs:choice minOccurs="0">
                              <xs:element name="jaas" type="jaasAuthenticationType" minOccurs="0" />
                              <xs:element name="ldap" type="ldapAuthenticationType" minOccurs="0" />
                              <xs:element name="properties" type="propertiesAuthenticationType" minOccurs="0" />
                              <xs:element name="users" type="usersAuthenticationType" minOccurs="0" />
                              <xs:element name="plug-in" type="plug-inAuthType" minOccurs="0" />
                          </xs:choice>
                      </xs:sequence>
                  </xs:complexType>
                  
                  
                  

                   

                  As I understand it, it's valid to add an ldapAuthenticationType after a propertiesAuthenticationType.

                  • 6. Re: Re: Re: Re: Too many login requests triggered by RHQ when JBoss AS management realm is configured with LDAP
                    Maciej Swiderski Master

                    Thomas,

                     

                    isn't the xdd:choice means that only one if its elements can be present at the same time?

                     

                    When it comes to the security realm configuration, I copied what you have provided before an just added ldap config.

                     

                    Cheers

                    Maciej

                    • 7. Re: Re: Re: Re: Too many login requests triggered by RHQ when JBoss AS management realm is configured with LDAP
                      Thomas Segismont Expert

                      isn't the xdd:choice means that only one if its elements can be present at the same time?

                       

                      Oh right. Apologies. So you have no choice, only one source at a time. I stand corrected.