By: Jesse W user 08 Jun 2016 at 1:20 p.m. CDT

6 Responses
Hello,

I'm a new adopter looking to roll Gluu out to my company, but my instance has started exhibiting some troubling bugs. Logins (binding against ActiveDirectory) will somewhat randomly hang - sometimes they'll go through, but if there are concurrent attempts, users get stuck with "invalid credentials." This error persists across multiple browsers. Digging into the logs, it looks like the LDAP bind is dropping, and then waiting a fixed period before timing out, blocking other connections along the way. I've included a snippet from **oxauth.log** during a period where I was able to successfully reproduce the issue on my own.

Here are a few additional details:

- Machine RAM: 6gb (4gb for the main tomcat wrapper)
- Two cores
- LDAP Max Connections: auth and cache refresh each 1000.

I've tried tuning the LDAP caching as noted in the documentation, as well. We were rolling SSO for a couple services in production when this issue struck, so any help is greatly appreciated.

Thanks,
Jesse

By Mohib Zico staff 08 Jun 2016 at 1:56 p.m. CDT

Jesse, are you using a load balancer in front of your AD? Do you have multiple ADs in the pool?

By Jesse W user 08 Jun 2016 at 2:12 p.m. CDT

Hi Mohib, We have 300 users across three locations, with a dedicated Windows Server 2008r2 domain controller in each location. The domain controller being queried shows no signs of stress - no high cpu usage or RAM. We aren't using a load balancer due to the light load on the DC being targeted.

By Mohib Zico staff 08 Jun 2016 at 2:32 p.m. CDT

Ok. I think you should check the log of AD for any kind of potential reason.

By Jesse W user 08 Jun 2016 at 3:31 p.m. CDT

Hmm.. we checked them earlier, when we saw that it was related to the bind, and didn't see anything out of the ordinary. [Here they are, if you'd like to take a look.](https://gist.githubusercontent.com/jaawerth/819cb41774d043e928a7107b12f0e697/raw/b7d858924ba13ecbbf76ab28a3e6eb01aeaef978/adlog.csv) In the meantime, I'm going to see if I can whip up a load test with it pointed to an alternate AD, just to be sure. Thanks!

By Jesse W user 09 Jun 2016 at 7:57 p.m. CDT

So, we went ahead and tested it with another AD endpoint (and the original as a failover) - unfortunately, we hit the same issue, with the same behavior coming from the logs. It seems to be happening under a fairly light load, as well - just a few people. Any other thoughts?

Thanks,
Jesse

By Mohib Zico staff 10 Jun 2016 at 12:14 a.m. CDT

I know there might be one issue in 2.4.2; at least we faced one for one of our customers, but they were using a load balancer and a series of CA-signed certs in their backend, which was creating issues with the 'Trust All' level. It's fixed in 2.4.3. You can give that a shot.