From 1ad8b3c05987a15309014c8d4b56a0b5af5b759d Mon Sep 17 00:00:00 2001
From: Justin Bertram
Date: Wed, 8 Jan 2020 10:45:18 -0600
Subject: [PATCH] ARTEMIS-2590 support com.sun.jndi.ldap.read.timeout in LDAPLoginModule
---
 .../core/security/jaas/LDAPLoginModule.java | 7 +++-
 docs/user-manual/en/security.md | 33 ++++++++++++++++---
 2 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
index ed9b8bad76..ce7f125861 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
@@ -89,6 +89,7 @@ public class LDAPLoginModule implements LoginModule {
 private static final String PASSWORD_CODEC = "passwordCodec";
 private static final String CONNECTION_POOL = "connectionPool";
 private static final String CONNECTION_TIMEOUT = "connectionTimeout";
+ private static final String READ_TIMEOUT = "readTimeout";
 protected DirContext context;
@@ -135,7 +136,8 @@ public class LDAPLoginModule implements LoginModule {
 new LDAPLoginProperty(REFERRAL, (String) options.get(REFERRAL)),
 new LDAPLoginProperty(IGNORE_PARTIAL_RESULT_EXCEPTION, (String) options.get(IGNORE_PARTIAL_RESULT_EXCEPTION)),
 new LDAPLoginProperty(CONNECTION_POOL, (String) options.get(CONNECTION_POOL)),
- new LDAPLoginProperty(CONNECTION_TIMEOUT, (String) options.get(CONNECTION_TIMEOUT))};
+ new LDAPLoginProperty(CONNECTION_TIMEOUT, (String) options.get(CONNECTION_TIMEOUT)),
+ new LDAPLoginProperty(READ_TIMEOUT, (String) options.get(READ_TIMEOUT))};
 if (isLoginPropertySet(AUTHENTICATE_USER)) {
 authenticateUser = Boolean.valueOf(getLDAPPropertyValue(AUTHENTICATE_USER));
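Review bot: The `readTimeout` value is stored as a raw string in the `LDAPLoginProperty` array (the element added after `CONNECTION_TIMEOUT` in the `@@ -135,7` hunk) and is never checked to be an integer, which mirrors the existing handling of `connectionTimeout`. If the JNDI provider parses the value with `Integer.parseInt` — the user-manual text in this patch ("string representation of an integer") suggests it does — a mistyped value in `login.config` will surface as an unchecked exception on every authentication attempt rather than once at module initialisation, which is hard to diagnose from a client's point of view. Consider validating once here, e.g. `if (isLoginPropertySet(READ_TIMEOUT)) Integer.parseInt(getLDAPPropertyValue(READ_TIMEOUT));` wrapped to raise a clear configuration error, and doing the same for `connectionTimeout`. The enclosing `initialize()` body starts and ends outside this hunk.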
@@ -640,6 +642,9 @@ public class LDAPLoginModule implements LoginModule {
 if (isLoginPropertySet(CONNECTION_TIMEOUT)) {
 env.put("com.sun.jndi.ldap.connect.timeout", getLDAPPropertyValue(CONNECTION_TIMEOUT));
 }
+ if (isLoginPropertySet(READ_TIMEOUT)) {
+ env.put("com.sun.jndi.ldap.read.timeout", getLDAPPropertyValue(READ_TIMEOUT));
+ }
 // handle LDAP referrals
 // valid values are "throw", "ignore" and "follow"
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index 61d395d8a5..98eb1243e1 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
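Review bot: When `readTimeout` is not configured the new block puts nothing into `env`, so — as the patched user manual itself states — the bind and search issued for each login wait for a response indefinitely; an LDAP server that accepts the TCP connection but never answers can therefore pin every thread that performs JAAS authentication, which, if those are the broker's connection-handling threads (not visible here), is a denial-of-service condition the opt-in flag does not remove on its own. It would be worth calling this out in the security.md entry and logging a warning at initialisation when neither `connectionTimeout` nor `readTimeout` is set, rather than silently keeping the infinite default. A short why-comment above the added `if` would also help the next reader: `// bound the wait for LDAP responses (bind/search); unset keeps the JNDI default of waiting forever`. The method that builds `env` starts and ends outside this hunk, so whether this `put` precedes the `InitialDirContext` construction cannot be confirmed from here.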
@@ -608,12 +608,37 @@ system. It is implemented by for the connection to the directory server. This option must be set explicitly to an empty string, because it has no default value. -- `connectionPool`. boolean, enable the ldap connection pool property - 'com.sun.jndi.ldap.connect.pool'. Note that the pool is [configured at the jvm level with system properties](https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html). +- `connectionPool` - boolean, enable the LDAP connection pool property + 'com.sun.jndi.ldap.connect.pool'. Note that the pool is + [configured at the jvm level with system properties](https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html). +- `connectionTimeout` - specifies the string representation of an integer + representing the connection timeout in milliseconds. If the LDAP provider + cannot establish a connection within that period, it aborts the connection + attempt. The integer should be greater than zero. An integer less than or + equal to zero means to use the network protocol's (i.e., TCP's) timeout + value. -- `connectionTimeout`. String milliseconds, that can time limit a ldap connection - attempt. The default is infinite. + If `connectionTimeout` is not specified, the default is to wait for the + connection to be established or until the underlying network times out. + + When connection pooling has been requested for a connection, this property + also determines the maximum wait time for a connection when all connections + in the pool are in use and the maximum pool size has been reached. If the + value of this property is less than or equal to zero under such + circumstances, the provider will wait indefinitely for a connection to + become available; otherwise, the provider will abort the wait when the + maximum wait time has been exceeded. See `connectionPool` for more details. 
+ +- `readTimeout` - specifies the string representation of an integer representing + the read timeout in milliseconds for LDAP operations. If the LDAP provider + cannot get a LDAP response within that period, it aborts the read attempt. + The integer should be greater than zero. An integer less than or equal to + zero means no read timeout is specified which is equivalent to waiting for + the response infinitely until it is received. + + If `readTimeout` is not specified, the default is to wait for the response + until it is received. - `userBase` - selects a particular subtree of the DIT to search for user entries. The subtree is specified by a DN, which specifes the base node of