Vde LDAP proxy

We are using VDE's LDAP proxy feature, which works great. Although it is nice to have LDAP server failover and load balancing, we still have a single point of failure when using only one LDAP proxy.
Question is: what is the best way to get failover/fault tolerance with the LDAP proxy in case it goes down, preferably online failover/fault tolerance?
J

Just to add this. I understand we can install and configure more than 1 VDE pointing to the same LDAP servers but that would work well only if the LDAP clients can be set up with multiple VDE entries.
Round-robin does not seem to be a very efficient solution in our environment.

Similar Messages

  • LDAP Proxy fails to assign custom connection handler

    Hi,
    I've setup some custom connection handlers, and my proxy server is behaving randomly.
    I mean that sometimes it assigns the new handler sometimes not. This randomness occurs
    if I delete the handler and create it again with the same configuration options.
    I tried restarting the server as well as upgrading to 6.3.1 (Linux/Centos) without any luck.
    Now the server does not assign the high priority custom handler when I connect on the SSL port (1636)
    but it does assign it if I connect on the NON-SSL port (1389).
    This is my configuration:
    dpconf list-connection-handlers -v -p 1636
    anonymous true 5
    domain2.example.com true 3
    default connection handler true 100
    directory services administrators true 1
    domain1.example.com true 1
    schema false 6
    dpconf get-connection-handler-prop domain1.example.com
    aci-source : none
    allowed-auth-methods : simple
    allowed-ldap-ports : ldap
    allowed-ldap-ports : ldaps
    bind-dn-filters : uid=(.*),cn=(.*),ou=People,dc=domain1,dc=example,dc=com
    bind-dn-filters : uid=(.*),ou=(.*),ou=People,dc=subdomain,dc=domain1,dc=example,dc=com
    data-view-routing-custom-list : DOMAIN1
    data-view-routing-policy : custom
    description :
    domain-name-filters : any
    enable-data-view-affinity : false
    ip-address-filters : any
    is-enabled : true
    is-ssl-mandatory : false
    priority : 1
    request-filtering-policy : Read and Modify
    resource-limits-policy : no-limits
    schema-check-enabled : false
    user-filter : any
    ldapsearch -x -b dc=example,dc=com -H ldaps://proxy.example.com:1636 -W -D "uid=user,cn=admin,ou=People,dc=domain1,dc=example,dc=com" '(uid=user)' dn
    [07/Apr/2009:19:44:10 +0300] - CONNECT - INFO - conn=33 client=10.0.0.1:40795 server=proxy.example.com:1636 protocol=LDAPS
    [07/Apr/2009:19:44:10 +0300] - PROFILE - INFO - conn=33 assigned to connection handler cn=default connection handler,cn=connection handlers,cn=config
    [07/Apr/2009:19:44:10 +0300] - OPERATION - INFO - conn=33 op=0 BIND dn="uid=user,cn=admin,ou=People,dc=domain1,dc=example,dc=com" method="SIMPLE" version=3
    [07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=0 BIND dn="uid=user,cn=admin,ou=People,dc=domain1,dc=example,dc=com" method="SIMPLE"" version=3 s_msgid=18 s_conn=dna:1
    [07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=0 BIND RESPONSE err=0 msg="" s_conn=dna:1
    [07/Apr/2009:19:44:10 +0300] - OPERATION - INFO - conn=33 op=0 BIND RESPONSE err=0 msg="" etime=0
    [07/Apr/2009:19:44:10 +0300] - OPERATION - INFO - conn=33 op=1 msgid=2 SEARCH base="dc=example,dc=com" scope=2 filter="(uid=user)" attrs="dn "
    [07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=1 SEARCH base="dc=domain1,dc=example,dc=com" scope=2 filter="(uid=user)" attrs="dn " s_msgid=19 s_conn=dna:1
    [07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=1 SEARCH RESPONSE err=0 msg="" nentries=2 s_conn=dna:1
    [07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=1 SEARCH base="dc=example,dc=com" scope=2 filter="(uid=user)" attrs="dn " s_msgid=20 s_conn=dna:1
    [07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=1 SEARCH RESPONSE err=32 msg="" nentries=0 s_conn=dna:1
    [07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=1 SEARCH base="dc=domain2,dc=example,dc=com" scope=2 filter="(uid=user)" attrs="dn " s_msgid=21 s_conn=dna:1
    [07/Apr/2009:19:44:10 +0300] - SERVER_OP - INFO - conn=33 op=1 SEARCH RESPONSE err=0 msg="" nentries=2 s_conn=dna:1
    [07/Apr/2009:19:44:10 +0300] - OPERATION - INFO - conn=33 op=1 SEARCH RESPONSE err=0 msg="" nentries=4 etime=0
    As you see the connection is routed through default connection handler.
    This happens sometimes even if I put the client IP in the criteria, without the bind criteria.
    I'm a bit confused. I've also tried to change the priorities but no luck again.
    The funny thing is that if I connect through the NON-SSL port on the proxy the connection
    is routed through the domain1.example.com connection handler...
    [07/Apr/2009:19:51:32 +0300] - PROFILE - INFO - conn=37 assigned to connection handler cn=domain1.example.com,cn=connection handlers,cn=config
    Any comment on this would be appreciated.
    regards,
    Giannis

    Talking about randomness, I've deleted the connection handlers,
    deleted the default data views, deleted the default data pool, enabled manual routing.
    recreated the connection handlers and now it works.
    The handlers are the same as before. Same criteria...
    Don't get it but there must be something fishy going on there...
    Anyway, what I'm trying to do is a setup like
    "Data Views That Route Requests When a List of Subtrees Is Stored on Multiple, Data-Equivalent Data Sources"
    http://docs.sun.com/app/docs/doc/820-2763/gbwva?a=view
    where requests with the parent domain as base would work as well.
    domain1.example.com
    domain2.example.com
    example.com (includes both)
    if I have something new I will post
    Giannis
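To check which connection handler should have been chosen for each connection in an access log like the one above, here is an added Python example (not part of the post and not DPS code): it rebuilds the handler table from the dpconf output, matches each connection's bind DN and port against the handlers' criteria, and reports connections whose PROFILE line disagrees. The log lines are adapted from the post plus one constructed anonymous connection; the domain2 and anonymous filters are constructed, the "directory services administrators" handler is left out because its criteria are not shown, and the matching rule (regex full match on the bind DN, lowest priority number wins, "any" matches every DN) is an assumption about DPS semantics.

```python
import re
from collections import defaultdict

# Handler table modelled on the dpconf output in the post. Lower priority number wins.
# Filters are regexes matched against the bind DN; "any" matches every DN (assumed semantics).
HANDLERS = [
    {"name": "domain1.example.com", "priority": 1, "enabled": True,
     "ports": {"ldap", "ldaps"},
     "bind_dn_filters": [
         r"uid=(.*),cn=(.*),ou=People,dc=domain1,dc=example,dc=com",
         r"uid=(.*),ou=(.*),ou=People,dc=subdomain,dc=domain1,dc=example,dc=com",
     ]},
    {"name": "domain2.example.com", "priority": 3, "enabled": True,      # filter constructed
     "ports": {"ldap", "ldaps"},
     "bind_dn_filters": [r"uid=(.*),ou=People,dc=domain2,dc=example,dc=com"]},
    {"name": "anonymous", "priority": 5, "enabled": True,                # constructed: empty DN only
     "ports": {"ldap", "ldaps"}, "bind_dn_filters": [r""]},
    {"name": "default connection handler", "priority": 100, "enabled": True,
     "ports": {"ldap", "ldaps"}, "bind_dn_filters": ["any"]},
]

# The three DPS access-log record types the audit needs
CONNECT_RE = re.compile(r"- CONNECT - .*?conn=(\d+) .*?protocol=(\w+)")
PROFILE_RE = re.compile(r"- PROFILE - .*?conn=(\d+) assigned to connection handler cn=([^,]+),")
BIND_RE = re.compile(r"- OPERATION - .*?conn=(\d+) op=\d+ BIND dn=\"([^\"]*)\"")


def handler_matches(handler, bind_dn, port):
    """True if the handler is enabled, allows the port, and one of its filters matches the DN."""
    if not handler["enabled"] or port not in handler["ports"]:
        return False
    filters = handler["bind_dn_filters"]
    if filters == ["any"]:
        return True
    return any(re.fullmatch(f, bind_dn, re.IGNORECASE) for f in filters)


def expected_handler(bind_dn, protocol, handlers=HANDLERS):
    """Name of the matching handler with the lowest priority number."""
    port = "ldaps" if protocol.upper() == "LDAPS" else "ldap"
    matching = [h for h in handlers if handler_matches(h, bind_dn, port)]
    return min(matching, key=lambda h: h["priority"])["name"]


def audit(log_lines, handlers=HANDLERS):
    """Return one dict per connection whose assigned handler differs from the expected one."""
    conns = defaultdict(lambda: {"protocol": "LDAP", "bind_dn": "", "assigned": None})
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if m:
            conns[m.group(1)]["protocol"] = m.group(2)
            continue
        m = PROFILE_RE.search(line)
        if m:
            conns[m.group(1)]["assigned"] = m.group(2)   # last PROFILE line wins
            continue
        m = BIND_RE.search(line)
        if m:
            conns[m.group(1)]["bind_dn"] = m.group(2)
    mismatches = []
    for conn, info in sorted(conns.items(), key=lambda kv: int(kv[0])):
        if info["assigned"] is None:
            continue   # no PROFILE record seen for this connection
        want = expected_handler(info["bind_dn"], info["protocol"], handlers)
        if want != info["assigned"]:
            mismatches.append({"conn": conn, "assigned": info["assigned"], "expected": want})
    return mismatches


# conn=33 and conn=37 follow the post's log; conn=40 is a constructed anonymous connection
SAMPLE_LOG = [
    '[07/Apr/2009:19:44:10 +0300] - CONNECT - INFO - conn=33 client=10.0.0.1:40795 server=proxy.example.com:1636 protocol=LDAPS',
    '[07/Apr/2009:19:44:10 +0300] - PROFILE - INFO - conn=33 assigned to connection handler cn=default connection handler,cn=connection handlers,cn=config',
    '[07/Apr/2009:19:44:10 +0300] - OPERATION - INFO - conn=33 op=0 BIND dn="uid=user,cn=admin,ou=People,dc=domain1,dc=example,dc=com" method="SIMPLE" version=3',
    '[07/Apr/2009:19:51:32 +0300] - CONNECT - INFO - conn=37 client=10.0.0.1:40801 server=proxy.example.com:1389 protocol=LDAP',
    '[07/Apr/2009:19:51:32 +0300] - PROFILE - INFO - conn=37 assigned to connection handler cn=domain1.example.com,cn=connection handlers,cn=config',
    '[07/Apr/2009:19:51:32 +0300] - OPERATION - INFO - conn=37 op=0 BIND dn="uid=user,cn=admin,ou=People,dc=domain1,dc=example,dc=com" method="SIMPLE" version=3',
    '[07/Apr/2009:19:52:01 +0300] - CONNECT - INFO - conn=40 client=10.0.0.2:51000 server=proxy.example.com:1389 protocol=LDAP',
    '[07/Apr/2009:19:52:01 +0300] - PROFILE - INFO - conn=40 assigned to connection handler cn=anonymous,cn=connection handlers,cn=config',
]
```

Running audit(SAMPLE_LOG) flags conn=33 only: it bound with a domain1 DN over LDAPS but stayed on the default handler, exactly the symptom described above.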

  • How to configure ldap.ora with multiple ldap contexts

    Hello.
    My company has recently taken on another environment with its own LDAP configuration. It's a bit tedious to have to keep switching my ldap.ora for both LDAP configurations. Are there any good suggestions for either allowing me to search both LDAP configurations (2 separate LDAP setups, with 2 default contexts)? Or is there a smooth way to populate 1 LDAP with the other's data? Or perhaps some form of redirect on one LDAP to the other LDAP server for queries?
    Some basic info: LDAP is Oracle OID version 10gR2
    Please let me know if you have any useful ideas...

    Hi,
    Here is the list of OVD benefits:
    1. Easy to set up and manage via our Management client
    2. Unifies multiple directories into a single access point
    3. Normalizes and unifies multiple directories
    4. Directly accesses remote repositories
    5. Allows a unified view of an entry using data from multiple repositories
    6. Can act as an LDAP proxy and firewall
    Why can you not use OVD to improve these? Read: LDAP to the other LDAP server for queries, allowing you to search both LDAPs?
    I hope this helps.
    Thiago L Guimaraes

  • LDAP(iPlanet & OID) Net Service

    Hi There,
    Is it possible to use iPlanet's LDAP for net service names lookup instead of Oracle Names? Is there a way to extract the schema in OID and import it into iPlanet LDAP? If this could be done then NET8 should be able to connect to the directory server. Why I say this is: according to Oracle documentation, Net8 supports directory naming: "Service addresses and net service names can be stored in a Lightweight Directory Access Protocol -compliant directory server."
    Has anyone done this?
    With the release of Oracle 9i Oracle is due to ship a product called Oracle Names LDAP
    Proxy. Is there any information on this product?
    All comments and suggestions are very welcome and appreciated
    John Tomlinson
    posted February 25, 2001 03:06 PM
    Hello Pat:
    As of release 8.1.7 you can use iPlanet as your name server. In the Net8 Admin guide
    for 8.1.7, specifically chapter 6, there are detailed steps on how to accomplish this.
    By the way, customers seeking to use OID as a replacement to their Oracle Names
    server may do so for free. There is no extra licensing required to use OID as your Oracle
    Names replacement. You can find a copy of the Net8 Admin guide for 8.1.7 on the "Online Generic Documentation" CD for 8.1.7
    Thanks,
    Jay
    Pat Lehane
    posted March 06, 2001 08:54 AM
    Hi Jay,
    Thanks for the reply.
    I installed NET 8.1.7 and am trying to connect to iPlanet LDAP through NET8
    Configuration Assistant to create an Oracle schema in the iPlanet Directory Server
    but I get an error as follows: configexception: Could not create Oracle schema:oracle.net.config.ConfigException
    You must update the schema from a computer which directly supports your type of
    directory. There are still only three options in the directory server type in NET8 config assistant. Is there another way of creating the schema in iPlanet or are there some steps to be done in iPlanet first?
    Regards
    Pat

    While any v3 LDAP server should work, and while some 816 users got Oracle and iPlanet to talk, there are compatibility bugs between Oracle 817 and iPlanet. According to Oracle on 02/21/01: "Per bug 1377659 it's been decided that we will only certify against OID. iPlanet is no longer a tested configuration."
    If they aren't testing it they probably aren't doing much else on it either.

  • DSML on DSEE Proxy 6.3.1

    Does anyone know how to enable DSML communications to the Proxy server? I see how to enable it to the LDAP server, but could not find any documentation or server setting to enable it on the Proxy server.

    Actually you can't - DPS is a pure LDAP proxy.

  • OES 2 SP3+Samba+LDAP users

    Hello everyone,
    Wondering if someone might be able to help with a Samba issue that I don't know how to fix. I've researched it quite a bit online but can't seem to find a solution. I did have a couple of certs that needed renewing, but even after the cert replacement that didn't seem to fix the overall issue. Also made sure the LDAP users are listed in the Samba User list in iManager. Even tried removing a user and adding them back in the group. Any help would be appreciated, thanks.
    Goal
    LDAP user trying to connect to a samba share on the OES file server from a Mac.
    Environment
    Server
    OES SP3
    samba-3.0.36-0.13.28.1
    Client
    Mac OS X 10.9.5
    /var/log/messages
    pdb_get_group_sid: Failed to find Unix account for user1
    Oct 15 14:46:24 server1 smbd[20328]: [2014/10/15 14:46:24, 0] auth/auth_sam.c:check_sam_security(353)
    Oct 15 14:46:24 server1 smbd[20328]: check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
    Oct 15 14:46:24 server1 smbd[20328]: [2014/10/15 14:46:24, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
    /var/log/samba/log.smbd
    [2014/10/15 14:46:24, 1] auth/auth_util.c:make_server_info_sam(589)
    User user1 in passdb, but getpwnam() fails!
    [2014/10/15 14:46:24, 0] auth/auth_sam.c:check_sam_security(353)
    check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
    [2014/10/15 14:46:24, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
    pdb_get_group_sid: Failed to find Unix account for user1
    [2014/10/15 14:46:25, 1] auth/auth_util.c:make_server_info_sam(589)
    User user1 in passdb, but getpwnam() fails!

    Ok. So, I've been at Millikin for 12 years as a full-time employee now, and my account has existed for 14 years. Back when my account was first enabled for *nix stuff, we used the Unix tabs in ConsoleOne. This was the case with other coworkers who have been here for a while. We have had no problems logging into LDAP-enabled stuff (Novell Samba, SSH, etc.)
    Some of my more recent coworkers were enabled for *nix stuff using the LUM-enable process in iManager. Ever since we plugged the hole with our ldap proxy account, they have *not* been able to access LDAP-enabled stuff.
    And this has been driving me absolutely nuts, until I figured it out today.
    My clue to this was the LDAP users filter screen in YaST on one of our SLES boxes (it acts the same way on all of the SLES boxes though.)
    Basically, I noticed that when I accessed the screen anonymously, only some users had a username under the "name" column, but everyone had one under the "login" column. However, if I accessed it authenticatedly, everyone had both. Which was very curious to me, I mean - why would someone have a username and not others?
    I ended up playing around with an account, and found that the "Login" column is tied to the "uniqueID" attribute in LDAP, and the "Name" column is tied to the "CN" attribute.
    I accessed our LDAP servers via an anonymous connection in an LDAP browser, and found that for some reason, the "CN" attribute wasn't displayed for some folks, but it was others.
    So, I got to checking the "NDS Rights" tab in C1 for the different accounts, and found something very odd:
    For accounts that were set up for *nix "the old way" (through the Unix tab in C1,) the rights for [Public] were very simple:
    [image: somple.png]
    However, for folks who were "LUM-Enable"d through iManager, they were much more complex and odd:
    [image: complex.png]
    So, for whatever reason, when we LUM-enabled the accounts via iManager, it also added all of those random NDS ACLs. (I verified this by LUM-enabling an account that hadn't been enabled before, and it went from having the simple ACLs to these crazy complex ones. However, if I re-LUM-enable my account, it doesn't add those ACLs.)
    As soon as I removed the restrictive "CN" permission from an account, LDAP things work properly.
    The reason this went undiscovered for so long was because of the overly-generous ACL for our ldap anonymous proxy account - it had overridden the permissions for the CN attribute. When we fixed that security hole, then things that depended on an anonymous connection to access the CN attribute broke.

  • LDAP(iPlanet & OID) Net Service Names

    Hi There,
    Is it possible to use iPlanet's LDAP for net service names lookup instead of Oracle Names?
    Is there a way to extract the schema in OID and import into iPlanet ldap. If this could be done then NET8 should be able to connect to the directory server. Why I say this is: according to Oracle documentation, Net8 supports directory naming:
    "Service addresses and net service names can be stored in a Lightweight Directory Access Protocol (LDAP)-compliant directory server."
    Has anyone done this?
    With the release of Oracle 9i Oracle is due to ship a product called Oracle Names LDAP Proxy. Is there any information on this product?
    All comments and suggestions are very welcome and appreciated
    Regards
    Pat Lehane

    Hi Jay,
    Thanks for the reply.
    I installed NET 8.1.7 and am trying to connect to iPlanet LDAP through NET8 Configuration Assistant to create an Oracle schema in the iPlanet Directory Server but I get an error as follows:
    configexception: Could not create Oracle schema:oracle.net.config.ConfigException
    You must update the schema from a computer which directly supports your type of directory
    There are still only three options in the directory server type in NET8 config assistant.
    Is there another way of creating the schema in iPlanet or are there some steps to be done in iPlanet first?
    Regards
    Pat

  • PROXY. What optimisations are there?

    We have a fairly big installation of proxies and masters which I am testing at the moment. Using SLAMD.
    On a simple LDAP Auth test, I am seeing results that look like the following:
    LDAP client -> Proxy -> Master. 600ms+ when handling only 125 auths/sec.
    LDAP client -> Master (direct) 50ms when handling 250 auths/sec.
    The proxy is the vanilla proxy install. I intuitively feel that the proxy is posing a performance bottleneck, but I cannot locate enough documentation to enlighten myself any more than this...
    Anyone know of any proxy optimisations documented anywhere that can improve these type of performance numbers? Our masters are highly tuned, but there's no available information (so far) on how to tune the proxies... if it is possible....

    Hi,
    Could you please give the LDAP proxy version number? Are you using 6.0 or 5.2?
    Implementations differ between 5.2 and 6.0, and perf optimisations are very different.
    Thanks
    -Sylvain

  • SUN ONE Directory proxy Server on NT Server

    I want to use the Sun ONE Directory Proxy Server on an NT Server as an LDAP proxy server to my customised database running on an AIX box. During the installation of the proxy server (called idar 5.0 SP1) it fails indicating that "the server configuration directory may not be running".
    What am I missing? Is the LDAP proxy server dependent on Sun's directory server?

    Hi,
    You need to have a Directory Server for the installation of the Directory Proxy Server, but not necessarily the Sun ONE Directory Server itself.
    regards,
    raj

  • Ldapsearch command against Directory Proxy server

    When performing an ldapsearch command against SunOne LDAP PROXY server v5.2, the following anomaly results. When the -h option is omitted, the search fails as per below:
    # ldapsearch -v -b "dc=wrs,dc=com" "uid=jgersh"
    =======
    When the -h option is used either FQ hostname or just hostname, the search is successful.
    # ldapsearch -h ala-proxyldap.wrs.com -v -b "dc=wrs,dc=com" "uid=jgersh"
    # ldapsearch -h ala-proxyldap -v -b "dc=wrs,dc=com" "uid=jgersh"

    I'm afraid I don't understand the problem. Where do you issue the ldapsearch command?
    If you use ldapsearch without -h option then it will use localhost per default, probably that's the reason?

  • Directory Proxy Server Public API

    Where to find Directory Proxy Server (6 or 7) public API?
    Thank you

    Well, DPS is mainly an LDAP proxy, so upon reception of a bind, it will forward it to an LDAP directory server that would compare the credentials with the standard userPassword attribute.
    DPS can also be used OOTB as a Virtual Directory to provide an LDAP view of non-LDAP data, e.g. a SQL database. In that case, DPS implements the bind operation natively, that is, it retrieves the user password from the SQL db, then compares
    it with the credentials provided by the client. In that case, the user password can be retrieved from any SQL column.
    So to achieve this with an LDAP backend, a DPS bind plugin would have to get the user password from the target LDAP entry and do the comparison. A secured channel between DPS and the backend would be required to exchange such sensitive pieces of information. Technically, this would work only if you plan to use LDAP for authentication only (bind only), because the backend LDAP directory server would not consider user entries w/o userPassword attribute as regular accounts (with associated access rights).
    Could you explain where your requirement comes from?
    Thanks
    -Sylvain

  • Address Book Error

    "Your server is not configured properly or your search query has exceeded the limit. Please check server configuration." is shown when I click on the address book tab. Is this a known issue and patchable?
    There is no error in the directory server log and UWC log.
    All mail and calendar servers point to a directory server proxy which then talks to a single instance of directory server. The AM manager is also running on the directory server proxy host. Would this cause problem?
    Thanks

    Hi,
    When I first clicked on the "Address Book" tab, it still points to the directory proxy
    ldap://proxy.domain.com:389/piPStoreOwner=user,o=domain,o=PiServerDb. I notice an error in the access log of the directory proxy. It reads
    <date time> - OPERATION - INFO - conn=18673 op=33 SEARCH RESPONSE err=12 msg="The Server is not configured to pass through control 1.2.840.113556.1.4.473" nentries=0 etime=0

    Suggest you ask on the directory server forum. I don't personally deal with directory proxy to any large extent. What I can tell you is that the OID appears to relate to:
    supportedControl: 1.2.840.113556.1.4.473 <--- LDAP Server Sort result control (Server side sorting)

    I change the defaultserver.ldaphost in
    /var/opt/SUNWuwc/WEB-INF/config/corp-dir/db_config.properties and
    /var/opt/SUNWuwc/WEB-INF/config/corp-dir/db_config.properties to point to the directory server directly. I restart the web server, the container for UWC, after that.
    Everything seems to work fine except in the UWC log, psRoot is still pointing to
    ldap://proxy.domain.com:<proxy port>/piPStoreOwner=<user>,o=<domain>,o=PiServerDb.
    How can I correct this?

    Manually, you need to delete the user's psRoot attribute using ldapmodify/commadmin or alike. The psRoot attribute will be recreated when you next connect to UWC and click on the addressbook tab. Remember that these settings are for the default values; if settings already exist they aren't over-written.
    Regards,
    Shane

  • DPS6: Unable to retrieve a backend SEARCH connection to process the search

    I have installed and configured DPS 6 but I cannot get it to proxy through to our back-end Sun DS 5.2 servers. The error message I get is:
    Error while reading entry [LDAP: error code 1 - Unable to retrieve a backend SEARCH connection to process the search request]
    As I am not familiar with the DP server I may be making a simple mistake and would appreciate any pointers.
    Background:
    I have installed the DPS 6 on both a Windows 2000 SP4 server and on a Windows XP SP2 computer from the Sun Java Identity Management Suite v5 package.
    I installed DS Core Server, DS EE Command-line utilities, and DPS Core Server and I selected "Configure manually after installation".
    On the Win XP computer the installation path was:
                  C:\Program Files\Sun\JavaES5
    I ran the following commands to set up and configure the server:
         dpadm create -p 389 -P 636 C:\Program Files\Sun\JavaES5\ldap-proxy
         dpadm enable-service --type WIN_SERVICE C:\Program Files\Sun\JavaES5\ldap-proxy
         dpadm start C:\Program Files\Sun\JavaES5\ldap-proxy
         dpconf create-ldap-data-source Sun1 directory1.example.com:636
         dpconf create-ldap-data-source Sun2 directory2.example.com:636
         dpconf list-ldap-data-sources
           Sun1
           Sun2
         dpconf create-ldap-data-source-pool Sun_internal
         dpconf attach-ldap-data-source Sun_internal Sun1 Sun2
         dpconf list-attached-ldap-data-sources Sun_internal
           Sun1
           Sun2
         dpconf create-ldap-data-view Customer_data_r/w Sun_internal ou=Customers,dc=example,dc=com
         dpconf create-ldap-data-view Partner_data_r/w Sun_internal ou=Partners,dc=example,dc=com
         dpconf create-ldap-data-view Staff_data_r/w Sun_internal ou=Staff,dc=example,dc=com
         dpconf set-ldap-data-source-prop Sun1 is-enabled:true
         dpconf set-ldap-data-source-prop Sun2 is-enabled:true
         dpconf set-attached-ldap-data-source-prop Sun_internal Sun1 search-weight:100
         dpconf set-attached-ldap-data-source-prop Sun_internal Sun2 search-weight:200
         dpadm restart C:\Program Files\Sun\JavaES5\ldap-proxy
    I have now been scratching my head over this for several days, and I have installed and re-installed the server several times on the different computers. I have also had a problem registering the DPS with a remote DSCC; checking the cacaoadm I see:
         cacaoadm status
           default instance is ENABLED at system startup.
           default instance is not running.
         cacaoadm start
         cacaoadm status
           default instance is ENABLED at system startup.
           Current retries count : 1/4
           Processes:
           2452
           Cannot connect to agent: Unsupported protocol: jmxmp
         cacaoadm verify-configuration
           CONFIG ERROR   : Java Dynamic Management Kit home is not valid, Cannot locate [lib] inside [C:\DOCUME~1\ADMINI~1].
    Any help that can be given will be greatly appreciated; thanks

    Hi,
    The error message indicates (not very clearly, I agree) that DPS could handle the request but could not contact the appropriate Directory Server (no connection).
    There are several possible reasons for this.
    First, is directory1.example.com a valid fully qualified domain name on your machine, i.e. does this name resolve to an IP address?
    Second, the port used for directory1.example.com is 636, which is the default secure LDAP port. This implies that you probably wanted to have a secure connection between DPS and the Directory Servers.
    Well, dpconf has no way to specify that the port is intended to be a secure one, and will always consider that the port specified is the regular LDAP port. (I opened a bug about this and I hope it'll be fixed in 6.1.)
    Secure connections and information must be configured afterward.
    To configure SSL between DPS and an ldap-data-source, please refer to the Administration Guide : <http://docs.sun.com/app/docs/doc/819-0995/6n3cq3b3q?a=view>
    As for the jmxmp issue, it looks like the JDMK component on Windows was not installed. Did you install it with an Administrative account ?
    Could you try to uninstall and re-install ?
    Regards,
    Ludovic.

  • Problems Reading SSL  server socket  data stream using readByte()

    Hi, I'm trying to read an SSL server socket stream using readByte(). I need to use readByte() because my program acts as an LDAP proxy (it receives LDAP messages from an LDAP client, then passes them on to an actual LDAP server). It works fine with normal LDAP data streams but once an SSL data stream is introduced, readByte just hangs! Here is my code.....
    help!!! anyone?... anyone?
    1. The SSL socket is first read into "InputStream input":

    public void run()
    {
        Authorization auth = new Authorization();
        try {
            InputStream input = client.getInputStream();
            while (true)
            {
                StandLdapCommand command;
                try
                {
                    command = new StandLdapCommand(input);
                    Authorization t = command.get_auth();
                    if (t != null)
                        auth = t;
                }
                catch (SocketException e)
                {   // If socket error, drop the connection
                    Message.Info("Client connection closed: " + e);
                    close(e);
                    break;
                }
                catch (EOFException e)
                {   // If socket error, drop the connection
                    Message.Info("Client connection close: " + e);
                    close(e);
                    break;
                }
                catch (Exception e)
                {   // Way too many of these to trace them!
                    Message.Error("Command not processed due to exception");
                    close(e);
                    break;
                    //continue;
                }
                processor.processBefore(auth, command);
                try
                {
                    Thread.sleep(40); // yield to other threads
                }
                catch (InterruptedException ie) {}
            }
        }
        catch (Exception e)
        {
            close(e);
        }
    }

    2. Then the data is sent to an intermediate function from this statement in the function above: command = new StandLdapCommand(input);

    public StandLdapCommand(InputStream in) throws IOException
    {
        message = LDAPMessage.receive(in);
        analyze();
    }

    3. Then finally, the read function where it hangs at "int tag = (int)din.readByte();":

    public static LDAPMessage receive(InputStream is) throws IOException
    {
        /*  LDAP Message Format =
         *      1.  LBER_SEQUENCE                  --  1 byte
         *      2.  Length                         --  variable length = 3 + 4 + 5 ....
         *      3.  ID                             --  variable length
         *      4.  LDAP_REQ_msg                   --  1 byte
         *      5.  Message specific structure     --  variable length
         */
        DataInputStream din = new DataInputStream(is);
        int tag = (int) din.readByte();      // sequence tag
        ...
    }

    I suspect you are actually getting an Exception and not tracing the cause properly and then doing a sleep and then getting another Exception. Never ever catch an exception without tracing what it actually is somewhere.
    Also I don't know what the sleep is supposed to be for. You will block in readByte() until something comes in, and that should be enough yielding for anybody. The sleep is just literally a waste of time.
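As an added example (not the poster's code and not any LDAP library's API), here is the framing step that LDAPMessage.receive() above is meant to perform, written in Python: it decodes the SEQUENCE tag and BER length before reading the body, reads the body in one go, reports "need more bytes" instead of blocking on a half-received message, raises EOFError when the peer closes mid-message, and refuses bytes that begin with a TLS record header rather than the 0x30 SEQUENCE tag, which is what a proxy sees when it reads a TLS socket that has not been unwrapped. The sample messages are constructed; OP_NAMES holds the RFC 4511 application tags.

```python
import io

SEQUENCE_TAG = 0x30           # every LDAPMessage is a BER SEQUENCE
INTEGER_TAG = 0x02            # messageID is a BER INTEGER
TLS_HANDSHAKE_RECORD = 0x16   # first byte of a TLS record carrying a ClientHello

# RFC 4511 application tags for the protocolOps used in the samples
OP_NAMES = {0x60: "bindRequest", 0x42: "unbindRequest", 0x63: "searchRequest"}


def decode_length(buf, pos):
    """Decode a BER definite length at buf[pos].
    Returns (length, bytes_consumed), or None if buf ends before the length is complete."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:                       # short form: one octet
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4:                    # indefinite form or absurd size: not valid LDAP
        raise ValueError("unsupported BER length octet 0x%02x" % first)
    if pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def frame_message(buf):
    """Look at the start of buf for one complete LDAPMessage.
    Returns (messageID, protocolOp tag, total length), or None when more bytes are needed.
    Raises ValueError when the bytes cannot be an LDAPMessage at all."""
    if not buf:
        return None
    if buf[0] == TLS_HANDSHAKE_RECORD:
        raise ValueError("stream begins with a TLS record, not an LDAP SEQUENCE: "
                         "unwrap the socket (SSLSocket) before parsing")
    if buf[0] != SEQUENCE_TAG:
        raise ValueError("expected SEQUENCE tag 0x30, got 0x%02x" % buf[0])
    hdr = decode_length(buf, 1)
    if hdr is None:
        return None
    body_len, len_len = hdr
    total = 1 + len_len + body_len
    if len(buf) < total:
        return None                        # do not touch the body until all of it is here
    body = buf[1 + len_len:total]
    id_hdr = decode_length(body, 1) if len(body) >= 2 and body[0] == INTEGER_TAG else None
    if id_hdr is None:
        raise ValueError("LDAPMessage does not start with an INTEGER messageID")
    id_len, id_len_len = id_hdr
    id_start = 1 + id_len_len
    msg_id = int.from_bytes(body[id_start:id_start + id_len], "big", signed=True)
    op_pos = id_start + id_len
    if op_pos >= len(body):
        raise ValueError("LDAPMessage has no protocolOp")
    return msg_id, body[op_pos], total


def receive(stream):
    """Read exactly one LDAPMessage from a binary stream (the job of LDAPMessage.receive()
    in the post). Returns (messageID, op name, raw bytes). Raises EOFError if the peer
    closes mid-message instead of blocking forever on a half-received message."""
    buf = bytearray()
    while True:
        framed = frame_message(bytes(buf))
        if framed is not None:
            msg_id, op_tag, total = framed
            return msg_id, OP_NAMES.get(op_tag, "op 0x%02x" % op_tag), bytes(buf[:total])
        hdr = decode_length(buf, 1) if buf else None
        # one byte at a time until tag and length are known, then the rest of the body at once
        need = (1 + hdr[1] + hdr[0] - len(buf)) if hdr else 1
        chunk = stream.read(need)
        if not chunk:
            raise EOFError("peer closed the connection after %d bytes of a message" % len(buf))
        buf += chunk


def receive_all(data):
    """Split a captured byte string into its messages: list of (messageID, op name)."""
    stream = io.BytesIO(data)
    out = []
    while stream.tell() < len(data):
        msg_id, op, _raw = receive(stream)
        out.append((msg_id, op))
    return out


def classify_stream(data):
    """Triage a captured client stream: 'complete', 'truncated', 'tls' or 'invalid'."""
    try:
        receive_all(data)
        return "complete"
    except EOFError:
        return "truncated"
    except ValueError as exc:
        return "tls" if "TLS" in str(exc) else "invalid"


# Constructed samples: a bindRequest (messageID 1, LDAPv3, empty DN, empty simple password)
# followed by an unbindRequest (messageID 2).
BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")
UNBIND_REQUEST = bytes.fromhex("30050201024200")
```

classify_stream() is the check to run on a dump of what the proxy actually received: a result of "tls" means the bytes are a TLS handshake, not LDAP, and no amount of readByte() will ever see a SEQUENCE tag.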

  • SSL connections blocking worker threads on DS 5.2 patch 4

    Hi,
    Is it normal for an idle SSL connection to consume a worker thread within the directory server?
    We have recently enabled SSL on a number of our directory servers (5.2 patch 4) and have run into problems with the server hanging. We have a number of application servers, each opening a pool of connections to the servers via JNDI. It seems that once 30 SSL connections have been established to a given LDAP server, the server will hang. By hang I mean the server is accepting TCP connections, but not responding to LDAP requests.
    The server can deal with a lot more than 30 non-ssl connections. I'm guessing that SSL connections need to maintain state, which is what is tying up the worker threads.
    Is this normal, and is it documented anywhere? Currently I'm looking at terminating the SSL connections on a load balancer in front of the LDAP servers, or perhaps on an LDAP proxy. Any other suggestions as to how this is typically dealt with?
    thanks,
    R

    Thank you Gautam.
    On further testing yesterday, we discovered that the problem is just as you have described. Our application servers are opening an initial pool of five connections, but typically only using one of those connections. The one connection the server uses to make an LDAP request behaves 'normally', not tying up a thread on the LDAP server. The other four sit there blocking a thread each, until eventually we hit the nsslapd-threadnumber.
    Based on that discovery, we're having the application changed so that its initial LDAP connection pool size is one, which appears to address the problem. That way connections are only established and added to the pool as they are required, resulting in well behaved connections to the LDAP server.
    Thanks for the quick reply... The Sunsolve note is helpful, as is the info about the nsslapd-ioblocktimeout parameter.
    kind regards,
    R
