George____
Inspiring
March 25, 2021
Question

CFLDAP timeout not working and JNDI.properties

How can I set the "com.sun.jndi.ldap.read.timeout" value, or otherwise get a CFLDAP call to properly time out?

I have an Active Directory (AD) server that I'm making CFLDAP calls to. Randomly the calls will hang for approximately 900 seconds. The AD server admins say they don't see any issues on their end, but the 900 seconds does correspond to a default MaxConnIdleTime setting on the AD server. In FusionReactor it will show that it's stuck on "java.net.SocketInputStream.socketRead0".

This page matches the issue I'm seeing: "java.net.socketinputstream.socketread0 Problem patterns".

According to the various pages I've found on this issue, I need to set the "com.sun.jndi.ldap.read.timeout" value. I've tried setting this in the jvm.config, but I found web pages that say you can't set it there, and that it needs to be set in the jndi.properties file. All of the web pages I find for ColdFusion and jndi.properties are from CF9 and older; those paths appear to no longer be valid. I've tried JAVA_HOME\lib and runtime\lib. Neither worked, but I'm not sure how to verify that the jndi.properties file is even being loaded.

I also tried setting it on the calling page with

<cfset system = createObject("java", "java.lang.System")>
<cfset system.setProperty("com.sun.jndi.ldap.read.timeout","1000")>

but that doesn't appear to work. When I do system.getProperties() I can see it set there, but I suspect I'm not setting it right in the first place.

I do have the timeout value set on the cfldap call, and if I set it for a couple of milliseconds I can force timeouts. The timeout value is being ignored, though, for these random hangs. The issue isn't with the specific LDAP call, because the exact same call rerun will work fine.

I'm open to any suggestions anyone has for preventing the CFLDAP call getting stuck on "java.net.SocketInputStream.socketRead0".


Charlie Arehart
Community Expert
March 29, 2021

George, I have not hit this problem (and can't recreate it), but I have a couple of suggestions that may work for you.

 

1) First, you say you "tried setting this in the jvm.config, but I found web pages that say you can't set it there." So first, how did you try to set it? This page on ldap/jndi configuration does discuss that particular timeout, and later in the doc it shows you CAN set such jndi.ldap settings there. It shows an example of setting other related ones. Is this what you tried?

-Dcom.sun.jndi.ldap.read.timeout=1000

 

(BTW, note also that the doc I shared indicates that this timeout is in milliseconds, so 1000 would be only 1 second. Is that what you were wanting? I might suggest giving it at least a few seconds, as things can happen on any server randomly to slow it down a little, even an ldap server.)

 

2) And are you saying you added that to the java-args in the jvm.config file of the instance in which you were trying things? I'd recommend you try it there rather than in the CF Admin itself, because if you make any mistake you may find CF would not come up (and you could not then see the Admin to correct your mistake).

On the other hand, you COULD use the CF Admin as a checkpoint after you make the above change and restart CF. Then in the admin it SHOULD show up in the java args textarea on the CF Admin "java and jvm" page. If you somehow do NOT see it there, then you are NOT editing the right jvm.config. (If you are running an instance of CF, be sure to edit the one in the instance's bin/jvm.config, rather than the cfusion/jvm.config, for example.)

3) You say also that you tried to set this in a jndi.properties file, but you were stumped as to where to put the file. You said you "tried JAVA_HOME\lib and runtime\lib". Can you be more specific? Those can be translated into various locations (by you or by us reading your words), and there are indeed various lib folders within CF. 🙂

More specifically, did you try it in the cfusion/lib folder, right under your main CF folder? Or if you are running an instance, then its sibling instancename/lib folder? (Those are the folders where one would modify the various jars related to JDBC drivers that CF loads, for instance.)

 

And then you restarted CF, and then did your test, and it didn't help? There could be still other reasons the properties file didn't work, if indeed you did put it there. (The Java doc I linked to made no mention of a jndi.properties file.)

 

So I am inclined to think that the first approach above should work.

 

4) Finally, you mention how the cfldap timeout attribute did not help. I will note that this has been a problem also with cfquery's timeout, cfhttp's timeout, and so on. Folks find that it "doesn't work". I think the problem is in what the timeout is intending to do (but the CF docs are not as clear as they could be).

 

Again, if you look at that Java document I linked to, you will see that besides the read.timeout you are trying to set, there is a VERY similar-looking com.sun.jndi.ldap.connect.timeout, which controls how long the JVM should be willing to wait to obtain a connection to the jndi server. I suspect you're getting a quick connection, but then you are not getting any response.

 

And I won't be surprised if the CFLDAP timeout is instead just about a connection timeout (setting connect.timeout) rather than a response timeout (read.timeout).

 

So let us know if you can try the options above and if this gets you going (and I hope you may try it before writing a tracker ticket to Adobe. The more info you have, the more useful that ticket would be for Adobe and future readers).

/Charlie (troubleshooter, carehart. org)
BKBK
Community Expert
March 29, 2021

@Charlie Arehart : 

 

-Dcom.sun.jndi.ldap.read.timeout=1000

 

Charlie, @George____ tried that and it didn't work. Not surprisingly. The above flag applies to a JVM system-wide setting, whereas what we're looking for is a timeout setting specifically for the LDAP environment.

 

@George____ : I'd prefer to stick with Coldfusion instead of rewriting everything as Java code

 

Fair enough. Let's go back to the very beginning of this discussion. 

 

The setting com.sun.jndi.ldap.read.timeout=1000 has more or less the same effect as <cfldap timeout="1000">. However, you say that <cfldap timeout="1000"> doesn't have the desired effect. So, what about omitting the attribute altogether? That will force ColdFusion to use the default value, namely, 5000 milliseconds.

 

Suppose that still doesn't work. Another thought follows.

 

You say the server's MaxConnIdleTime does have the desired effect. But it times the connection out after a long 900 000 milliseconds.

 

This suggests that the timeout we should be thinking of is the connection-timeout, not the read-timeout.

 

@George____ : I might have to go that [Java code] route if I'm unable to find the proper place to put the jndi.properties file.

 

Then probably the proper place to put the JNDI properties is /cfusion/runtime/conf/server.xml: as an implementation of JNDI Directory Realm (org.apache.catalina.realm.JNDIRealm) in Tomcat.

Charlie Arehart
Community Expert
March 29, 2021

I disagree with much you have said here, BKBK. But to save everyone's sanity and time I'm not going to bother to address each point. I stand by what I said (which also detailed WHY I said it and why it seems correct).

 

And I still think the answer is there: either a) in putting in the specific jvm arg I offered (he does not say yet he tried that, specifically) or b) in putting the jndi.properties in the cfusion/lib folder...not any of the others named.

 

Again, it strikes me this is NOT a connection timeout but instead a read timeout. BKBK, if you really might want to contend with what I said, please read all I wrote carefully. Too much of what you say reads as if you did not.  But this may be another one of those topics on which we will simply be butting heads.

 

George, I know you said you're hands-off the server. I hope you will please report if and when you can have your server Admin try the specific things I proposed.

/Charlie (troubleshooter, carehart. org)
BKBK
Community Expert
March 27, 2021

I think it is incorrect to set it as an environment property of your operating system. As far as I know, "com.sun.jndi.ldap.read.timeout" pertains to the custom environment that you yourself create for LDAP authentication. 

 

The relevant part of the Java code is:

 

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Set up the environment for creating the initial context
Hashtable<String, Object> env = new Hashtable<String, Object>();

// Set up the properties of the environment
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put("com.sun.jndi.ldap.read.timeout", "1000");   // value is in milliseconds
env.put(Context.PROVIDER_URL, "ldap://localhost:2001");

// Create the initial context; the read timeout applies to this context's connection
DirContext ctx = new InitialDirContext(env);

 

See the LDAP Simple.java example.
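Added example, not code from this thread or from the Simple.java sample: a complete Java program that sets both timeouts Charlie distinguishes above (connect.timeout and read.timeout) in the JNDI environment BKBK shows, and turns each failure into an exception instead of a hang in socketRead0. The server URL, bind DN and password are placeholders.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapTimeoutExample {
    // Both values are in milliseconds, as the JNDI/LDAP provider doc states.
    static final String CONNECT_TIMEOUT_MS = "5000";   // time to establish the TCP connection
    static final String READ_TIMEOUT_MS    = "10000";  // time to wait for a reply once connected

    // Builds the per-context environment; these are JNDI environment
    // properties, set on the Hashtable exactly as in the Simple.java example.
    static Hashtable<String, Object> buildEnv(String url, String bindDn, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", CONNECT_TIMEOUT_MS);
        env.put("com.sun.jndi.ldap.read.timeout", READ_TIMEOUT_MS);
        return env;
    }

    public static void main(String[] args) {
        // Placeholder server and service account; replace with real values.
        String url = "ldap://ad.example.invalid:389";
        String bindDn = "CN=svc-ldap,OU=Service Accounts,DC=example,DC=invalid";
        String password = System.getenv().getOrDefault("LDAP_BIND_PW", "placeholder");
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(buildEnv(url, bindDn, password));
            System.out.println("Bind succeeded within " + CONNECT_TIMEOUT_MS + " ms connect / " + READ_TIMEOUT_MS + " ms read limits");
        } catch (CommunicationException e) {
            // Typically the connect phase: host unreachable or connect.timeout elapsed.
            System.err.println("Could not connect to " + url + ": " + e.getMessage());
        } catch (NamingException e) {
            // Covers the read phase: the server accepted the connection but no
            // response arrived within read.timeout, so the thread is released.
            System.err.println("LDAP operation failed: " + e.getMessage());
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

Bumping read.timeout down to a few milliseconds against a real server reproduces the "forced timeout" George describes, which confirms the property is being honoured before you rely on it in production.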

George____
Inspiring
March 29, 2021

Thanks for the response.  I'd prefer to stick with Coldfusion instead of rewriting everything as Java code, but I might have to go that route if I'm unable to find the proper place to put the jndi.properties file.

 

Looks like someone reported this as a bug against Lucee back in 2018. I'll do the same on Adobe's site. https://luceeserver.atlassian.net/browse/LDEV-1860