RTC v4.0.2 + Tomcat7 + LDAP Connection Problem

Mamadou Diallo (31278) | asked Jul 18 '13, 11:05 a.m.
We intermittently experience connection timeouts from our Tomcat7 to our LDAP server. Somehow, most of the time this seems to be "benign." However, every now and then this causes the entire server to fail authenticating users, causing RTC to not be reachable until the next restart of the Tomcat service. Any help is appreciated.

Exception follows below:

Jul 18, 2013 9:27:31 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
Throwable occurred: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: [Root exception is connect timed out]]
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(
at org.apache.catalina.realm.JNDIRealm.getUserBySearch(
at org.apache.catalina.realm.JNDIRealm.getUser(
at org.apache.catalina.realm.JNDIRealm.getUser(
at org.apache.catalina.realm.JNDIRealm.authenticate(
at org.apache.catalina.realm.JNDIRealm.authenticate(
at org.apache.catalina.realm.CombinedRealm.authenticate(
at org.apache.catalina.realm.LockOutRealm.authenticate(
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(
at org.apache.catalina.core.StandardHostValve.invoke(
at org.apache.catalina.valves.ErrorReportValve.invoke(
at org.apache.catalina.authenticator.SingleSignOn.invoke(
at org.apache.catalina.core.StandardEngineValve.invoke(
at org.apache.catalina.connector.CoyoteAdapter.service(
at org.apache.coyote.http11.AbstractHttp11Processor.process(
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(
at java.util.concurrent.ThreadPoolExecutor$
Caused by: javax.naming.CommunicationException: [Root exception is connect timed out]
at com.sun.jndi.ldap.LdapReferralContext.<init>(
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(
... 25 more
Caused by: connect timed out

4 answers

Abraham Sweiss (2.4k1331) | answered Jul 18 '13, 11:46 a.m.
I believe the parameter should be added to the server.xml. See the following article for more details

Abraham Sweiss (2.4k1331) | answered Jul 18 '13, 11:15 a.m.
The root cause for these types of issues is with LDAP sending partial responses or timing out requests, which causes havoc on the Tomcat server. To enable Tomcat to handle these requests, add the adCompat=true parameter to the Tomcat configuration.

Mamadou Diallo commented Jul 18 '13, 11:21 a.m.

Thank you. The Tomcat server has lots of documents used in the configuration. Which one would I be changing and where do I add that additional parameter? 

Ryan Hyde (112) | answered Sep 04 '14, 6:58 a.m.
edited Sep 04 '14, 7:02 a.m.
  1. Open the server.xml file located in the ..\tomcat\config\ folder.
  2. Find this section: Realm className="org.apache.catalina.realm.JNDIRealm"
      • Ensure you are not in a commented-out section before editing.
  3. Add adCompat="true" immediately following Realm className="org.apache.catalina.realm.JNDIRealm".
  4. Restart Tomcat for the changes to take effect.
IBM has also written a Technote regarding this.  Intermittent log in problems with RTC and LDAP 
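
Added example (not part of the answer above or of IBM's Technote): a Python check that parses a server.xml and lists the active JNDIRealm elements that still lack adCompat="true", ignoring commented-out sections and descending into the nested LockOutRealm/CombinedRealm seen in the stack trace. The sample server.xml, its hostnames and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"

# Constructed sample server.xml; hostnames and search filters are placeholders.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <!--
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://old.example.invalid:389"/>
      -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.CombinedRealm">
          <Realm className="org.apache.catalina.realm.JNDIRealm"
                 connectionURL="ldap://ldap1.example.invalid:389"
                 userSearch="(sAMAccountName={0})"/>
          <Realm className="org.apache.catalina.realm.JNDIRealm" adCompat="true"
                 connectionURL="ldap://ldap2.example.invalid:389"
                 userSearch="(sAMAccountName={0})"/>
        </Realm>
      </Realm>
    </Engine>
  </Service>
</Server>
"""

def audit_jndi_realms(server_xml_text):
    """Return (connectionURL, adCompat_enabled) for every active JNDIRealm.

    The XML parser drops comments, so commented-out Realm elements are
    ignored, and iter() descends into nested Combined/LockOut realms.
    """
    root = ET.fromstring(server_xml_text)
    results = []
    for realm in root.iter("Realm"):
        if realm.get("className") != JNDI_REALM:
            continue
        enabled = realm.get("adCompat", "false").strip().lower() == "true"
        results.append((realm.get("connectionURL", "<none>"), enabled))
    return results

def realms_missing_adcompat(server_xml_text):
    """connectionURLs of active JNDIRealms that still lack adCompat="true"."""
    return [url for url, ok in audit_jndi_realms(server_xml_text) if not ok]

if __name__ == "__main__":
    for url, ok in audit_jndi_realms(SAMPLE_SERVER_XML):
        print(f"{url}: adCompat={'true' if ok else 'MISSING'}")
```

To check a real installation, pass the contents of its server.xml to `realms_missing_adcompat` instead of the sample string.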

Philippe Krief (1056) | answered Apr 01 '15, 8:57 a.m.
Thanks a lot Ryan for your explanation. I had the same issue with RTC 502 and your suggestion seems to fix my issue!
I appreciate...
