  1. Artifactory Binary Repository
  2. RTFACT-16718

Improve LDAP reliability by retrying if the connection fails

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: 5.9.0, 5.10.0, 5.11.0
    • Fix Version/s: None
    • Component/s: LDAP

      Description

      1. When the configuration specifies an LDAP URL that uses a DNS name with multiple IP addresses, continue trying the other IPs if the first one fails or times out, instead of simply denying access (which causes builds to fail).
      2. Even if the LDAP URL uses a DNS name with only one IP address, it would still be helpful to retry the connection in case of a temporary network issue or LDAP server performance problem.  Ideally the timeout/retry behavior would be configurable.

      Example:

      ldap://ldap.americas.mycompany.com:389

      Where DNS name ldap.americas.mycompany.com returns multiple IP addresses like:

      192.168.23.56

      192.168.11.101

      192.168.40.99

      Currently, Artifactory will try to connect to the first IP, but if that LDAP server is down, unresponsive, or unreachable, it appears that the authentication request fails right away without retrying, even if the other LDAP server IPs are alive and well.  This will typically result in seemingly random build failures when one of the LDAP servers is offline.  For instance:

      [ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on project

      Reliability could be improved by trying, in sequence, each of the IP addresses returned by DNS until a responsive server is found, and/or including a configurable retry/timeout mechanism.

      Granted, there are some potential workarounds, such as creating a separate LDAP configuration in Artifactory for each LDAP server IP, or using a GSLB, or a floating IP for LDAP, but many other tools and services automatically try to connect to each IP returned by DNS so that is the behavior that many users expect.
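
      The requested behavior, sketched as an added example (not Artifactory code, and not from the reporter): walk every IP that DNS returns, with a per-address timeout and a configurable number of passes, and deny the login only when no address answers. The function names, parameters and defaults are hypothetical; only the TCP connection is shown, and the LDAP bind would run over whatever connection is returned.

```python
import socket
import time

class NoServerAvailable(Exception):
    """No resolved address answered; the caller must deny the login (fail closed)."""

def resolve_all(host, port):
    """Return every distinct IP that DNS gives for host, in resolver order."""
    ips = []
    for *_, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        if sockaddr[0] not in ips:
            ips.append(sockaddr[0])
    return ips

def tcp_connect(ip, port, timeout):
    """Open a TCP connection to a single address with a bounded wait."""
    return socket.create_connection((ip, port), timeout=timeout)

def connect_with_failover(host, port, timeout=3.0, rounds=2, backoff=0.5,
                          resolve=resolve_all, connect=tcp_connect, sleep=time.sleep):
    """Try each resolved IP in order, walking the list up to `rounds` times."""
    failures = []                       # (ip, error name) pairs, for logging
    for round_no in range(rounds):
        if round_no:
            sleep(backoff * round_no)   # short pause before walking the list again
        for ip in resolve(host, port):  # re-resolve each pass: DNS may have changed
            try:
                return connect(ip, port, timeout), ip, failures
            except OSError as exc:      # refused, unreachable or timed out
                failures.append((ip, type(exc).__name__))
    raise NoServerAvailable(f"{host}:{port}: no server after {len(failures)} attempts")

# Constructed demo data: the three addresses from the ticket, first two not answering.
DEMO_IPS = ["192.168.23.56", "192.168.11.101", "192.168.40.99"]

def demo():
    def fake_connect(ip, port, timeout):
        if ip != DEMO_IPS[-1]:
            raise TimeoutError("simulated unresponsive server")
        return f"connected to {ip}:{port}"
    _, ip, failures = connect_with_failover(
        "ldap.americas.mycompany.com", 389,
        resolve=lambda host, port: DEMO_IPS, connect=fake_connect,
        sleep=lambda seconds: None)
    return ip, failures

if __name__ == "__main__":
    print(demo())
```

      The list of skipped addresses is returned so it can be logged; a directory server that is silently bypassed on every login is worth an alert of its own.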

       

            People

            • Assignee: Unassigned
            • Reporter: Ken Martindale (ken.martindale)
            • Votes: 4
            • Watchers: 6
