[keycloak-user] Frequent LDAP bind failed socket connection reset exceptions in Keycloak LDAP user federation

Edgar Vonk - Info.nl Edgar at info.nl
Thu Feb 18 07:05:06 EST 2016


Hi Marek,

We now start Keycloak with -Djdk.tls.client.protocols=TLSv1 and so far I have not seen the connection reset exceptions so hopefully this fixes it.

See: 
https://confluence.atlassian.com/display/JIRAKB/JIRA+Connection+reset+error+when+synchronising+with+Active+Directory+2012r2
https://social.technet.microsoft.com/Forums/windowsserver/en-US/b6ffa278-4a04-4609-ac35-8390f5ba9cb6/ldap-over-ssl-on-windows-2012r2-server-dcs-tls-12-not-working?forum=winserversecurity

cheers

Edgar
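The fix above pins the JVM to TLSv1 for every outbound TLS client. One way to see which protocol versions the domain controller actually completes an LDAPS handshake for, from the same JVM that runs Keycloak, is to probe port 636 once per version and watch which attempts end in the "Connection reset" seen in the trace. This is an added diagnostic, not code from this thread or from Keycloak; the host name is a placeholder, and the default SSLContext is assumed to trust the DC's certificate (an untrusted certificate shows up as an SSLHandshakeException, not as a reset).

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.SocketException;
import java.util.Arrays;

public class LdapsTlsProbe {
    // Placeholder values: replace with the LDAPS host and port Keycloak connects to.
    private static final String DEFAULT_HOST = "ldap.example.internal";
    private static final int PORT = 636;
    private static final int TIMEOUT_MS = 5000;

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : DEFAULT_HOST;
        // Highest version first; versions the local JDK does not offer are skipped.
        String[] candidates = {"TLSv1.2", "TLSv1.1", "TLSv1"};
        SSLContext ctx = SSLContext.getDefault();
        for (String proto : candidates) {
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
                if (!Arrays.asList(s.getSupportedProtocols()).contains(proto)) {
                    System.out.printf("%-8s SKIP not supported by this JDK%n", proto);
                    continue;
                }
                // Offer exactly one version so the server's reaction to it is unambiguous.
                s.setEnabledProtocols(new String[]{proto});
                s.setSoTimeout(TIMEOUT_MS);
                s.connect(new InetSocketAddress(host, PORT), TIMEOUT_MS);
                s.startHandshake();
                System.out.printf("%-8s OK   negotiated %s, suite %s%n", proto,
                        s.getSession().getProtocol(), s.getSession().getCipherSuite());
            } catch (SocketException e) {
                // A bare "Connection reset" here is the failure mode from the thread:
                // the DC drops the socket instead of sending a TLS alert.
                System.out.printf("%-8s FAIL %s%n", proto, e.getMessage());
            } catch (IOException e) {
                // Other handshake failures (e.g. certificate path errors) are reported
                // with their class so they are not mistaken for the reset.
                System.out.printf("%-8s FAIL %s: %s%n", proto,
                        e.getClass().getSimpleName(), e.getMessage());
            }
        }
    }
}
```

Run it as `java LdapsTlsProbe <dc-host>`; the versions reported OK are the candidates for `-Djdk.tls.client.protocols`, so the property can name the highest version the DC completes rather than forcing TLSv1 for the whole JVM.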

> On 18 Feb 2016, at 09:59, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:
> 
> Thanks! However, it does not seem to help in our case, so I think it is something different in our situation.
> 
>> On 17 Feb 2016, at 21:33, Marek Posolda <mposolda at redhat.com> wrote:
>> 
>> Maybe try to start Keycloak with -Dhttps.protocols=SSLv3 ?
>> 
>> Some more details:
>> http://stackoverflow.com/questions/5507878/ssl-connection-reset
>> http://stackoverflow.com/questions/17458500/why-am-i-receiving-a-java-net-socketexception-connection-reset-error-from-web-s
>> 
>> Marek
>> 
>> On 17/02/16 09:57, Edgar Vonk - Info.nl wrote:
>>> hi,
>>> 
>>> We are getting frequent "LDAP simple bind failed" socket exceptions when communicating with our Active Directory server using the Keycloak user federation provider. This might very well be a problem on the AD side of things or perhaps in our network, but I was wondering if it might be something in Keycloak? We have not been able to narrow it down so far.
>>> 
>>> It happens quite often, for example when manually syncing users from AD to Keycloak, but also for example when creating a new user from Keycloak to AD. When you try any such action again it always succeeds. It seems to be some sort of hiccup.
>>> 
>>> 09:08:23,080 ERROR [org.keycloak.services] LDAP Query failed
>>> org.keycloak.models.ModelException: LDAP Query failed
>>> 	at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:168)
>>> 	at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:175)
>>> 	at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:504)
>>> 
>>> [..]
>>> 
>>> Caused by: org.keycloak.models.ModelException: Querying of LDAP failed org.keycloak.federation.ldap.idm.query.internal.LDAPQuery at 12228106
>>> 	at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:169)
>>> 	at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:164)
>>> 	... 54 more
>>> Caused by: javax.naming.CommunicationException: simple bind failed: ldap.hf.info.nl:636 [Root exception is java.net.SocketException: Connection reset]
>>> 	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
>>> 	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
>>> 	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
>>> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
>>> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
>>> 	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
>>> 	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
>>> 	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>> 	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
>>> 	at javax.naming.InitialContext.init(InitialContext.java:244)
>>> 	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
>>> 	at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:473)
>>> 	at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:541)
>>> 	at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:166)
>>> 	at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:160)
>>> 	... 55 more
>>> Caused by: java.net.SocketException: Connection reset
>>> 	at java.net.SocketInputStream.read(SocketInputStream.java:209)
>>> 	at java.net.SocketInputStream.read(SocketInputStream.java:141)
>>> 	at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
>>> 	at sun.security.ssl.InputRecord.read(InputRecord.java:503)
>>> 	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
>>> 	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>> 	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
>>> 	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
>>> 	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>> 	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>> 	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)
>>> 	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399)
>>> 	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
>>> 	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
>>> 	... 69 more
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> 
> 