WildFly Core / WFCORE-951

LDAP context resource leaks in Picketbox


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • Fix Version: 2.0.5.Final
    • Affects Version: 2.0.0.Beta5
    • Component: Security
    • I'm going to resolve this against 2.0.5 although it may have been an early 2.0.x release. The related JBEAP issue is verified and the code for this is in sync between the branches so for the JBEAP to be fixed this one must be as well.

      There are several InitialLdapContext resource leaks in LDAP related code in PicketBox.

      The most critical is IMO the leak in the `LdapLoginModule.createLdapInitContext()` method. LDAP connections will stay open for customers who use an administrator bind (i.e. the java.naming.security.principal login module option for the Ldap login module).

      The problematic code looks like:

      InitialLdapContext ctx = null;
      try
      {
         //...
         ctx = new InitialLdapContext(env, null);
         if (PicketBoxLogger.LOGGER.isTraceEnabled())
         {
            PicketBoxLogger.LOGGER.traceSuccessfulLogInToLDAP(ctx.toString());
         }
      
         if (bindDN != null)
         {
            // Rebind the ctx to the bind dn/credentials for the roles searches
            PicketBoxLogger.LOGGER.traceRebindWithConfiguredPrincipal(bindDN);
            env.setProperty(Context.SECURITY_PRINCIPAL, bindDN);
            env.put(Context.SECURITY_CREDENTIALS, bindCredential);
            // BUG (this issue): the user-bound ctx created above is overwritten here
            // without being closed, so its connection is never released
            ctx = new InitialLdapContext(env, null);
         }
         // ...
      }
      finally
      {
         // Close the context to release the connection
         if (ctx != null)
            ctx.close();
         // ...
      }
      

      The first constructed InitialLdapContext is not closed before creating the "admin context".

      The other PicketBox classes which have weak handling of the InitialLdapContext are:

      • LdapContextHandler
      • LdapAttributeMappingProvider
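
The bind-then-rebind flow from the report with the leak closed, as an added example that is not PicketBox code and not part of the original issue. The class, method and parameter names are assumptions for illustration; the shape mirrors `createLdapInitContext()` so the difference is visible: the user-bound context is closed before the administrator-bound one is opened, and the caller closes whichever context it receives in a finally block. The same two rules (close before reassigning, close in finally) are what the other classes named above would need as well.

```java
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;

// Added example, not PicketBox code. Names are illustrative assumptions.
public final class LdapRebindExample {

    private LdapRebindExample() {}

    /**
     * Authenticates the user by binding as userDN, then, if bindDN is configured,
     * returns a context bound as the administrator for the role searches.
     * Exactly one context is open when this method returns; the caller owns it
     * and must close() it.
     */
    public static InitialLdapContext createLdapInitContext(Properties baseEnv,
                                                           String userDN, Object userCredential,
                                                           String bindDN, Object bindCredential)
            throws NamingException {
        // Work on a copy so the caller's environment is not mutated with credentials.
        Properties env = new Properties();
        env.putAll(baseEnv);
        env.put(Context.SECURITY_PRINCIPAL, userDN);
        env.put(Context.SECURITY_CREDENTIALS, userCredential);

        // Bind as the user: this is the authentication step. If it throws,
        // nothing has been opened, so nothing can leak.
        InitialLdapContext userCtx = new InitialLdapContext(env, null);

        if (bindDN == null) {
            // No administrator bind configured: the user's own context is used
            // for the searches and is handed to the caller to close.
            return userCtx;
        }

        // The user context has served its purpose. Release its connection BEFORE
        // opening the administrator context. This is the close() the reported
        // code omits; if it throws, no other context is open yet.
        userCtx.close();

        // Rebind with the configured administrator identity for the role searches.
        env.put(Context.SECURITY_PRINCIPAL, bindDN);
        env.put(Context.SECURITY_CREDENTIALS, bindCredential);
        return new InitialLdapContext(env, null);
    }

    /**
     * Caller side: the returned context is closed whatever happens during the
     * search. javax.naming.Context is not AutoCloseable, so try-with-resources
     * cannot be used here; try/finally is the idiom.
     */
    public static void searchRoles(Properties baseEnv, String userDN, Object userCredential,
                                   String bindDN, Object bindCredential) throws NamingException {
        InitialLdapContext ctx =
                createLdapInitContext(baseEnv, userDN, userCredential, bindDN, bindCredential);
        try {
            // ... role searches against ctx go here ...
        } finally {
            ctx.close(); // releases the single remaining connection
        }
    }
}
```

With this structure the number of open contexts at any point is at most one, and a failure while opening the administrator context cannot strand the user connection, because that connection was already released.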

              Assignee: Peter Skopek (pskopek@redhat.com)
              Reporter: Josef Cacek (josef.cacek@gmail.com) (Inactive)