  1. JDK
  2. JDK-8037950

JNDI Connection Pooling Parameters: please make defaults non-unlimited


    • Type: Enhancement
    • Resolution: Unresolved
    • Priority: P4
    • None
    • 7u51
    • core-libs
    • x86_64
    • linux_suse_sles_11

      A DESCRIPTION OF THE REQUEST :
      The current default values for LDAP connection pooling in JNDI are unsuitable for productive environments, because the JNDI default is to allow unlimited LDAP connections.
      Unfortunately, a lot of programmers forget to set proper values before deploying a productive JNDI/LDAP application.

      These unlimited defaults lead to unnecessary operational problems, because the application will then open lots of TCP/LDAP connections to a directory server.
      Unfortunately, TCP connections are a limited resource on both the application server and the LDAP server.

      Since usually a lot of Java application servers access a limited number of LDAP servers, improper configuration will easily lead to problems.

      Since most programmers aren't skilled in using JNDI properly, more conservative default JNDI pooling parameters would be of great operational help.

      JUSTIFICATION :
      Enterprise Java projects often use JNDI and eventually get the idea to turn on JNDI connection pooling, but then often forget to set up proper JNDI/LDAP pooling parameters in JNDI.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The defaults for JNDI connection pooling should be changed to non-unlimited values.

      That way a careless project cannot cause trouble on central LDAP server hardware. Any project that actually needs "unlimited" JNDI pooling values on purpose, can easily set those unlimited values actively with the System Properties.
      ACTUAL -
      Especially on application servers when not limiting the JNDI connection pool configuration, the JNDI default values will be used (which unfortunately are "unlimited").

      This leads to huge consumption of LDAP TCP connections between deployed Java apps and an LDAP directory server, without the app actually needing all those connections.

      TCP connections are a limited resource.

      If the LDAP server has a server-side medium conn idle timeout or a Java application does lots of LDAP requests, the LDAP server eventually gets stalled quickly because of a single wrongly configured application consuming most of its LDAP connections (several thousands). This leads to a lot of unnecessary administrative problems.


      ---------- BEGIN SOURCE ----------
      see http://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html

      Problem is the following defaults:
      com.sun.jndi.ldap.connect.pool.maxsize: default: unlimited
      com.sun.jndi.ldap.connect.pool.prefsize: default: unlimited
      com.sun.jndi.ldap.connect.pool.timeout: default: none

      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Please change the conn pooling defaults in JRE/JDK to more defensive values, such that if someone does not specifically set the limits, Java will use non-unlimited defaults:

      Requesting:

      com.sun.jndi.ldap.connect.pool.maxsize:
      please default to: "20" instead of "unlimited"

      com.sun.jndi.ldap.connect.pool.prefsize:
      please default to: "1" instead of "unlimited"

      com.sun.jndi.ldap.connect.pool.timeout:
      please default to: "600000" (= 10 min) instead of "none"


      This will lower the risk of improper JNDI configurations and the risk of JNDI bugs in applications (e.g. forgetting to close contexts).

            aefimov Aleksej Efimov
            webbuggrp Webbug Group
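An added example, not part of the original report or of the JDK sources: one way an application can apply the bounded values requested above when the operator has not set them on the command line. The class and method names are hypothetical, and the LDAP URL is supplied by the caller.

```java
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class BoundedLdapPool {                       // hypothetical class name
    // Bounded values taken from the request above; tune them per deployment.
    static final Map<String, String> BOUNDED = new LinkedHashMap<>();
    static {
        BOUNDED.put("com.sun.jndi.ldap.connect.pool.maxsize", "20");
        BOUNDED.put("com.sun.jndi.ldap.connect.pool.prefsize", "1");
        BOUNDED.put("com.sun.jndi.ldap.connect.pool.timeout", "600000"); // milliseconds
    }

    /** Sets each pool property only if it is not already set, so an explicit -D wins. */
    static Map<String, String> applyBoundedDefaults() {
        Map<String, String> effective = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : BOUNDED.entrySet()) {
            String value = System.getProperty(e.getKey());
            if (value == null || value.trim().isEmpty()) {
                System.setProperty(e.getKey(), e.getValue());
                value = e.getValue();
            }
            effective.put(e.getKey(), value);
        }
        return effective;
    }

    /** Opens one pooled context and closes it, which returns the connection to the pool. */
    static void probe(String ldapUrl) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put("com.sun.jndi.ldap.connect.pool", "true"); // pooling is opt-in per context
        DirContext ctx = new InitialDirContext(env);
        try {
            System.out.println("root DSE: " + ctx.getAttributes(""));
        } finally {
            ctx.close(); // a context that is never closed keeps its connection in use
        }
    }

    public static void main(String[] args) throws NamingException {
        // Run before the first pooled context is created: these are system properties.
        applyBoundedDefaults().forEach((k, v) -> System.out.println(k + "=" + v));
        if (args.length == 1) probe(args[0]); // e.g. ldap://localhost:389 (constructed URL)
    }
}
```

Run without arguments, it only prints the effective pool settings; the same three properties can instead be passed as -D options at JVM start-up.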