<div dir="ltr"><div>Hi,<br><br>I have found a possible PKI LDAP connection leak on access to the /ca/rest/securityDomain/domainInfo URL.<br><br></div><div>To reproduce:<br></div><div><br># ss -ant state established sport = :636<br>Recv-Q Send-Q    Local Address:Port      Peer Address:Port <br>0      0           <a href="http://10.172.3.13:636">10.172.3.13:636</a>        <a href="http://10.172.3.13:57696">10.172.3.13:57696</a> <br>0      0           <a href="http://10.172.3.13:636">10.172.3.13:636</a>        <a href="http://10.172.3.13:57692">10.172.3.13:57692</a> <br>0      0           <a href="http://10.172.3.13:636">10.172.3.13:636</a>        <a href="http://10.172.3.13:57695">10.172.3.13:57695</a> <br>0      0           <a href="http://10.172.3.13:636">10.172.3.13:636</a>        <a href="http://10.172.3.13:57690">10.172.3.13:57690</a> <br>0      0           <a href="http://10.172.3.13:636">10.172.3.13:636</a>        <a href="http://10.172.3.13:57689">10.172.3.13:57689</a> <br>0      0           <a href="http://10.172.3.13:636">10.172.3.13:636</a>        <a href="http://10.172.3.13:57693">10.172.3.13:57693</a> <br>0      0           <a href="http://10.172.3.13:636">10.172.3.13:636</a>        <a href="http://10.172.3.13:57688">10.172.3.13:57688</a> <br>0      0           <a href="http://10.172.3.13:636">10.172.3.13:636</a>        <a href="http://10.172.3.13:57691">10.172.3.13:57691</a> <br>0      0           <a href="http://10.172.3.13:636">10.172.3.13:636</a>        <a href="http://10.172.3.13:57687">10.172.3.13:57687</a> <br><br># ss -ant state established sport = :636 | wc -l<br>10<br><br># for ((i=0; i<256; i++)); do curl <a href="http://localhost/ca/rest/securityDomain/domainInfo">http://localhost/ca/rest/securityDomain/domainInfo</a> &>/dev/null; done<br><br># ss -ant state established sport = :636 | wc -l<br>266<br><br></div><div>Every request to the /ca/rest/securityDomain/domainInfo URL increases the number of LDAP connections and produces the same messages in the debug
log<br><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SessionContextInterceptor: Not authenticated.<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: mapping: default<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: required auth methods: [*]<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: anonymous access allowed<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: SecurityDomainResource.getDomainInfo()<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor.filter: no authorization required<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: No ACL mapping; authz not required.<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: content-type: null<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: accept: [*/*]<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: response format: application/xml<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating LdapBoundConnFactor(SecurityDomainProcessor)<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory: init 
<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory:doCloning true<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init()<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init begins<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: prompt is internaldb<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: try getting from memory cache<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: got password from memory<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: password found for prompt.<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: password ok: store in memory cache<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init ends<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: init: before makeConnection errorIfDown is false<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: makeConnection: errorIfDown false<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SSL handshake happened<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Established LDAP connection using basic authentication to host <a href="http://srv334.example.com">srv334.example.com</a> port 636 as cn=Directory Manager<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: initializing with mininum 3 and maximum 15 connections to host <a href="http://srv334.example.com">srv334.example.com</a> port 636, secure connection, true, authentication type 1<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: increasing minimum connections by 3<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new total available connections 3<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new number of connections 3<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: In 
LdapBoundConnFactory::getConn()<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: masterConn is connected: true<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: conn is connected true<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: mNumConns now 2<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: name: Company LLC<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: CA<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:  - cn=<a href="http://srv333.example.com:8443">srv333.example.com:8443</a>,cn=CAList,ou=Security Domain,o=pki-tomcat-CA<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - DomainManager: TRUE<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - cn: <a href="http://srv333.example.com:8443">srv333.example.com:8443</a><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SubsystemName: CA <a href="http://srv333.example.com">srv333.example.com</a> 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - Clone: FALSE<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - UnSecurePort: 8080<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAdminPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAgentPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecurePort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - host: <a href="http://srv333.example.com">srv333.example.com</a><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: 
SecurityDomainProcessor:    - objectClass: top<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:  - cn=<a href="http://srv334.example.com:8443">srv334.example.com:8443</a>,cn=CAList,ou=Security Domain,o=pki-tomcat-CA<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - objectClass: top<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - cn: <a href="http://srv334.example.com:8443">srv334.example.com:8443</a><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - host: <a href="http://srv334.example.com">srv334.example.com</a><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecurePort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAgentPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAdminPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - UnSecurePort: 8080<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - DomainManager: TRUE<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - Clone: TRUE<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SubsystemName: CA <a href="http://srv334.example.com">srv334.example.com</a> 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:  - cn=<a href="http://srv335.example.com:8443">srv335.example.com:8443</a>,cn=CAList,ou=Security Domain,o=pki-tomcat-CA<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - objectClass: top<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - cn: <a 
href="http://srv335.example.com:8443">srv335.example.com:8443</a><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - host: <a href="http://srv335.example.com">srv335.example.com</a><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecurePort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAgentPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAdminPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - UnSecurePort: 8080<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - DomainManager: TRUE<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - Clone: TRUE<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SubsystemName: CA <a href="http://srv335.example.com">srv335.example.com</a> 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: OCSP<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: KRA<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: RA<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TKS<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TPS<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap connection<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: returnConn: mNumConns now 3<br></div><div><br><br></div><div>At the same time, requests to different URLs do not increase the number of established LDAP connections.<br></div><div><br></div><div>Is it a bug or expected
behavior?<br></div><div><br></div>Aleksey<br></div>
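A check for this kind of leak, added here as an example and not part of Aleksey's report or of the PKI project's code: it computes the per-request growth in established connections from two <code>ss</code> snapshots taken around the request loop, and counts how many <code>LdapBoundConnFactor</code> instances the debug log records per <code>domainInfo</code> request, which is the signature visible in the log above. The snapshots and log lines are constructed to mirror the report's output; the function names <code>count_established</code>, <code>leak_per_request</code> and <code>factory_stats</code> are chosen for this example.

```python
import re

# Constructed snapshots shaped like the report's `ss -ant state established sport = :636`
# output: a header line followed by one row per established socket. Not real captures.
SS_BEFORE = (
    "Recv-Q Send-Q    Local Address:Port      Peer Address:Port\n"
    "0      0           10.172.3.13:636        10.172.3.13:57696\n"
    "0      0           10.172.3.13:636        10.172.3.13:57692\n"
    "0      0           10.172.3.13:636        10.172.3.13:57695\n"
)
# Snapshot after 256 requests: 256 additional rows, i.e. one new socket per request.
SS_AFTER = SS_BEFORE + "".join(
    f"0      0           10.172.3.13:636        10.172.3.13:{port}\n"
    for port in range(58000, 58256)
)


def count_established(ss_output, local_port=636):
    """Count data rows whose local address ends in :local_port. The header row is
    skipped because its first field ("Recv-Q") is not numeric."""
    rows = 0
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].isdigit() and fields[2].endswith(f":{local_port}"):
            rows += 1
    return rows


def leak_per_request(before, after, requests):
    """Established connections gained per request. A pool that is warmed up once
    shows a single one-off jump; a value that stays at a constant above 0 across
    repeated runs means connections are opened per request and never closed."""
    return (count_established(after) - count_established(before)) / requests


# Debug-log side: the report shows a new LdapBoundConnFactory being created inside
# every domainInfo request. Both marker strings are copied from the report's log.
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
REQUEST_MARK = "AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()"
FACTORY_MARK = "Creating LdapBoundConnFactor(SecurityDomainProcessor)"


def factory_stats(log_lines):
    """Return how many domainInfo requests the log records and how many connection
    factories were created while serving them; a ratio of 1.0 means one pool per request."""
    requests = factories = 0
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg == REQUEST_MARK:
            requests += 1
        elif msg.startswith(FACTORY_MARK):
            factories += 1
    ratio = factories / requests if requests else 0.0
    return {"requests": requests, "factories": factories, "factories_per_request": ratio}


def _request_lines(second, thread):
    # Constructed excerpt of one request, modelled on the report's debug log lines.
    prefix = f"[27/Aug/2015:18:04:{second:02d}][{thread}]: "
    return [
        prefix + "SessionContextInterceptor: Not authenticated.",
        prefix + REQUEST_MARK,
        prefix + "AuthMethodInterceptor: anonymous access allowed",
        prefix + FACTORY_MARK,
        prefix + "Established LDAP connection using basic authentication to host "
                 "srv334.example.com port 636 as cn=Directory Manager",
        prefix + "Releasing ldap connection",
        prefix + "returnConn: mNumConns now 3",
    ]


# Three constructed requests; the thread name repeats because the AJP executor reuses threads.
SAMPLE_LOG = (
    _request_lines(0, "ajp-bio-127.0.0.1-8009-exec-6")
    + _request_lines(1, "ajp-bio-127.0.0.1-8009-exec-6")
    + _request_lines(2, "ajp-bio-127.0.0.1-8009-exec-7")
)


if __name__ == "__main__":
    print(f"established before: {count_established(SS_BEFORE)}, after: {count_established(SS_AFTER)}")
    print(f"connections gained per request: {leak_per_request(SS_BEFORE, SS_AFTER, 256):.2f}")
    print(factory_stats(SAMPLE_LOG))
```

To use it against a live instance, capture the two <code>ss</code> outputs before and after the curl loop into <code>SS_BEFORE</code> and <code>SS_AFTER</code> and feed the CA debug log to <code>factory_stats</code>. Because the endpoint allows anonymous access, a per-request growth that never returns to the baseline also matters as a resource-exhaustion risk for the directory server, so the <code>ss</code> count is worth watching as an operational metric, not only while reproducing the bug.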