IdP use of LDAP and connection pooling

Eric Goodman ericg at
Thu Sep 8 22:07:20 BST 2011

On Sep 8, 2011, at 1:33 PM, Cantor, Scott wrote:
> On 9/8/11 4:27 PM, "Eric Goodman" <ericg at> wrote:
>> This was with an older version of the IdP (2.1.5, right around when
>> vt-ldap was first added).
>> Due to an unrelated PeopleSoft LDAP-handling bug, we ended up lowering
>> the idle timeout on our IdP to on the order of 2 minutes. This
>> effectively made the LB timeout handling a non issue.
> Which idle timeout are you referring to, if you don't mind?

Yeah, that was a typo. I almost replied to my own message to correct but didn't want to clutter the list if no one cared. 

The timeout was really the LDAP server's base idle session timeout. 

PeopleSoft has (had?) a known bug where it creates lots and lots of orphan LDAP sessions. The suggested workaround was to reduce the idle timeout on LDAP sessions at the LDAP server. So this particular bug really had nothing to do with Shibboleth except that it's the same LDAP server that Shibboleth queries. 

The rest was just trying to say that since making the change (and finally upgrading to 2.3.3, yay!) we haven't noticed any performance issues on the IdP.

--- Eric

Eric Goodman
ericg at
