Problems connecting from IdP to LDAP service
Daniel Fisher
dfisher at vt.edu
Tue Sep 20 18:35:35 BST 2011
On Tue, Sep 20, 2011 at 12:34 PM, Mark Cairney <Mark.Cairney at ed.ac.uk> wrote:
> Hi Daniel,
>
> >
> > Looks like a TimeLimitExceededException was thrown? Does your idp log
> > confirm that?
> >
> > --Daniel Fisher
> >
>
> That's what we were seeing on Shib 2.1.5. Looking more closely at the
> LDAP query it appeared to be attempting alias dereferencing which was
> slowing down the search considerably. We've worked around it by upping
> the connection timeout and reducing the scope to ONELEVEL.
>
> I suppose there's now 2 questions outstanding:
>
> 1. Is there any way to control this behaviour on the Shib side?
>
Yes, try adding the property java.naming.ldap.derefAliases=never
http://download.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html
Pay attention to your search results, you may end up getting back multiple
entries in some cases.
> 2. On the LDAP side, why are these searches taking so long (7 seconds in
> one case)?
>
>
That's a tough question.
Try raising the debug log level in OpenLDAP and see what that tells you.
Also see http://www.openldap.org/doc/admin24/tuning.html
--Daniel Fisher
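As an added example (not code from this thread, from Shibboleth, or from the JNDI tutorial linked above), the following plain-Java JNDI lookup puts the two workarounds discussed into one place: the java.naming.ldap.derefAliases=never property, a ONELEVEL scope and a server-side time limit, plus the check Daniel warns about, refusing to proceed when more than one entry comes back. The LDAP URL, base DN, attribute names and uid are hypothetical placeholders; the timeouts are illustrative values, not ones the thread recommends.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.TimeLimitExceededException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapUserLookup {

    /** Look up the single user entry directly under baseDn whose uid matches. */
    public static SearchResult findUser(String ldapUrl, String baseDn, String uid)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        // The property from the thread: never dereference aliases while searching.
        env.put("java.naming.ldap.derefAliases", "never");
        // Client-side timeouts in milliseconds (illustrative values) so a slow
        // directory fails fast instead of tying up an IdP request thread.
        env.put("com.sun.jndi.ldap.connect.timeout", "3000");
        env.put("com.sun.jndi.ldap.read.timeout", "10000");

        SearchControls controls = new SearchControls();
        // ONELEVEL: only the immediate children of baseDn, as in Mark's workaround.
        controls.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        // Server-side time limit in ms; when exceeded the server aborts the search
        // and JNDI raises TimeLimitExceededException on the client.
        controls.setTimeLimit(5000);
        controls.setReturningAttributes(new String[] {"uid", "mail", "displayName"});

        DirContext ctx = new InitialDirContext(env);
        try {
            // {0} is escaped by JNDI, so a user-supplied uid cannot inject filter syntax.
            NamingEnumeration<SearchResult> hits =
                    ctx.search(baseDn, "(uid={0})", new Object[] {uid}, controls);
            List<SearchResult> found = new ArrayList<>();
            while (hits.hasMore()) {
                found.add(hits.next());
            }
            if (found.isEmpty()) {
                return null;
            }
            // Turning alias dereferencing off can change the result set; refuse to
            // guess which entry is the user when more than one matches.
            if (found.size() > 1) {
                throw new NamingException(
                        "ambiguous lookup: " + found.size() + " entries match uid " + uid);
            }
            return found.get(0);
        } catch (TimeLimitExceededException e) {
            // This is the exception the IdP log would show for a slow directory;
            // record the search parameters alongside it before propagating.
            System.err.println("LDAP search for uid=" + uid + " under " + baseDn
                    + " exceeded 5000 ms: " + e.getMessage());
            throw e;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Hypothetical server, base DN and uid; substitute your own.
        String uid = args.length > 0 ? args[0] : "jdoe";
        SearchResult r = findUser("ldap://ldap.example.org:389",
                "ou=people,dc=example,dc=org", uid);
        System.out.println(r == null ? "no such user"
                : r.getNameInNamespace() + " " + r.getAttributes());
    }
}
```

Run it against a test directory with a known uid and compare wall-clock time with and without the derefAliases line; if the gap disappears, alias chasing was the cost and the OpenLDAP-side question reduces to why the aliases are there at all.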