Extremely slow IdP login
Peter Schober
peter.schober at univie.ac.at
Thu Aug 2 07:11:23 EDT 2012
* Peter Gietz <peter.gietz at daasi.de> [2012-08-02 12:55]:
> Thanks a lot Peter for this remark, which leads me to the more
> general questions:
>
> Is the LDAP behaviour of the library used by the IdP documented so that
> we can attempt such a mimicking?
Start at "Advanced Configuration Options":
https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverLDAPDataConnector
Under "Other Connection Properties" there's the link to the Sun and
VT-LDAP docs, e.g. http://code.google.com/p/vt-middleware/wiki/vtldapProperties
> Or even better: has anybody tried to do this mimicking with OpenLDAP
> ldapsearch command line tool already?
You can easily figure this out based on the defaults in the docs.
I had to do this once when OpenLDAP's ldapsearch would work fine
apparently but the IdP insisted that more than one entry was being
returned (aliases in play, obviously).
I'm not saying that this is how the problem will be found, I was just
questioning the reasoning in the aforementioned "deduction" based on
the default behaviour of some ldapsearch(1) implementation.
> We will have a second look with TCPdump anyway to proceed in our
> debugging.
/If/ you can disable TLS/SSL to the DS (which of course is not at all
advisable in most production environments) that's most likely to help
identify which side is to blame, since you'll be able to see exactly
who's sending what and when from the protocol messages (with the help
of e.g. Wireshark). But then YMMV,
-peter