SLOW AD auth, attribute lookup
Vishvjit Khalipe
vishvjit at gmail.com
Sun Apr 13 11:41:32 EDT 2014
Hello,
We use Shib Idp 2.3, KERBEROS login handler for auth with AD, LDAPDirectory
to look up attributes from AD.
For the last few days we have been experiencing very slow responses from AD
during auth & attribute lookup. A few days back it was <1 sec.
e.g.
- it takes 10+ sec for auth
07:51:19.278 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:88] - Validating GSS token. Realm: <domain>
07:51:28.421 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:146] - GSS context created.
- 30+ sec for attribute lookup (usually not this bad, but the following was
the 1st login after a server restart)
07:51:28.559 - DEBUG [edu.vt.middleware.ldap.Ldap:193] - Search with the following parameters:
07:51:28.559 - DEBUG [edu.vt.middleware.ldap.Ldap:194] - dn = DC=<host>,DC=com
07:51:28.559 - DEBUG [edu.vt.middleware.ldap.Ldap:195] - filter = (&(objectCategory=person)(objectClass=user)(|(userPrincipalName=<myusername>@<host>.COM)(sAMAccountName=<myusername>@<host>.COM)))
07:51:28.560 - DEBUG [edu.vt.middleware.ldap.Ldap:196] - filterArgs = []
07:51:28.560 - DEBUG [edu.vt.middleware.ldap.Ldap:197] - searchControls = javax.naming.directory.SearchControls@e3d4817
07:51:28.560 - DEBUG [edu.vt.middleware.ldap.Ldap:198] - handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@5947e54e, edu.vt.middleware.ldap.handler.EntryDnSearchResultHandler@7f1f91ac, edu.vt.middleware.ldap.handler.BinarySearchResultHandler@7194f467]
07:52:05.674 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector GlobalLDAP - Found the following attribute: userPrincipalName[<myusername>@<host>.com]
Tomorrow we will be meeting with the AD team to investigate this & find out
if anything changed in AD in the last few days.
*Has anyone faced this issue before? Can we give specific pointers to the AD
team so that they can debug in the right direction? Thanks for your help.*
(*p.s. Currently we have not added derefAliases=never in the attribute
resolver, login config, but we plan to add it in the next release. But I am
not sure if it will make much difference, because we had decent performance
a few days back.*)
--
Regards,
Vish
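
Added example, not part of the original post: a small script that measures the time between consecutive IdP DEBUG entries so the slow step (GSS token validation, LDAP search) can be handed to the AD team with exact timings. The sample input is constructed from the excerpts above, and the function names and the 1-second threshold are assumptions.

```python
import re
from datetime import timedelta

# IdP log entry as shown in the post: "HH:MM:SS.mmm - LEVEL [logger:line] - message".
# \s+ between fields tolerates the line wrapping seen in mail archives.
ENTRY = re.compile(r"(\d\d):(\d\d):(\d\d)\.(\d{3})\s+-\s+(\w+)\s+\[([^\]]+)\]")

# Constructed sample modelled on the excerpts in the post (placeholders kept).
SAMPLE = """\
07:51:19.278 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:88] - Validating GSS token. Realm: <domain>
07:51:28.421 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:146] - GSS context created.
07:51:28.559 - DEBUG [edu.vt.middleware.ldap.Ldap:193] - Search with the following parameters:
07:51:28.560 - DEBUG [edu.vt.middleware.ldap.Ldap:198] - handler = [...]
07:52:05.674 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector GlobalLDAP - Found the following attribute: userPrincipalName[...]
"""

def parse(text):
    """Return [(time since midnight, logger)] for every entry, including
    entries that were fused onto one line or wrapped across lines."""
    out = []
    for m in ENTRY.finditer(text):
        h, mi, s, ms = (int(g) for g in m.group(1, 2, 3, 4))
        stamp = timedelta(hours=h, minutes=mi, seconds=s, milliseconds=ms)
        out.append((stamp, m.group(6)))
    return out

def slow_steps(text, threshold=1.0):
    """List (gap_seconds, logger_before, logger_after) for gaps >= threshold."""
    entries = parse(text)
    hits = []
    for (t0, before), (t1, after) in zip(entries, entries[1:]):
        gap = (t1 - t0).total_seconds()
        if gap < 0:  # the log has no date field, so handle a midnight rollover
            gap += 86400
        if gap >= threshold:
            hits.append((round(gap, 3), before, after))
    return hits

if __name__ == "__main__":
    for gap, before, after in slow_steps(SAMPLE):
        # Print only the short class:line part of each logger name.
        print(f"{gap:8.3f}s  {before.rsplit('.', 1)[-1]} -> {after.rsplit('.', 1)[-1]}")
```

Because these entries come from a single login, every gap belongs to that request; on a busy IdP, filter the log to one thread or session first so gaps between unrelated requests are not counted.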