SLOW AD auth, attribute lookup

Douglas E Engert deengert at gmail.com
Tue Apr 15 09:56:06 EDT 2014



On 4/13/2014 10:41 AM, Vishvjit Khalipe wrote:
> Hello,
>
> We use Shib Idp 2.3, KERBEROS login handler for auth with AD, LDAPDirectory to look up attributes from AD.
>
> For the last few days we have been experiencing very slow response from AD during auth & attribute lookup. A few days back it was <1 sec.
> e.g.
>
>   * it takes 10+ sec for auth
>
> 07:51:19.278 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:88] - Validating GSS token. Realm: <domain>
> 07:51:28.421 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:146] - GSS context created.
>
>   * 30+ sec for attribute lookup (usually not this bad but following was 1st login after server restart)
>
> 07:51:28.559 - DEBUG [edu.vt.middleware.ldap.Ldap:193] - Search with the following parameters:
> 07:51:28.559 - DEBUG [edu.vt.middleware.ldap.Ldap:194] -   dn = DC=<host>,DC=com
> 07:51:28.559 - DEBUG [edu.vt.middleware.ldap.Ldap:195] -   filter = (&(objectCategory=person)(objectClass=user)(|(userPrincipalName=<myusername>@<host>.COM)(sAMAccountName=<myusername>@<host>.COM)))
> 07:51:28.560 - DEBUG [edu.vt.middleware.ldap.Ldap:196] -   filterArgs = []
> 07:51:28.560 - DEBUG [edu.vt.middleware.ldap.Ldap:197] -   searchControls = javax.naming.directory.SearchControls at e3d4817
> 07:51:28.560 - DEBUG [edu.vt.middleware.ldap.Ldap:198] -   handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler at 5947e54e,
> edu.vt.middleware.ldap.handler.EntryDnSearchResultHandler at 7f1f91ac, edu.vt.middleware.ldap.handler.BinarySearchResultHandler at 7194f467]
> 07:52:05.674 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector GlobalLDAP - Found the following attribute:
> userPrincipalName[<myusername>@<host>.com]
>
> Tomorrow, we will be meeting with AD team to investigate this & know if anything, changed in AD in last few days.

Is this in an AD forest? You might be getting referrals to a DC that is not operating.

https://wiki.shibboleth.net/confluence/display/SHIB2/LdapServerIssues#LdapServerIssues-Referrals

(You might get more information using TRACE rather than DEBUG.)

>
> Has anyone faced this issue before? Can we give specific pointers to the AD team so that they can debug in the right direction? Thanks for your help.
>
> (p.s. Currently we have not added derefAliases=never in the attribute resolver and login config, but we plan to add it in the next release. But I am not sure if it will make much difference, because we had
> decent performance a few days back.)
>
> --
> Regards,
>    Vish
>
>
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
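The DEBUG lines quoted above can be timed rather than eyeballed, which makes it easier to tell the AD team which phase (Kerberos GSS validation or the LDAP attribute search) is slow and by how much. The following is an added example, not code from the thread or from Shibboleth: it pairs the IdP's start and end log markers for each phase and reports the elapsed seconds; the sample log is constructed from the thread's timestamps and logger names, with a placeholder realm and base DN.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modeled on the IdP DEBUG lines quoted in the thread:
# timestamps and logger names are from the thread; realm and base DN are placeholders.
SAMPLE_LOG = """\
07:51:19.278 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:88] - Validating GSS token. Realm: EXAMPLE
07:51:28.421 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:146] - GSS context created.
07:51:28.559 - DEBUG [edu.vt.middleware.ldap.Ldap:193] - Search with the following parameters:
07:51:28.559 - DEBUG [edu.vt.middleware.ldap.Ldap:194] -   dn = DC=example,DC=com
07:52:05.674 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector GlobalLDAP - Found the following attribute:
"""

# "HH:MM:SS.mmm - LEVEL [logger:line] - message"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) - (\w+) \[([^\]]+)\] - (.*)$")

# Each phase is a (start marker, end marker) pair of substrings of the log message.
PHASES = {
    "kerberos_auth": ("Validating GSS token", "GSS context created"),
    "ldap_attribute_lookup": ("Search with the following parameters", "Found the following attribute"),
}

def parse_ts(s):
    return datetime.strptime(s, "%H:%M:%S.%f")

def phase_durations(log_text, phases=PHASES):
    """Return {phase_name: [elapsed_seconds, ...]} for every completed start/end pair."""
    results = {name: [] for name in phases}
    open_start = {}  # phase_name -> timestamp of the most recent start marker
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _level, _logger, msg = m.groups()
        for name, (start, end) in phases.items():
            if start in msg:
                open_start[name] = parse_ts(ts)
            elif end in msg and name in open_start:
                delta = parse_ts(ts) - open_start.pop(name)
                if delta < timedelta(0):  # timestamps carry no date; handle midnight rollover
                    delta += timedelta(days=1)
                results[name].append(delta.total_seconds())
    return results

def slow_phases(log_text, threshold_s=1.0):
    """Phases whose worst observed duration exceeds threshold_s (default: the <1 s baseline from the thread)."""
    return sorted(n for n, ds in phase_durations(log_text).items() if ds and max(ds) > threshold_s)
```

Run it over a full idp-process.log to see whether the slowness is in the Kerberos exchange, the LDAP search, or both, and whether it affects every login or only the first one after a restart.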


