sporadic user authentication issues

Rhian Resnick rresnick at fau.edu
Tue Feb 17 20:24:59 EST 2015


Vince,



I think, if I remember correctly, it was the firewall and BigIP TCP closing idle connections. Java is not informed of the TCP reset, which results in authentication failing for users who get the affected pooled connections. I have learned this lesson twice at two different universities. You can detect the resets using tcpdump.


    tcpdump -n -v 'tcp[tcpflags] & (tcp-rst) != 0'



Checking the TCP idle parameters in this document might help.


http://markgamache.blogspot.com/2010/12/tuning-f5-big-ip-performance-to-ruin.html



Rhian Resnick

Assistant Director Middleware and HPC

Office of Information Technology


Florida Atlantic University

777 Glades Road, CM22, Rm 218

Boca Raton, FL 33431

Phone 561.297.2647

Fax 561.297.0222


________________________________
From: users-bounces at shibboleth.net <users-bounces at shibboleth.net> on behalf of Esquivel, Vince <Esquivelv at uhd.edu>
Sent: Tuesday, February 17, 2015 4:36 PM
To: Shib Users
Subject: RE: sporadic user authentication issues

Thank you Rhian

Any chance you can share what you had to adjust?

Vince

From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Rhian Resnick
Sent: Tuesday, February 17, 2015 3:17 PM
To: Shib Users
Subject: RE: sporadic user authentication issues

We have had similar issues with cas and shibboleth. We needed to adjust the connection pooling in the bigip.

Rhian Resnick
Fau

Sent via the Samsung GALAXY S®4 Active(tm), an AT&T 4G LTE smartphone

-------- Original message --------
From: "Esquivel, Vince"
Date:02/17/2015 3:30 PM (GMT-05:00)
To: Shib Users
Subject: RE: sporadic user authentication issues

The LDAP sources are in an F5 load balancer pool, which we changed our configuration to point at.  Is there a setting on the shibboleth config to increase this setting?  Could the load balancer be the issue?

Thanks
Vince

From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of IAM David Bantz
Sent: Tuesday, February 17, 2015 1:33 PM
To: Shib Users
Subject: Re: sporadic user authentication issues


On Tue, Feb 17, 2015 at 10:09 AM, Esquivel, Vince <Esquivelv at uhd.edu> wrote:
> LDAP: error code 3 - Timelimit Exceeded

The error in the quoted log messages is explicit:
LDAP: error code 3 - Timelimit Exceeded
That's AFTER authenticating the user with a bind using the user's submitted credentials,
and AFTER the IdP successfully bound to the LDAP and searched for the user's attributes.

After a few seconds, the directory aborted the LDAP search for the user's attributes with the timeout,
which is completely different from the message in the previous post indicating an incorrect password for the user.





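The mechanism Rhian describes at the top of this message (a firewall or BigIP resets an idle TCP connection, the Java LDAP pool is never told, and the next login that gets that pooled connection fails) can be reproduced locally. The following is an added, runnable illustration and is not part of the original thread or of any Shibboleth code: the server is a constructed stand-in that speaks a one-line toy protocol rather than LDAP, Pool is a minimal stand-in for the IdP's Java pool, PING and BIND are made-up request lines, and the reset is produced with a zero-timeout SO_LINGER close, one way a middlebox tears a flow down. It shows both the failure (validate=False) and the fix most pools offer, validating a connection on checkout with a real request so a dead one is replaced before the caller sees it (validate=True).

```python
# Added example (not from the thread): toy one-line protocol, not LDAP; Pool is not the IdP's Java pool.
import socket
import struct
import threading
import time

CLIENT_TIMEOUT = 2.0  # bounds recv() so a silently dropped flow also fails


class StubServer:
    """Directory stand-in: a thread per connection answers each request with
    b"OK\\n"; reset_all() aborts every current connection with RST, which is
    what an idle timeout on a firewall or BIG-IP does to the flow."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.addr = self.sock.getsockname()
        self.accepted = 0
        self._idle_timeout = threading.Event()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def wait_for_connections(self, n):
        while self.accepted < n:
            time.sleep(0.01)

    def reset_all(self):
        fired, self._idle_timeout = self._idle_timeout, threading.Event()
        fired.set()  # only connections accepted before this point are reset

    def _accept_loop(self):
        while True:
            conn, _ = self.sock.accept()
            self.accepted += 1
            threading.Thread(target=self._serve, args=(conn, self._idle_timeout), daemon=True).start()

    @staticmethod
    def _serve(conn, idle_timeout):
        conn.settimeout(0.05)
        while not idle_timeout.is_set():
            try:
                data = conn.recv(64)
            except socket.timeout:
                continue
            if not data:  # client closed normally
                conn.close()
                return
            conn.sendall(b"OK\n")  # every request "succeeds"
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))  # linger 0: RST
        conn.close()  # the flow is gone; the idle client is never told


def request(conn, line):
    """One request/response. False means the connection is dead: reset, closed
    (b"") or silently dropped (no reply within CLIENT_TIMEOUT; MSG_PEEK would miss that)."""
    try:
        conn.sendall(line)
        return conn.recv(64) == b"OK\n"
    except OSError:  # ConnectionResetError, BrokenPipeError, socket.timeout
        return False


class Pool:
    """Pre-opened connections handed out on checkout, like a Java LDAP pool.
    With validate=True a checkout first probes the connection and replaces it
    if the probe fails, so the caller never gets the dead one."""

    def __init__(self, addr, size, validate):
        self.addr, self.validate = addr, validate
        self.idle = [socket.create_connection(addr, timeout=CLIENT_TIMEOUT) for _ in range(size)]

    def checkout(self):
        conn = self.idle.pop(0)
        if self.validate and not request(conn, b"PING\n"):
            conn.close()
            conn = socket.create_connection(self.addr, timeout=CLIENT_TIMEOUT)
        return conn

    def checkin(self, conn):
        self.idle.append(conn)

    def bind(self):  # what the IdP does per login: check out, bind, check back in
        conn = self.checkout()
        ok = request(conn, b"BIND uid=alice\n")
        self.checkin(conn)
        return ok


def run_scenario(validate):
    """Bind, let the "middlebox" reset the idle pool, bind again."""
    server = StubServer()
    pool = Pool(server.addr, 2, validate)
    server.wait_for_connections(2)
    first = pool.bind()
    server.reset_all()
    time.sleep(0.3)  # let the server threads see the event and send the RSTs
    second = pool.bind()
    return first, second  # (True, False) without validation, (True, True) with
```

Call run_scenario(False) and run_scenario(True) to see the two outcomes. While it runs, the tcpdump filter quoted above ('tcp[tcpflags] & (tcp-rst) != 0') on the loopback interface shows the RSTs the stub sends, which is the same check to run against the real load balancer. The validator here is a real request rather than a cheap MSG_PEEK liveness probe because a firewall that simply drops the flow state sends no RST at all; only a request that times out exposes that case. On IdP v3 the equivalent knobs are in conf/ldap.properties (idp.pool.LDAP.validateOnCheckout, idp.pool.LDAP.validatePeriodically, idp.pool.LDAP.validatePeriod, idp.pool.LDAP.idleTime), a detail the thread itself does not state; keeping the pool's idle time below the middlebox's idle timeout, or validating periodically at a shorter interval, avoids handing out a connection the BigIP has already reset.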

