Strange warnings from IdP 3.2.1

Domingues, Michael D michael-domingues at uiowa.edu
Wed Apr 27 09:04:50 EDT 2016 

Having looked at my configuration, that was the only change I had to make, though in my environment, it was 60 seconds that did the trick. Obviously, the ideal time will be site specific, depending upon what infrastructure you're dealing with. In my case, I had to deal with the interaction of the load-balancer timeout at five minutes, LDAP server timeout of never-used connections at two minutes, and the fact that when a connection pool is initialized, the constituent connections get tested on first use (or checkout) rather than on creation.

Best,
Michael

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Gerd Schering
Sent: Wednesday, April 27, 2016 7:58 AM
To: users at shibboleth.net
Subject: Re: Strange warnings from IdP 3.2.1

Hello Michael,

that seems to be the good idea! I set idp.pool.LDAP.validatePeriod = 20 and the warnings vanished. But 20 s seems very short to me, so I think I will contact our network staff.

Thanks a lot. If you made any other configuration changes to help this issue, please let me know.

Best,
Gerd

On 27.04.2016 14:14, Domingues, Michael D wrote:
>
> Sent that last message a bit too soon. As an explanatory follow up, while I was building out our IdPv3 clusters, I encountered that error when connections to our LDAP environment were getting killed by our F5 load balancer due to inactivity.
>
> I don't remember the specific configuration change I made off-hand, but it involved dropping the verification query interval to less than the load balancer's keep-alive window. Will follow-up with details once I get into the office, unless someone else chimes in before then.
>
> Michael
> ________________________________________
> From: Domingues, Michael D
> Sent: Wednesday, April 27, 2016 7:05:43 AM
> To: Shib Users
> Subject: Re: Strange warnings from IdP 3.2.1
>
> Hello Gerd,
>
> What is the default timeout on an inactive connection to your LDAP server? Also, is there a load-balancing device in front of your LDAP server(s) by any chance?
>
> Best,
> Michael Domingues
> Directory and Authentication Services, AIS, ITS University of Iowa 
> ________________________________________
> From: users <users-bounces at shibboleth.net> on behalf of Gerd Schering 
> <gerd.schering at tu-berlin.de>
> Sent: Wednesday, April 27, 2016 6:36:06 AM
> To: Shib Users
> Subject: Strange warnings from IdP 3.2.1
>
> Hi,
>
> I'm using a fresh install of IdP 3.2.1.
> Everything is working, but I get strange warnings in the idp-warn/process.logs:
>
> 2016-04-27 13:17:28,748 - WARN
> [org.ldaptive.AbstractOperation$ReopenOperationExceptionHandler:277] - 
> Operation exception encountered, reopening connection
> 2016-04-27 13:17:28,810 - WARN
> [org.ldaptive.AbstractOperation$ReopenOperationExceptionHandler:277] - 
> Operation exception encountered, reopening connection
> 2016-04-27 13:17:28,860 - WARN
> [org.ldaptive.AbstractOperation$ReopenOperationExceptionHandler:277] - 
> Operation exception encountered, reopening connection
> 2016-04-27 13:17:29,015 - WARN
> [org.ldaptive.AbstractOperation$ReopenOperationExceptionHandler:277] - 
> Operation exception encountered, reopening connection
> 2016-04-27 13:17:29,073 - WARN
> [org.ldaptive.AbstractOperation$ReopenOperationExceptionHandler:277] - 
> Operation exception encountered, reopening connection
> 2016-04-27 13:17:29,120 - WARN
> [org.ldaptive.AbstractOperation$ReopenOperationExceptionHandler:277] - 
> Operation exception encountered, reopening connection
>
> Each time that happens, exactly 6 messages. I could figure out that 
> the time interval between subsequent warnings gets controlled by the 
> idp.pool.LDAP.validatePeriod parameter, set in ldap.properties.
>
> Such warnings were an issue in version 3.1 of the IdP.
> But as said, I use version 3.2.1 and it is a fresh install not an upgrade.
> By the way, the staus page of the IdP says:
> DataConnector myLDAP: has never failed.
>
> Any hints will be appreciated,
> Gerd
>
> --
> ------------------------------------------------------
> -- Gerd Schering, Email: Schering at tubit.TU-Berlin.DE--
> ------------------------------------------------------
> --
> To unsubscribe from this list send an email to 
> users-unsubscribe at shibboleth.net
>


--
------------------------------------------------------
-- Gerd Schering, Email: Schering at tubit.TU-Berlin.DE--
-- TU Berlin, tubIT IT-Service-Center               --
-- Sekr. E-N 50, Einsteinufer 17, 10587 Berlin      --
-- phone: +49 30 314 24383, fax: +49 30 314 21060   --
------------------------------------------------------
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list