LDAP and timeLimit Value
Ryan Tapp
Ryan.Tapp at csulb.edu
Mon Nov 26 12:01:35 EST 2018
Thanks Peter and Daniel.
Before I get to the specific details asked for, we’re fronting the IdP with httpd (using ajp with Tomcat 8.5.x). Possible that 4 seconds is coming from some httpd mod/setting? I’m checking that aspect this morning, because I agree... must be coming from somewhere between the IdP and LDAP. The AD LDS default timeout is 120 seconds, by the way. If I strike out (again) I’ll be back with specific details. I appreciate the help.
By the way, I found an old 2015 post where Dominique makes reference to “4 seconds” but I can’t tell where that applies in the thread. Using ldapsearch on my IdP with no time out value sends the request with timeLimit = 0 in the packet.
http://shibboleth.1660669.n2.nabble.com/sporadic-user-authenication-issues-tp7611712p7611785.html
Ryan Tapp
California State University Long Beach
From: users <users-bounces at shibboleth.net> On Behalf Of Daniel Fisher
Sent: Saturday, November 24, 2018 8:05 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: LDAP and timeLimit Value
On Tue, Nov 20, 2018 at 1:08 PM Ryan Tapp <Ryan.Tapp at csulb.edu> wrote:
> I’m still convinced the issue is ultimately with my new LDAP servers, but my question is about that 4 seconds… where is that coming from?
I'm confused by that as well. If you could list the entire configuration for each scenario we could figure it out.
I just want to note that responseTimeout is a client side setting, basically give up if you haven't gotten a response yet.
The timeLimit property requests that the server return whatever results it's accumulated in that time.
While it's a request property the server will also have a default value to prevent clients from running long searches.
I'd be surprised if your server has a default timeLimit of 4 seconds, as it's typically configured on the order of minutes, not seconds.
But that is a possibility.
(Note that the IDP configures a default timeLimit of 3 seconds, which still doesn't explain your 4 seconds.)
--Daniel Fisher
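
An added example, not part of the original thread: a minimal BER reader that pulls sizeLimit and timeLimit out of a captured LDAP SearchRequest (field order per RFC 4511), to confirm what the client actually put in the packet. It assumes a cleartext capture (no LDAPS or StartTLS); the base DN, filter and sample packets are constructed here, and a timeLimit of 0 means the client requested no limit.

```python
# Added example: pull sizeLimit/timeLimit out of an LDAP SearchRequest (RFC 4511).

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid in LDAP")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def search_limits(packet):
    """Return (sizeLimit, timeLimit) from one LDAPMessage carrying a SearchRequest."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = read_tlv(msg, 0)            # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x63:                         # [APPLICATION 3], constructed
        raise ValueError("protocolOp is not a SearchRequest")
    fields, pos = [], 0
    for _ in range(5):                      # baseObject, scope, derefAliases, sizeLimit, timeLimit
        tag, value, pos = read_tlv(op, pos)
        fields.append((tag, value))
    (size_tag, size), (time_tag, limit) = fields[3], fields[4]
    if size_tag != 0x02 or time_tag != 0x02:
        raise ValueError("sizeLimit/timeLimit are not INTEGERs")
    return int.from_bytes(size, "big"), int.from_bytes(limit, "big")

def tlv(tag, value):
    """Encode one element (short-form length only, enough for the sample)."""
    return bytes([tag, len(value)]) + value

def sample_search(time_limit):
    """Constructed SearchRequest: subtree search under a placeholder base DN."""
    op = (tlv(0x04, b"dc=example,dc=org") + tlv(0x0A, b"\x02") + tlv(0x0A, b"\x00")
          + tlv(0x02, b"\x00") + tlv(0x02, bytes([time_limit])) + tlv(0x01, b"\x00")
          + tlv(0x87, b"objectClass") + tlv(0x30, b""))
    return tlv(0x30, tlv(0x02, b"\x02") + tlv(0x63, op))

if __name__ == "__main__":
    for seconds in (0, 3):
        print(search_limits(sample_search(seconds)))
```

Comparing the decoded timeLimit with the delay seen at the client separates a server-side limit requested in the packet from a client-side responseTimeout, which never appears on the wire.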