LDAP and timeLimit Value
Ryan Tapp
Ryan.Tapp at csulb.edu
Fri Nov 30 11:30:19 EST 2018
Scott's comment saved me from wasting time on that front. At this point, I'd like feedback on my configuration, because when looking at the packets I just can't account for that timeLimit value of 4. Maybe something in my configuration will be glaringly obvious to others; it's always tracked pretty closely to default, and I know that's bitten some users on the list in the past. I'm currently still using 389 for my testing. I'm working on a follow-up post that will contain logs/packet capture information to illustrate more completely what I'm seeing. Appreciate any feedback.
As a summary, my searchRequest that appears to be the one pulling back attributes is getting timeLimit: 4 regardless of the responseTimeout value for my data connector. When I do a command-line ldapsearch from the IdP box, I get timeLimit: 0 in my request. When the LDAP server is responsive, this value doesn't matter and I get my attributes back in less than a second. When the search ends up taking more than 4 seconds for any reason, I get a timeLimitExceeded message back to the IdP (no attributes).
Lightweight Directory Access Protocol
    LDAPMessage searchRequest(2) "ou=Active,ou=People,dc=ldap,dc=example,dc=edu" wholeSubtree
        messageID: 2
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: ou=Active,ou=People,dc=ldap,dc=example,dc=edu
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 1
                timeLimit: 4
                typesOnly: False
                Filter: (uid=123456789)
                    filter: equalityMatch (3)
                        equalityMatch
                attributes: 0 items
        [Response In: 73]
Shibboleth IdP 3.4.1 (plus some randomly picked older 3.x versions)
RHEL 7.5
Java JDK 8u181 (and 8u191)
Tomcat 8.5.34 with httpd front-end
Also tested with Jetty 9.3.latest with no httpd front-end (direct)
ldap-authn-config.xml: default
ldap.properties:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.edu:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.connectTimeout = PT3S
idp.authn.LDAP.responseTimeout = PT30S
idp.authn.LDAP.baseDN = ou=Active,ou=People,dc=ldap,dc=example,dc=edu
idp.authn.LDAP.subtreeSearch = false
idp.authn.LDAP.userFilter = (cn={user})
idp.authn.LDAP.bindDN = cn=bind_service_acct,ou=Users,ou=Infrastructure Support,dc=ldap,dc=example,dc=edu
idp.authn.LDAP.bindDNCredential = secretpw
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout}
idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout}
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN}
idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN}
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates}
idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
idp.pool.LDAP.minSize = 3
idp.pool.LDAP.maxSize = 20
idp.pool.LDAP.validateOnCheckout = false
idp.pool.LDAP.validatePeriodically = true
idp.pool.LDAP.validatePeriod = PT55S
idp.pool.LDAP.prunePeriod = PT3M
idp.pool.LDAP.idleTime = PT5M
idp.pool.LDAP.blockWaitTime = PT3S
idp.pool.LDAP.failFastInitialize = false
attribute-resolver.xml:
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
    <dc:FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </dc:FilterTemplate>
    <dc:ConnectionPool
        minPoolSize="%{idp.pool.LDAP.minSize}"
        maxPoolSize="%{idp.pool.LDAP.maxSize}"
        blockWaitTime="%{idp.pool.LDAP.blockWaitTime}"
        validatePeriodically="%{idp.pool.LDAP.validatePeriodically}"
        validateTimerPeriod="%{idp.pool.LDAP.validatePeriod}"
        expirationTime="%{idp.pool.LDAP.idleTime}"
        failFastInitialize="%{idp.pool.LDAP.failFastInitialize}" />
</resolver:DataConnector>
Ryan Tapp
California State University Long Beach
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Monday, November 26, 2018 9:23 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: LDAP and timeLimit Value
> Possible that 4 seconds is coming from some httpd mod/setting?
Totally impossible, they have nothing to do with each other.
-- Scott
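Added example (not part of the thread, not Shibboleth or ldaptive code): a stdlib-only BER decoder that pulls messageID, sizeLimit and timeLimit out of a raw LDAP searchRequest (RFC 4511), so the value seen in a capture can be checked against the connector's configured responseTimeout. The sample message is constructed here to mirror the Wireshark tree in the post; the 30-second timeout in the check is taken from the posted ldap.properties.

```python
"""Decode an LDAP searchRequest (BER, RFC 4511) and compare its timeLimit to a client timeout."""

def _tlv(tag: int, payload: bytes) -> bytes:
    # Short-form BER tag/length/value, enough for the constructed sample below.
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos; handles long-form lengths."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                   # long form: low bits = number of length octets
        count = n & 0x7F
        n = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + n], pos + n

def _int(v: bytes) -> int:
    return int.from_bytes(v, "big", signed=True)

def parse_search_request(msg: bytes) -> dict:
    """Extract the header fields of a searchRequest that matter for timeout debugging."""
    tag, body, _ = _read_tlv(msg, 0)
    assert tag == 0x30, "LDAPMessage must be a SEQUENCE"
    _, mid, pos = _read_tlv(body, 0)               # messageID INTEGER
    op_tag, op, _ = _read_tlv(body, pos)
    assert op_tag == 0x63, "protocolOp is not searchRequest ([APPLICATION 3])"
    fields = {"messageID": _int(mid)}
    pos = 0
    for name in ("baseObject", "scope", "derefAliases", "sizeLimit", "timeLimit", "typesOnly"):
        _, val, pos = _read_tlv(op, pos)
        fields[name] = val.decode() if name == "baseObject" else _int(val)
    fields["typesOnly"] = bool(fields["typesOnly"])
    return fields

def time_limit_mismatch(fields: dict, response_timeout_s: int) -> bool:
    """True when the server-side timeLimit (0 = unlimited) is tighter than the client's responseTimeout."""
    return fields["timeLimit"] != 0 and fields["timeLimit"] < response_timeout_s

def sample_search_request() -> bytes:
    """Constructed sample matching the capture in the post: scope wholeSubtree, sizeLimit 1, timeLimit 4."""
    base = b"ou=Active,ou=People,dc=ldap,dc=example,dc=edu"
    flt = _tlv(0xA3, _tlv(0x04, b"uid") + _tlv(0x04, b"123456789"))   # equalityMatch [3]
    op = (_tlv(0x04, base) + _tlv(0x0A, b"\x02") + _tlv(0x0A, b"\x00")  # scope, derefAliases
          + _tlv(0x02, b"\x01") + _tlv(0x02, b"\x04") + _tlv(0x01, b"\x00")  # sizeLimit, timeLimit, typesOnly
          + flt + _tlv(0x30, b""))                                       # attributes: 0 items
    return _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x63, op))              # messageID 2

if __name__ == "__main__":
    f = parse_search_request(sample_search_request())
    print(f, "mismatch vs PT30S:", time_limit_mismatch(f, 30))
```

Feeding the decoder the raw bytes of the real request (for example exported from Wireshark) lets you confirm the timeLimit the IdP actually sent, independent of what the properties file says.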
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to mailto:users-unsubscribe at shibboleth.net