LDAP and timeLimit Value

Ryan Tapp Ryan.Tapp at csulb.edu
Fri Nov 30 11:30:19 EST 2018


Scott's comment saved me from wasting time on that front.  At this point, I'd like feedback on my configuration because when looking at the packets I just can't account for that timeLimit value of 4.  Maybe something in my configuration will be glaringly obvious to others; it's always tracked pretty closely to default and I know that's bitten some users on the list in the past.  I'm currently still using 389 for my testing.  I'm working on a follow-up post that will contain logs/packet capture information to illustrate more completely what I'm seeing.  Appreciate any feedback.

As a summary, my searchRequest that appears to be the one pulling back attributes is getting timeLimit: 4 regardless of the responseTimeout value for my data connector.  When I do a command line ldapSearch from the IdP box, I get timeLimit: 0 in my request.  When the ldap server is responsive, this value doesn't matter and I get my attributes back in less than a second.  When the search ends up taking more than 4 seconds for any reason, I get a timeLimitExceeded message back to the IdP (no attributes).

Lightweight Directory Access Protocol
    LDAPMessage searchRequest(2) "ou=Active,ou=People,dc=ldap,dc=example,dc=edu" wholeSubtree
        messageID: 2
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: ou=Active,ou=People,dc=ldap,dc=example,dc=edu
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 1
                timeLimit: 4
                typesOnly: False
                Filter: (uid=123456789)
                    filter: equalityMatch (3)
                        equalityMatch
                attributes: 0 items
        [Response In: 73]

Shibboleth IdP 3.4.1 (plus some randomly picked older 3.x versions)
RHEL 7.5
Java JDK 8u181 (and 8u191)
Tomcat 8.5.34 with httpd front-end
Also tested with Jetty 9.3.latest with no httpd front-end (direct)

ldap-authn-config.xml: default

ldap.properties:

idp.authn.LDAP.authenticator                    = bindSearchAuthenticator

idp.authn.LDAP.ldapURL                          = ldap://ldap.example.edu:389
idp.authn.LDAP.useStartTLS                      = false
idp.authn.LDAP.useSSL                           = false
idp.authn.LDAP.connectTimeout                   = PT3S
idp.authn.LDAP.responseTimeout                  = PT30S

idp.authn.LDAP.baseDN                           = ou=Active,ou=People,dc=ldap,dc=example,dc=edu
idp.authn.LDAP.subtreeSearch                    = false
idp.authn.LDAP.userFilter                       = (cn={user})
idp.authn.LDAP.bindDN                           = cn=bind_service_acct,ou=Users,ou=Infrastructure Support,dc=ldap,dc=example,dc=edu
idp.authn.LDAP.bindDNCredential                 = secretpw

idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout      = %{idp.authn.LDAP.connectTimeout}
idp.attribute.resolver.LDAP.responseTimeout     = %{idp.authn.LDAP.responseTimeout}
idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN}
idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN}
idp.attribute.resolver.LDAP.bindDNCredential    = %{idp.authn.LDAP.bindDNCredential}
idp.attribute.resolver.LDAP.useStartTLS         = %{idp.authn.LDAP.useStartTLS}
idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates}
idp.attribute.resolver.LDAP.searchFilter        = (uid=$resolutionContext.principal)

idp.pool.LDAP.minSize                           = 3
idp.pool.LDAP.maxSize                           = 20
idp.pool.LDAP.validateOnCheckout                = false
idp.pool.LDAP.validatePeriodically              = true
idp.pool.LDAP.validatePeriod                    = PT55S
idp.pool.LDAP.prunePeriod                       = PT3M
idp.pool.LDAP.idleTime                          = PT5M
idp.pool.LDAP.blockWaitTime                     = PT3S
idp.pool.LDAP.failFastInitialize                = false

attribute-resolver.xml

    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
        <dc:FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </dc:FilterTemplate>
        <dc:ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize}"
            maxPoolSize="%{idp.pool.LDAP.maxSize}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod}"
            expirationTime="%{idp.pool.LDAP.idleTime}"
            failFastInitialize="%{idp.pool.LDAP.failFastInitialize}" />
    </resolver:DataConnector>

Ryan Tapp
California State University Long Beach

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Monday, November 26, 2018 9:23 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: LDAP and timeLimit Value

> Possible that 4 seconds is coming from some httpd mod/setting?

Totally impossible, they have nothing to do with each other.

-- Scott
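To check what the IdP actually puts on the wire rather than what the properties file says, here is an added Python example (not from the original post or the Shibboleth project) that encodes a SearchRequest matching the capture above into BER and decodes the sizeLimit and timeLimit fields back out. The packet bytes are constructed in the test; time_limit_matches is a hypothetical helper that only understands PTnS-style responseTimeout values.

```python
_uint = lambda b: int.from_bytes(b, "big")   # big-endian unsigned decode used throughout

def _tlv(tag, payload):
    """BER TLV with definite length (short form below 128, else 2-byte long form)."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + payload

def _int(tag, v):
    return _tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))  # non-negative, sign bit clear

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low 7 bits give the number of length bytes
        nb = ln & 0x7F
        ln, pos = _uint(buf[pos:pos + nb]), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def build_search_request(msg_id, base, scope, deref, size_limit, time_limit, attr, value):
    """Encode LDAPMessage { messageID, searchRequest } with one equalityMatch filter and no attributes."""
    filt = _tlv(0xA3, _tlv(0x04, attr.encode()) + _tlv(0x04, value.encode()))  # Filter [3] equalityMatch
    body = (_tlv(0x04, base.encode()) + _int(0x0A, scope) + _int(0x0A, deref)
            + _int(0x02, size_limit) + _int(0x02, time_limit) + _tlv(0x01, b"\x00")
            + filt + _tlv(0x30, b""))
    return _tlv(0x30, _int(0x02, msg_id) + _tlv(0x63, body))   # 0x63 = [APPLICATION 3] SearchRequest

def parse_search_request(pkt):
    """Return the SearchRequest fields of a raw LDAPMessage; raises if it is another operation."""
    _, msg, _ = _read_tlv(pkt, 0)
    _, mid, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x63:
        raise ValueError("protocolOp tag 0x%02x is not a searchRequest" % tag)
    req, pos = {"messageID": _uint(mid)}, 0
    fields = (("baseObject", bytes.decode), ("scope", lambda b: b[0]), ("derefAliases", lambda b: b[0]),
              ("sizeLimit", _uint), ("timeLimit", _uint), ("typesOnly", lambda b: b != b"\x00"))
    for name, conv in fields:
        _, val, pos = _read_tlv(body, pos)
        req[name] = conv(val)
    ftag, fval, _ = _read_tlv(body, pos)
    if ftag == 0xA3:   # equalityMatch carries attributeDesc then assertionValue
        _, a, p = _read_tlv(fval, 0)
        _, v, _ = _read_tlv(fval, p)
        req["filter"] = "(%s=%s)" % (a.decode(), v.decode())
    return req

def time_limit_matches(req, response_timeout):
    """True when the wire timeLimit is 0 (none) or at least the configured responseTimeout (PTnS only)."""
    return req["timeLimit"] == 0 or req["timeLimit"] >= int(response_timeout.strip("PTS"))
```

Feeding the raw bytes of the IdP's searchRequest (extracted from a capture) to parse_search_request shows whether the 4-second limit is really in the request, which is the decision point between an IdP-side and a server-side cause.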