Active Directory Connection Timeout
Teresa Fasano
t.fasano at cineca.it
Fri Sep 7 07:38:40 EDT 2018
Hi,
I configured an IdP v3 that uses two Active Directory servers for login and to
retrieve the attributes.
The configuration of the jaas.config is
ldapUrl = "ldaps://dc1 ldaps://dc2"
The configuration of the attribute-resolver.xml is
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
    validatorRef="shibboleth.NonFailFastValidator" >
    <FailoverDataConnector ref="failoverFakeConnector" />
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>
    <ConnectionPool
        minPoolSize="%{idp.pool.LDAP.minSize:3}"
        maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
        blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
        validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
        validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
        expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
        failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
</DataConnector>
Finally, in the ldap.properties I have:
idp.authn.LDAP.ldapURL = ldaps://dc1 ldaps://dc2
idp.authn.LDAP.connectTimeout = 3000
idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
We performed a test where the first server, dc1, was disconnected, making it
unavailable and leaving only dc2 active.
The test was used to verify whether authentication continued to work
with dc2.
The result was that authentication and attribute release became very
slow (several minutes), probably because the IdP checks the connection
to the first AD before using the second one.
I have read that it is possible to use the connectTimeout = "3000"
parameter in the jaas.config.
Can you recommend a configuration to make authentication fast when
the first Active Directory is not available?
Thank you,
T.
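The slowdown described above depends on two things that are easy to get wrong when the same timeout is written in two files: how the URL list is ordered and which unit each setting is in (`connectTimeout = 3000` in jaas.config is milliseconds, while `PT3S` in ldap.properties is an ISO 8601 duration). The following diagnostic is an added example, not part of the thread or of the Shibboleth IdP itself. It parses the poster's space-separated `ldapURL` value, normalises both timeout notations to seconds, then opens a plain TCP connection to each server in the listed order with that timeout applied, so you can see whether a silently dropping host really is bounded to one timeout per attempt or whether the wait runs into minutes. The hostnames `dc1` and `dc2` are the ones from the post; the "try servers in listed order" model is this script's assumption, and the `connect` argument is injectable so the logic can be exercised without a network.

```python
"""Probe LDAP failover ordering with a bounded TCP connect timeout.

Added diagnostic for the thread above; not Shibboleth IdP code. It models
the configured URL list as "try in listed order" (an assumption here) and
reports how long each server takes to answer under the configured timeout.
"""
import re
import socket
import time
from urllib.parse import urlsplit

# Default ports for the two URL schemes that appear in ldap.properties.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# ISO 8601 duration subset used by IdP properties: PT[nH][nM][nS].
_ISO_DURATION = re.compile(
    r"^PT(?:(\d+(?:\.\d+)?)H)?(?:(\d+(?:\.\d+)?)M)?(?:(\d+(?:\.\d+)?)S)?$")


def parse_ldap_urls(value):
    """Split a space-separated ldapURL value such as 'ldaps://dc1 ldaps://dc2'
    into (scheme, host, port) tuples, in the order they were listed."""
    servers = []
    for token in value.split():
        parts = urlsplit(token)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"not an LDAP URL: {token!r}")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        servers.append((parts.scheme, parts.hostname, port))
    return servers


def timeout_seconds(value):
    """Convert a timeout setting to seconds. Accepts the ISO 8601 form used in
    ldap.properties ('PT3S', 'PT1M30S') and a bare integer, which the
    jaas.config setting connectTimeout=3000 uses to mean milliseconds."""
    value = str(value).strip()
    if value.isdigit():
        return int(value) / 1000.0
    match = _ISO_DURATION.match(value)
    if not match or not any(match.groups()):
        raise ValueError(f"unrecognised duration: {value!r}")
    hours, minutes, seconds = (float(g) if g else 0.0 for g in match.groups())
    return hours * 3600 + minutes * 60 + seconds


def tcp_connect(host, port, timeout):
    """Real probe: open a TCP connection with a bounded timeout, then close it.
    Raises a timeout when the host silently drops packets (the disconnected
    dc1 case) and OSError on refusal or DNS failure."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def probe_servers(url_list, timeout_setting, connect=tcp_connect):
    """Try each server in configured order and report how it answered.
    Returns a list of (url, status, elapsed_seconds); `connect` is injectable
    so the ordering logic can be tested offline with a fake."""
    timeout = timeout_seconds(timeout_setting)
    report = []
    for scheme, host, port in parse_ldap_urls(url_list):
        started = time.monotonic()
        try:
            connect(host, port, timeout)
            status = "ok"
        except (socket.timeout, TimeoutError):
            status = "timeout"
        except OSError as exc:
            status = "error: " + (exc.strerror or str(exc))
        elapsed = round(time.monotonic() - started, 3)
        report.append((f"{scheme}://{host}:{port}", status, elapsed))
    return report


def worst_case_delay(url_list, timeout_setting):
    """Upper bound on the wait before the last listed server is tried, if every
    earlier server consumes the full connect timeout. With two URLs and PT3S
    this is 3 s; a wait of minutes means the timeout is not being applied."""
    count = len(parse_ldap_urls(url_list))
    return (count - 1) * timeout_seconds(timeout_setting)


if __name__ == "__main__":
    # Same URL list and timeout as the thread. Outside the poster's network the
    # hostnames will not resolve, so each probe reports an error immediately.
    for entry in probe_servers("ldaps://dc1 ldaps://dc2", "PT3S"):
        print(entry)
```

Run it from a host on the same network as the domain controllers while dc1 is disconnected: if dc1 reports `timeout` after roughly the configured seconds and dc2 reports `ok`, the per-attempt bound works at the TCP level and any remaining minutes-long delay is being added above it (pool validation, retries, or a setting in the other file that does not carry the value you expect).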