Active Directory Connection Timeout
Nate Klingenstein
ndk at sudonym.me
Fri Sep 7 13:41:22 EDT 2018
Teresa,
Your configuration looks okay to me and I would expect a faster transaction
than several minutes. Have you tried watching the IdP's idp-process.log to
see precisely where the waiting is happening? Each log entry will have a
timestamp.
Take care,
Nate.
On Fri, Sep 7, 2018 at 11:38 AM, Teresa Fasano <t.fasano at cineca.it> wrote:
> Hi,
> I configured an IdP v3 that uses two Active Directories for login and to
> retrieve the attributes.
>
> The configuration of the jaas.config is
> ldapUrl = "ldaps://dc1 ldaps://dc2"
>
> The configuration of the attribute-resolver.xml is
> <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
> ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
> baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
> principal="%{idp.attribute.resolver.LDAP.bindDN}"
> principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
> useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
> connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
> responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
> validatorRef="shibboleth.NonFailFastValidator" >
> <FailoverDataConnector ref="failoverFakeConnector" />
> <FilterTemplate>
> <![CDATA[
> %{idp.attribute.resolver.LDAP.searchFilter}
> ]]>
> </FilterTemplate>
> <ConnectionPool
> minPoolSize="%{idp.pool.LDAP.minSize:3}"
> maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
> blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
> validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
> validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
> expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
> failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
> </DataConnector>
>
> Finally, in the ldap.properties I have:
> idp.authn.LDAP.ldapURL = ldaps://dc1 ldaps://dc2
> idp.authn.LDAP.connectTimeout = 3000
> idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
> idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
>
> We performed a test where the first dc1 was disconnected, making it
> unavailable and leaving only the dc2 active.
> The test was used to verify whether authentication continued to work with
> dc2.
> The result was that authentication and attribute release became very
> slow (several minutes), probably because the IdP checks the connection to
> the first AD before using the second one.
>
> I have read that it is possible to use the connectTimeout = "3000"
> parameter in the jaas.config.
>
> Can you recommend a configuration that keeps authentication fast when the
> first Active Directory is not available?
> Thank you,
> T.
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>