LDAP recovery?

Paul B. Henson henson at cpp.edu
Tue Apr 9 15:10:34 EDT 2019

We have a hardware load balancer in front of multiple backend LDAP servers. When we do maintenance on one, we pull it out of the load balancer, which can cause failures on any existing persistent connections to that specific backend. Ever since I upgraded to 3.4, I've noticed errors like these in the logs when this happens:

net.shibboleth.idp.attribute.resolver.ResolutionException: Data Connector 'LDAP': Unable to execute LDAP search

Caused by: org.ldaptive.LdapException: javax.naming.NamingException: LDAP response read timed out, timeout used:3000ms.; remaining name

[net.shibboleth.idp.profile.impl.ResolveAttributes:314] - Profile Action ResolveAttributes: Error resolving attributes

WARN [net.shibboleth.idp.profile.logic.AbstractAttributePredicate:105] - No AttributeContext located for evaluation

I don't remember seeing these before in the same scenario. It looks like when this occurs the IdP simply fails the LDAP query and presumably whatever login transaction was attempted at that time? I would expect on an LDAP failure for it to try to reconnect to the LDAP server and reissue the query, which would work, as the reconnection would hit a different backend service to the load balancer that wasn't bound. I haven't received any complaints, but presumably people would just retry once or twice and it would work, so we might not get any. Am I interpreting this correctly as a failure, and if so, is there any way to get it to not fail and retry instead?

Thanks much...

Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  henson at cpp.edu
California State Polytechnic University  |  Pomona CA 91768
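The following is an added example, not part of the original post and not code from Shibboleth or ldaptive. It is a small Python simulation of the failure mode described above: a persistent connection stays pinned to one backend behind a load balancer, that backend is pulled for maintenance, the next search on the pinned connection times out, and a bounded retry wrapper drops the dead connection, reconnects through the balancer (which now hands out a healthy backend) and reissues the search. The backend names, the entry data and the class names are all constructed for the illustration.

```python
"""Simulated LDAP pool behind a load balancer with a reconnect-and-retry
wrapper.  Added example; all names, backends and entries are constructed."""
import itertools


class LdapTimeout(Exception):
    """Stand-in for the 'LDAP response read timed out' error in the logs."""


class Backend:
    """One LDAP server behind the balancer.  Searches time out once it has
    been pulled from service, mirroring a half-open persistent connection."""

    def __init__(self, name):
        self.name = name
        self.in_service = True
        # Constructed directory content.
        self.entries = {"uid=henson": {"mail": "henson@example.edu"}}

    def search(self, filt):
        if not self.in_service:
            raise LdapTimeout(f"{self.name}: LDAP response read timed out, timeout used:3000ms")
        return self.entries.get(filt)


class LoadBalancer:
    """Round-robin over backends that are currently in service.  A connection,
    once handed out, stays pinned to the backend it was made to."""

    def __init__(self, backends):
        self.backends = backends
        self._rr = itertools.cycle(backends)

    def connect(self):
        for _ in range(len(self.backends)):
            candidate = next(self._rr)
            if candidate.in_service:
                return candidate
        raise LdapTimeout("no backend in service")


class PooledConnection:
    """A persistent connection pinned to one backend, as a pooled LDAP
    connection would be after its initial bind."""

    def __init__(self, lb):
        self.lb = lb
        self.backend = lb.connect()

    def search(self, filt):
        return self.backend.search(filt)

    def reconnect(self):
        # Discard the pinned backend and go back through the balancer.
        self.backend = self.lb.connect()


def search_with_retry(conn, filt, retries=1):
    """Run a search; on timeout, reconnect and reissue it at most `retries`
    times.  Returns (result, number_of_retries_used).  Only search, an
    idempotent operation, is retried here; the bound keeps a dead pool from
    looping forever."""
    used = 0
    while True:
        try:
            return conn.search(filt), used
        except LdapTimeout:
            if used >= retries:
                raise
            used += 1
            conn.reconnect()


def maintenance_scenario(retries=1):
    """Reproduce the post's scenario: two backends, a connection pinned to the
    first, the first pulled from the balancer, then a search on that connection.
    Returns (entry, retries_used, backend_now_pinned)."""
    ldap1, ldap2 = Backend("ldap1"), Backend("ldap2")
    lb = LoadBalancer([ldap1, ldap2])
    conn = PooledConnection(lb)          # pinned to ldap1 (first in rotation)
    ldap1.in_service = False             # ldap1 pulled for maintenance
    entry, used = search_with_retry(conn, "uid=henson", retries=retries)
    return entry, used, conn.backend.name


if __name__ == "__main__":
    print(maintenance_scenario())
```

With `retries=0` the wrapper behaves like the log excerpt above: the pinned connection times out and the search fails outright. With `retries=1` the reconnect lands on the healthy backend and the search succeeds on the second attempt. Two practical caveats: keep the retry count small so an outage of every backend surfaces quickly rather than stacking timeouts, and be careful retrying a bind with user-supplied credentials, since a retried bind that fails for the user's own reasons can count twice against a lockout policy.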
