Ldap connector DAP_TIMELIMIT_EXCEEDED

cneberg cneberg at gmail.com
Wed Apr 10 11:16:28 EDT 2019


>If you're seeing timeLimitExceeded then you're likely processing an empty result set. Check your logs to confirm.

Yes, I believe that is what is happening.    Since there was an error
I'd like it to retry, preferably to a different ldap server in the
list and if that fails -  return an error to the user.      If there
is an ldap error I don't think it makes sense to treat it the same as
the user not being in ldap.

On Tue, Apr 9, 2019 at 10:21 PM Daniel Fisher <dfisher at vt.edu> wrote:
>
> On Tue, Apr 9, 2019 at 3:03 PM cneberg <cneberg at gmail.com> wrote:
>>
>> What is the expected behavior of the ldap data connector on the lasted
>> IDP when the ldap server returns 3 LDAP_TIMELIMIT_EXCEEDED?
>
>
> The IDP will process whatever results it has received, that's typically none since most searches are looking for a single entry.
>
>>
>> One of my upstream ldap servers is over burdened and it appears some
>> users who should be found in ldap are not.   Then it seems to continue
>> their sso session with no attributes.
>
>
> If you're seeing timeLimitExceeded then you're likely processing an empty result set. Check your logs to confirm.
>
> --Daniel Fisher
>
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net


More information about the users mailing list