
LDAP Connection waits

Hi,

Every IDP has got about 6000+ LDAP connection waits since the last reboot, which was a week ago.

The "connection wait aborted" and "current connection waits" counters mentioned in the online help I don't even have in the NAM 5sp3 appliance.

But anyway, I suppose it's not good to have them; it might be a reason for slow logins.

But what is the best way to sort it: add another LDAP server or raise the number of LDAP threads in the user store configuration?

Any thoughts?

/Lelle

  • 0

    I have seen this before with a couple of customers. In both cases, they had a load balancer in front of their LDAP servers and had configured NAM to point to the LDAP VIP. If this is your scenario, try configuring NAM to go directly against the LDAP servers rather than using the VIP to see if that resolves the issue. Also, make sure your ldapLoadThreshold is set to 600 as recommended in the Performance and Sizing Guidelines document.

    Bryon

  • 0 in reply to

    Hi Bryon,

    Thanks for your reply. There is no LB in front of the LDAP servers, and ldapLoadThreshold is set to 600 already.

    /Lelle

  • 0 in reply to

    Are you seeing any errors like the following in your IDP catalinas?

    2022-01-05 19:36:26: LDAP servers at or above capacity. New user requests being rejected! Threshold: 600, Current Load: 630

    This is what the other customers first noticed (before noticing the connection waits climbing). The issue was definitely affecting logins for some users. You could try adding additional user store replicas but I don't think it is a load issue. We noticed the issue would only occur on a single IDP at a time, and the other IDPs remained healthy. Restarting the IDP service on the affected server cleared the issue.
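    As an added example (not from this thread or from NAM itself), a small Python check that scans catalina.out lines for the capacity warning quoted above and reports how far the current load exceeded the configured ldapLoadThreshold. It assumes the message wording is exactly as quoted, with only the timestamp, threshold and load varying; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Regex for the capacity warning quoted in the post above. Assumption: NAM writes
# exactly this wording; only the timestamp, threshold and load vary.
CAPACITY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): LDAP servers at or above capacity\."
    r".*Threshold: (?P<threshold>\d+), Current Load: (?P<load>\d+)"
)

@dataclass(frozen=True)
class CapacityEvent:
    timestamp: str
    threshold: int   # configured ldapLoadThreshold at the time of the event
    load: int        # LDAP requests in flight when the IDP started rejecting logins

    @property
    def over_by(self) -> int:
        return self.load - self.threshold

def parse_line(line: str) -> Optional[CapacityEvent]:
    """Return a CapacityEvent for a matching catalina.out line, else None."""
    m = CAPACITY_RE.match(line.strip())
    if m is None:
        return None
    return CapacityEvent(m.group("ts"), int(m.group("threshold")), int(m.group("load")))

def scan_catalina(lines: Iterable[str]) -> List[CapacityEvent]:
    """Collect every capacity warning in the given log lines, in file order."""
    events = []
    for line in lines:
        event = parse_line(line)
        if event is not None:
            events.append(event)
    return events

# Constructed sample log: the warning from the thread plus unrelated noise lines.
SAMPLE_LOG = """\
2022-01-05 19:36:20: INFO Session created for user
2022-01-05 19:36:26: LDAP servers at or above capacity. New user requests being rejected! Threshold: 600, Current Load: 630
2022-01-05 19:36:31: INFO Session created for user
2022-01-05 19:37:02: LDAP servers at or above capacity. New user requests being rejected! Threshold: 600, Current Load: 615
"""

if __name__ == "__main__":
    for ev in scan_catalina(SAMPLE_LOG.splitlines()):
        print(f"{ev.timestamp}: load {ev.load} exceeded threshold {ev.threshold} by {ev.over_by}")
```

    Run it against a real catalina.out by passing the file's lines to scan_catalina; a non-empty result on one node while the others stay clean matches the single-IDP pattern described above.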

  • 0 in reply to

    Hi, no traces of that in catalina.out on any node.

    /Lennart

  • 0 in reply to

    That is good. In any case, LDAP connection waits should be 0 or very low, even in a busy production environment. If this is a consistent issue that you see after bouncing the IDP service, and if you start to see issues like rejected or slow logins, I'd probably open a case with Support to troubleshoot. It could be an issue with the IDP's LDAP connection code requiring analysis of LDAP traffic, netstat output, Java thread dumps, etc.

  • 0 in reply to

    Hi,

    Thanks, I probably have to do that.

    /Lelle

  • Suggested Answer

    0 in reply to 

    I can answer this myself: it was related to the local eDirectory getting huge by creating 500 000+ NameID entries from transient NameIDs that were treated as persistent IDs and therefore added to the local eDir. After removing those, everything is running fine.