
Timeout on ldap connection


Hello,

We have an application that connects to eDirectory to authenticate
users and retrieve some information about the user.

Currently, the application is being tested; here are the steps:
1. connection to eDirectory with a service account
2. search for a user: the ldap filter contains object class and user uid, and the
search returns the dn
3. a bind is done with the retrieved dn
4. a search is done on some attributes

The first three steps work all the time but for the fourth one an ldap
connection timeout is returned sometimes.

Here are the logs from iMonitor, problem occurs at 15:03:30:

http://pastebin.com/5A63rN3j


--
moularbi
------------------------------------------------------------------------
moularbi's Profile: https://forums.netiq.com/member.php?userid=1196
View this thread: https://forums.netiq.com/showthread.php?t=49141


Re: Timeout on ldap connection

It would help if you could post a trace of a failure. This one does not
seem to have any problems.

The query at 15:03:30 is searching based on the objectClass and uSERLOGIN
attributes so ensuring this server has a value index for each attribute
may help in case the query ever runs long. The query request, though,
does not define a timeout limit so I do not see any reason that it would
timeout. If there is a timeout, it is possibly coming from the server
configuration, which you can modify on the LDAP Server (or maybe LDAP
Group) object.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Timeout on ldap connection


The failure happens when we make a second search on other attributes
(starting at line 189)

Here are the logs of the application. At line 12 we receive an error
message "Error during search on LDAP: Connection timed out"

Code:
--------------------
2013-11-05 15:03:30 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG] found entry for user FXXW045927: uid=CRM-003M000000OB57tIAD,dc=CONTACTS,ou=CRM-001M000000S7ftwIAB,dc=CUSTOMERS
2013-11-05 15:03:30 c.w.t.e.a.a.l.LdapAccessManagement [INFO] temps d appel attemptAuthentication findUserDN en ms : 28
2013-11-05 15:03:30 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG] attempting to authenticate user: FXXW045927
2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [INFO] temps d appel attemptAuthentication reconnect en ms : 134
2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG] authentication succeeded
2013-11-05 15:03:31 c.w.t.e.a.a.WKTSLoginModule [DEBUG] [RolePrincipal [name=SEARCH], RolePrincipal [name=POST], RolePrincipal [name=PUSH]]
2013-11-05 15:03:31 c.w.t.e.a.a.WKTSLoginModule [DEBUG] added UserPrincipal UserPrincipal [name=FXXW045927] to Subject
2013-11-05 15:03:31 c.w.t.e.a.a.WKTSLoginModule [DEBUG] added RolePrincipal RolePrincipal [name=SEARCH] to Subject
2013-11-05 15:03:31 c.w.t.e.a.a.WKTSLoginModule [DEBUG] added RolePrincipal RolePrincipal [name=POST] to Subject
2013-11-05 15:03:31 c.w.t.e.a.a.WKTSLoginModule [DEBUG] added RolePrincipal RolePrincipal [name=PUSH] to Subject
2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG] Search Attributes for : (&(objectClass=aWUser)(uSERLOGIN=FXXW045927))
2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [ERROR] Error during search on LDAP: Connection timed out
2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [ERROR] Error during search on LDAP no information returned ctx : {java.naming.security.credentials=**********, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.protocol=ssl, java.naming.ldap.version=3, com.sun.jndi.ldap.read.timeout=10000, java.naming.provider.url=ldap://10.29.170.34:636/dc=customers, java.naming.factory.url.pkgs=org.apache.naming:org.apache.openejb.core.ivm.naming, java.naming.security.principal=cn=easy-tconnect,ou=admins,dc=system}
2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [INFO] temps d appel getInformation en ms : 1
2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG] Search Attributes for : ou=null
2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [ERROR] Error during search on LDAP: [LDAP: error code 32 - NDS error: no such entry (-601)]
2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [INFO] temps d appel getCompanyInformation en ms : 171
2013-11-05 15:03:31 c.w.t.e.b.s.i.PostFreightService [DEBUG] User : UserTlr [login=FXXW045927, roles=[], privateExchange=null, accessKind=null, interfacePIA=null, company=null, test=false]Company : CompanyTlr [id=null, name =null, companyId =null]
--------------------


--
moularbi


Re: Timeout on ldap connection

On 11/06/2013 01:54 AM, moularbi wrote:
>
> The failure happens when we make a second search on other attributes
> (starting at line 189)


If I am understanding your logs (as well as the eDirectory logs) correctly
this is not true. The second search is searching based on the attributes
mentioned previously as shown on this line:

> 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG] Search
> Attributes for : (&(objectClass=aWUser)(uSERLOGIN=FXXW045927))


That an error is shown in your application is odd, but the eDirectory side
from your original post shows that eDirectory did not error or complain
about time limits, but instead sent the result back to the client:

Code:
--------------------
15:03:30 0 Event: LDAP Search (succeeded)
15:03:30 294B5700 LDAP: (160.92.24.120:36021)(0x0002:0x63) Sending search
result entry
"uid=CRM-003M000000OB57tIAD,dc=CONTACTS,ou=CRM-001M000000S7ftwIAB,dc=CUSTOMERS"
to connection 0x111a1180
15:03:30 0 Event: LDAP Search Entry Response (succeeded)
15:03:30 294B5700 LDAP: (160.92.24.120:36021)(0x0002:0x63) Sending
operation result 0:"":"" to connection 0x111a1180
15:03:30 0 Event: LDAP Search Response (succeeded)
15:03:30 41BDC700 LDAP: New TLS connection 0xfc6bc00 from
160.92.24.120:36022, monitor = 0x29bd2700, index = 14
15:03:30 0 Event: LDAP Connection (succeeded)
--------------------

The LDAP service (eDirectory) should return an error three (3) instead of
zero (0) if the timelimit is exceeded, but it does not. The only place
the connection timeout shows up is in the client, and so I assume there is
something amiss on the client side. As a note, this is the exact same
query run eight seconds earlier, which also returned in less than one
second. I've never seen an option on an LDAP client to code in a timeout
of less than one second, so even if it was set, I do not know how that
would be handled since it's really, really short. That the returns show
up so quickly indicates this is not likely an application (LDAP) layer
timeout.

> 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [ERROR] Error during search on LDAP: Connection timed out
> 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [ERROR] Error during search on LDAP no information returned ctx : {java.naming.security.credentials=**********, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.protocol=ssl, java.naming.ldap.version=3, com.sun.jndi.ldap.read.timeout=10000, java.naming.provider.url=ldap://10.29.170.34:636/dc=customers, java.naming.factory.url.pkgs=org.apache.naming:org.apache.openejb.core.ivm.naming, java.naming.security.principal=cn=easy-tconnect,ou=admins,dc=system}


This section of the client-side log is interesting because it shows the
'Connection timed out' error, which is not an LDAP error, but is a TCP
error, or at least that string/text is almost always associated with a TCP
timeout. In a plain old environment that would also seem to be invalid,
but I do not know anything about the networking at your site other than
your client and server are on different logical networks. As a result,
perhaps something in between the two systems is timing out the connection
after a certain interval.

> 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [INFO] temps d appel getInformation en ms : 1
> 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG] Search Attributes for : ou=null
> 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [ERROR] Error during search on LDAP: [LDAP: error code 32 - NDS error: no such entry (-601)]
> 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [INFO] temps d appel getCompanyInformation en ms : 171
> 2013-11-05 15:03:31 c.w.t.e.b.s.i.PostFreightService [DEBUG] User : UserTlr [login=FXXW045927, roles=[], privateExchange=null, accessKind=null, interfacePIA=null, company=null, test=false]Company : CompanyTlr [id=null, name =null, companyId =null]


Your client appears to also have some missing error handling causing some
bad searches here. If something goes wrong with the previous search that
search should be retried or this entire section of code should be
abandoned since it is not possible to base operation B on operation A's
results when operation A failed.

In summary, I think the problem is something else on your network killing
the TCP connection, or maybe some other quirk on the client or server side
causing time to be mis-represented. eDirectory, by default, does not
implement timeouts at the LDAP layer so verifying there are still none on
the LDAP Server object should be trivial using iManager, ConsoleOne, or
ldapconfig from the command line. After that I would try to find what is
happening on the wire by tracing the client and server sides
simultaneously, or at least get one from the client side if nothing else.
Specifically this tcpdump command would create a file that, if posted,
could be checked for anything odd. Since your connection is over TCP 636
there should not be any risk of seeing application (LDAP) data within the
trace:

Code:
--------------------
sudo /usr/sbin/tcpdump -n -s 0 -w /tmp/ldap0.cap -i any port 636
--------------------

After starting tcpdump above, do the test with the Java client and then
hit Ctrl+c in the terminal above when done. Send the resulting
/tmp/ldap0.cap file, or post it on an FTP server somewhere, or something.
Uploading to ftp://ftp.novell.com/incoming/ is also an option if you are
familiar with that approach.

--
Good luck.

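One way to code the four steps from the original post so that a failed lookup or a failed attribute search stops the login instead of continuing into the "ou=null" search the reply above points out. This is an added example, not the poster's application: it uses JNDI as the posted context properties suggest, binds the service account and the user on separate connections, and sets both connect and read timeouts. Host, base DN, attribute list and timeout values are assumptions.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
// Added example (not the poster's code); host, base DN and timeouts are placeholders.
public class EdirAuthExample {
    static final String URL = "ldap://ldap.example.test:636"; // placeholder host
    static final String BASE = "dc=customers";                 // placeholder base
    static Hashtable<String, String> env(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_PROTOCOL, "ssl");           // as in the posted ctx
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        // Bound the TCP connect and the wait for each reply (values assumed) so a
        // dead connection fails fast instead of hanging the login.
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "10000");
        return env;
    }
    /** Steps 1-4; returns the user's attributes, or null if any step fails. */
    static Attributes authenticate(String svcDn, String svcPw, String login, String pw) {
        String userDn;
        DirContext svc = null;
        try {                                   // steps 1 and 2: service bind + DN lookup
            svc = new InitialDirContext(env(svcDn, svcPw));
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // {0} is escaped by JNDI, so the login text cannot alter the filter.
            NamingEnumeration<SearchResult> r = svc.search(BASE,
                "(&(objectClass=aWUser)(uSERLOGIN={0}))", new Object[] {login}, sc);
            if (!r.hasMore()) return null;      // unknown user: stop here
            userDn = r.next().getNameInNamespace();
        } catch (NamingException e) {
            return null;                        // step 2 failed: nothing to bind as
        } finally {
            if (svc != null) try { svc.close(); } catch (NamingException ignore) {}
        }
        DirContext user = null;
        try {                                   // steps 3 and 4 on a fresh connection
            user = new InitialDirContext(env(userDn, pw));
            return user.getAttributes(userDn, new String[] {"ou", "mail"});
        } catch (NamingException e) {
            return null;                        // do not go on to search "ou=null"
        } finally {
            if (user != null) try { user.close(); } catch (NamingException ignore) {}
        }
    }
}
```

A caller that receives null should treat the login as failed and log the NamingException it swallowed; a "Connection timed out" at step 4 then surfaces as one clear failure rather than a chain of searches on null values.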

Re: Timeout on ldap connection

moularbi wrote:

> Currently, the application is being tested, here are the steps:
> 1.connection to eDirectory with a service account
> 2.search for a user: ldap filter contains object class and user uid, the
> search returns the dn
> 3.a bind is done with the retrieved dn
> 4.a search is done on some attributes
>
> The three first steps work all the time but for the fourth one an ldap
> connection timeout is returned sometimes.


Did you try to unbind/close connection/open new connection between steps 2 & 3?

--
______________________________________________________________________
http://www.is4it.de/en/solutions/identity-access-management
