Thread: Timeout on ldap connection

  1. #1
    moularbi NNTP User

    Timeout on ldap connection


    Hello,

    We have an application that connects to eDirectory to authenticate
    users and retrieve some information about the user.

    Currently, the application is being tested; here are the steps:
    1. connection to eDirectory with a service account
    2. search for a user: the ldap filter contains the object class and the user uid, the
    search returns the dn
    3. a bind is done with the retrieved dn
    4. a search is done on some attributes

    The first three steps work all the time, but for the fourth one an ldap
    connection timeout is returned sometimes.

    Here are the logs from iMonitor, problem occurs at 15:03:30:

    http://pastebin.com/5A63rN3j


    --
    moularbi
    ------------------------------------------------------------------------
    moularbi's Profile: https://forums.netiq.com/member.php?userid=1196
    View this thread: https://forums.netiq.com/showthread.php?t=49141


  2. #2
    ab NNTP User

    Re: Timeout on ldap connection

    It would help if you could post a trace of a failure. This one does not
    seem to have any problems.

    The query at 15:03:30 is searching based on the objectClass and uSERLOGIN
    attributes so ensuring this server has a value index for each attribute
    may help in case the query ever runs long. The query request, though,
    does not define a timeout limit so I do not see any reason that it would
    timeout. If there is a timeout, it is possibly coming from the server
    configuration, which you can modify on the LDAP Server (or maybe LDAP
    Group) object.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  3. #3
    moularbi NNTP User

    Re: Timeout on ldap connection


    The failure happens when we make a second search on other attributes
    (starting at line 189)

    Here are the logs of the application. At line 12 we receive an error
    message "Error during search on LDAP: Connection timed out"

    2013-11-05 15:03:30 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG] found
    entry for user FXXW045927:
    uid=CRM-003M000000OB57tIAD,dc=CONTACTS,ou=CRM-001M000000S7ftwI
    AB,dc=CUSTOMERS
    2013-11-05 15:03:30 c.w.t.e.a.a.l.LdapAccessManagement [INFO] temps d
    appel attemptAuthentication findUserDN en ms : 28
    2013-11-05 15:03:30 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG]
    attempting to authenticate user: FXXW045927
    2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [INFO] temps d
    appel attemptAuthentication reconnect en ms : 134
    2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG]
    authentication succeeded
    2013-11-05 15:03:31 c.w.t.e.a.a.WKTSLoginModule [DEBUG] [RolePrincipal
    [name=SEARCH], RolePrincipal [name=POST], RolePrincipal [name=PUSH]]
    2013-11-05 15:03:31 c.w.t.e.a.a.WKTSLoginModule [DEBUG] added
    UserPrincipal UserPrincipal [name=FXXW045927] to Subject
    2013-11-05 15:03:31 c.w.t.e.a.a.WKTSLoginModule [DEBUG] added
    RolePrincipal RolePrincipal [name=SEARCH] to Subject
    2013-11-05 15:03:31 c.w.t.e.a.a.WKTSLoginModule [DEBUG] added
    RolePrincipal RolePrincipal [name=POST] to Subject
    2013-11-05 15:03:31 c.w.t.e.a.a.WKTSLoginModule [DEBUG] added
    RolePrincipal RolePrincipal [name=PUSH] to Subject
    2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG] Search
    Attributes for : (&(objectClass=aWUser)(uSERLOGIN=FXXW045927))
    2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [ERROR] Error
    during search on LDAP: Connection timed out
    2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [ERROR] Error
    during search on LDAP no information returned ctx :
    {java.naming.security.credentials=****
    ******, java.naming.factory.initial=com.sun.jndi.ldap.Ldap CtxFactory,
    java.naming.security.protocol=ssl, java.naming.ldap.version=3,
    com.sun.jndi.ldap.read.
    timeout=10000,
    java.naming.provider.url=ldap://10.29.170.34:636/dc=customers,
    java.naming.factory.url.pkgs=org.apache.namingrg.apache.openejb.core.ivm.namin
    g, java.naming.security.principal=cn=easy-tconnect,ou=admins,dc=system}
    2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [INFO] temps d
    appel getInformation en ms : 1
    2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG] Search
    Attributes for : ou=null
    2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [ERROR] Error
    during search on LDAP: [LDAP: error code 32 - NDS error: no such entry
    (-601)]
    2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [INFO] temps d
    appel getCompanyInformation en ms : 171
    2013-11-05 15:03:31 c.w.t.e.b.s.i.PostFreightService [DEBUG] User :
    UserTlr [login=FXXW045927, roles=[], privateExchange=null,
    accessKind=null, interfacePIA=n
    ull, company=null, test=false]Company : CompanyTlr [id=null, name =null,
    companyId =null]


    --
    moularbi


  4. #4
    ab NNTP User

    Re: Timeout on ldap connection

    On 11/06/2013 01:54 AM, moularbi wrote:
    >
    > The failure happens when we make a second search on other attributes
    > (starting at line 189)


    If I am understanding your logs (as well as the eDirectory logs) correctly
    this is not true. The second search is searching based on the attributes
    mentioned previously as shown on this line:

    > 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG] Search
    > Attributes for : (&(objectClass=aWUser)(uSERLOGIN=FXXW045927))


    That an error is shown in your application is odd, but the eDirectory side
    from your original post shows that eDirectory did not error or complain
    about time limits, but instead sent the result back to the client:

    Code:
    --------------------
    15:03:30 0 Event: LDAP Search (succeeded)
    15:03:30 294B5700 LDAP: (160.92.24.120:36021)(0x0002:0x63) Sending search
    result entry
    "uid=CRM-003M000000OB57tIAD,dc=CONTACTS,ou=CRM-001M000000S7ftwIAB,dc=CUSTOMERS"
    to connection 0x111a1180
    15:03:30 0 Event: LDAP Search Entry Response (succeeded)
    15:03:30 294B5700 LDAP: (160.92.24.120:36021)(0x0002:0x63) Sending
    operation result 0:"":"" to connection 0x111a1180
    15:03:30 0 Event: LDAP Search Response (succeeded)
    15:03:30 41BDC700 LDAP: New TLS connection 0xfc6bc00 from
    160.92.24.120:36022, monitor = 0x29bd2700, index = 14
    15:03:30 0 Event: LDAP Connection (succeeded)
    --------------------

    The LDAP service (eDirectory) should return an error three (3) instead of
    zero (0) if the timelimit is exceeded, but it does not. The only place
    the connection timeout shows up is in the client, and so I assume there is
    something amiss on the client side. As a note, this is the exact same
    query run eight seconds earlier, which also returned in less than one
    second. I've never seen an option on an LDAP client to code in a timeout
    of less than one second, so even if it was set, I do not know how that
    would be handled since it's really, really short. That the returns show
    up so quickly indicates this is not likely an application (LDAP) layer
    timeout.

    > 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [ERROR] Error
    > during search on LDAP: Connection timed out
    > 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [ERROR] Error
    > during search on LDAP no information returned ctx :
    > {java.naming.security.credentials=****
    > ******, java.naming.factory.initial=com.sun.jndi.ldap.Ldap CtxFactory,
    > java.naming.security.protocol=ssl, java.naming.ldap.version=3,
    > com.sun.jndi.ldap.read.
    > timeout=10000,
    > java.naming.provider.url=ldap://10.29.170.34:636/dc=customers,
    > java.naming.factory.url.pkgs=org.apache.namingrg.apache.openejb.core.ivm.namin
    > g, java.naming.security.principal=cn=easy-tconnect,ou=admins,dc=system}


    This section of the client-side log is interesting because it shows the
    'Connection timed out' error, which is not an LDAP error, but is a TCP
    error, or at least that string/text is almost always associated with a TCP
    timeout. In a plain old environment that would also seem to be invalid,
    but I do not know anything about the networking at your site other than
    your client and server are on different logical networks. As a result,
    perhaps something in between the two systems is timing out the connection
    after a certain interval.

    > 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [INFO] temps d
    > appel getInformation en ms : 1
    > 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [DEBUG] Search
    > Attributes for : ou=null
    > 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [ERROR] Error
    > during search on LDAP: [LDAP: error code 32 - NDS error: no such entry
    > (-601)]
    > 2013-11-05 15:03:31 c.w.t.e.a.a.l.LdapAccessManagement [INFO] temps d
    > appel getCompanyInformation en ms : 171
    > 2013-11-05 15:03:31 c.w.t.e.b.s.i.PostFreightService [DEBUG] User :
    > UserTlr [login=FXXW045927, roles=[], privateExchange=null,
    > accessKind=null, interfacePIA=n
    > ull, company=null, test=false]Company : CompanyTlr [id=null, name =null,
    > companyId =null]


    Your client appears to also have some missing error handling causing some
    bad searches here. If something goes wrong with the previous search that
    search should be retried or this entire section of code should be
    abandoned since it is not possible to base operation B on operation A's
    results when operation A failed.

    In summary, I think the problem is something else on your network killing
    the TCP connection, or maybe some other quirk on the client or server side
    causing time to be mis-represented. eDirectory, by default, does not
    implement timeouts at the LDAP layer so verifying there are still none on
    the LDAP Server object should be trivial using iManager, ConsoleOne, or
    ldapconfig from the command line. After that I would try to find what is
    happening on the wire by tracing the client and server sides
    simultaneously, or at least get one from the client side if nothing else.
    Specifically this tcpdump command would create a file that, if posted,
    could be checked for anything odd. Since your connection is over TCP 636
    there should not be any risk of seeing application (LDAP) data within the
    trace:

    Code:
    --------------------
    sudo /usr/sbin/tcpdump -n -s 0 -w /tmp/ldap0.cap -i any port 636
    --------------------

    After starting tcpdump above, do the test with the Java client and then
    hit Ctrl+c in the terminal above when done. Send the resulting
    /tmp/ldap0.cap file, or post it on an FTP server somewhere, or something.
    Uploading to ftp://ftp.novell.com/incoming/ is also an option if you are
    familiar with that approach.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...
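The four-step flow from the first post written out as a JNDI client, with the read/connect timeouts set explicitly and the error handling ab recommends: a transport-level "Connection timed out" is separated from an LDAP result code, and the dependent lookup is abandoned rather than run with ou=null. This is an added illustration for this thread, not the poster's application code; the server URL, service account DN and the attributes requested in step 4 are assumed.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class EdirAuthFlow {
    // Hypothetical values: replace with the real server, service account and base.
    static final String URL = "ldaps://ldap.example.invalid:636/dc=customers";
    static final String SVC_DN = "cn=svc-account,ou=admins,dc=system";
    static final String FILTER = "(&(objectClass=aWUser)(uSERLOGIN={0}))";

    static DirContext connect(String dn, char[] pw) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, pw);
        // Bound the TCP connect and each reply wait (ms); a stalled socket then
        // surfaces as a CommunicationException instead of a hung thread.
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "10000");
        return new InitialDirContext(env);
    }

    // One search serves step 2 (DN lookup, no attributes) and step 4 (attribute fetch).
    static SearchResult findUser(DirContext ctx, String login, String[] attrs) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(attrs);
        // The login is passed as a filter argument so JNDI escapes it (no filter injection).
        NamingEnumeration<SearchResult> r = ctx.search("", FILTER, new Object[]{login}, sc);
        try { return r.hasMore() ? r.next() : null; } finally { r.close(); }
    }

    static Attributes authenticate(String login, char[] userPw, char[] svcPw) {
        DirContext svc = null, user = null;
        try {
            svc = connect(SVC_DN, svcPw);                           // step 1
            SearchResult hit = findUser(svc, login, new String[0]);  // step 2
            if (hit == null) return null;                           // unknown login
            user = connect(hit.getNameInNamespace(), userPw);       // step 3: bind as the user
            SearchResult full = findUser(user, login, new String[]{"ou", "mail"});
            return full == null ? null : full.getAttributes();      // step 4
        } catch (CommunicationException e) {
            // Transport failure ("Connection timed out"): nothing is known about the
            // user, so stop here instead of going on to a company lookup with ou=null.
            throw new IllegalStateException("LDAP transport failure", e);
        } catch (NamingException e) {
            throw new IllegalStateException("LDAP error: " + e.getMessage(), e); // e.g. code 32
        } finally {
            for (DirContext c : new DirContext[]{user, svc})
                if (c != null) try { c.close(); } catch (NamingException ignored) {}
        }
    }
}
```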

  5. #5

    Re: Timeout on ldap connection

    moularbi wrote:

    > Currently, the application is being tested, here are the steps:
    > 1.connection to eDirectory with a service account
    > 2.search for a user: ldap filter contains object class and user uid, the
    > search returns the dn
    > 3.a bind is done with the retrieved dn
    > 4.a search is done on some attributes
    >
    > The three first steps work all the time but for the fourth one an ldap
    > connection timeout is returned sometimes.


    Did you try to unbind/close connection/open new connection between steps 2 & 3?

    --
    __________________________________________________ ____________________
    http://www.is4it.de/en/solutions/ide...ess-management

    (If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below...)
