All,

We are currently experiencing an issue with LDAP read timeouts not corresponding with settings set in CAS. After analyzing TCP dumps of communication between our CAS & LDAP servers, it has been determined that our CAS implementation is not functioning as expected. Our CAS generated LDAP search requests are always timing out at 2s as opposed to any other value inserted for the "com.sun.jndi.ldap.read.timeout" attribute in our deployerConfigContext.xml.
We originally thought this was an issue with our LDAP services, until we analyzed the TCP dump. Anyone have any ideas on why this is happening?

For some background on this issue, please refer to the cas-user list thread "CAS LDAP time exceeded" (sorry, thread is not populated on nabble yet!)

Running: CAS 3.4.2 w/ LDAP Password Policy Enforcement Module (3.4.2) (https://wiki.jasig.org/display/CASUM/LDAP+Password+Policy+Enforcement) & custom modifications.

As far as we can tell, we have made no modifications to CAS 3.4.2's "cas-server-support-ldap" module. Also, it does not seem that the "cas-server-support-ldap-pwd-expiration" module interferes with the module in relation to LDAP connectivity setup either.

Our deployerConfigContext.xml:

    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="pooled" value="false"/>
        <property name="urls">
            <list>
                <value>ldap://XXXX.nau.edu</value>
            </list>
        </property>
        <property name="userDn" value="XXXX"/>
        <property name="password" value="XXXX"/>
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key>
                        <value>java.naming.security.authentication</value>
                    </key>
                    <value>simple</value>
                </entry>
                <entry>
                    <key>
                        <value>com.sun.jndi.ldap.connect.timeout</value>
                    </key>
                    <value>5000</value>
                </entry>
                <entry>
                    <key>
                        <value>com.sun.jndi.ldap.read.timeout</value>
                    </key>
                    <value>5000</value>
                </entry>
            </map>
        </property>
    </bean>

A sample of the TCP dump is as follows (note the line containing "timeLimit" is where our issue exists):

    Frame 71 (152 bytes on wire, 152 bytes captured)
    Ethernet II, Src: Cisco_fe:1b:08 (CAS_SERVER_XXXX), Dst: Oracle_2b:cb:7e (LDAP_SERVER_XXXX)
    Internet Protocol, Src: XXXX (XXXX), Dst: XXXX (XXXX)
    Transmission Control Protocol, Src Port: XXXX (XXXX), Dst Port: XXXX (XXXX), Seq: 75, Ack: 15, Len: 98
    Lightweight-Directory-Access-Protocol
        LDAPMessage searchRequest(2) "ou=XXXX,dc=nau,dc=edu" wholeSubtree
            messageID: 2
            protocolOp: searchRequest (3)
                searchRequest
                    baseObject: ou=XXXX,dc=nau,dc=edu
                    scope: wholeSubtree (2)
                    derefAliases: derefAlways (3)
                    sizeLimit: 1000
                    timeLimit: 2
                    typesOnly: False
                    Filter: (uid=XXXX)
                    attributes: 1 item
            [Response In: 73]
            controls: 1 item
                Control
                    controlType: 2.16.840.1.113730.3.4.2 (joint-iso-itu-t.16.840.1.113730.3.4.2)

--
Raymond Walker
Software Systems Engineer Sr.
ITS Northern Arizona University
