Search Timeout and Connection Timeout for LDAP Authentication
This section is an update to the topic LDAP Authentication Resource Template in the TIBCO ActiveMatrix Service Grid Administration Guide.
Two timeout properties are used in the LDAP authentication login module:
- Connection Timeout: Used when making the initial connection or login to the LDAP server.
- Search Timeout: Used when searching for the user on the LDAP server.
Of these two timeout properties, only the Search Timeout property can be configured by using the ActiveMatrix Administrator UI or CLI. The LDAP Authentication Resource Template exposes only the Search Timeout property to the user, not the Connection Timeout. Internally, it also uses the Search Timeout value for the Connection Timeout property. However, if the Search Timeout is less than 90000 ms, the Connection Timeout is set to the minimum value of 90000 ms.
The following log entry indicates a Connection Timeout:
com.tibco.governance.agent.action.ActionException: Can't log in (erroneous configuration?): javax.naming.NamingException: LDAP response read timed out, timeout used:90000ms
If the user search fails because of the Search Timeout, the following error is displayed in the logs:
com.tibco.governance.agent.action.ActionException: Couldn't find user: javax.naming.NamingException [Root exception is javax.naming.NamingException: LDAP response read timed out, timeout used:10ms.; remaining name 'cn=a,ou=b,dc=c,dc=com'].
In the preceding logs, 10 ms is the Search Timeout value that you set from the Administrator UI or CLI, as displayed in the following image:
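The following Python script is an added example, not part of the TIBCO documentation or product code. It classifies the two log messages shown above as connection-phase or search-phase timeouts and checks the logged value against the rule described on this page (Connection Timeout = Search Timeout, with a 90000 ms minimum). The function names are hypothetical, and the matching relies only on the message text shown in the two log lines.

```python
import re

MIN_CONNECTION_TIMEOUT_MS = 90000  # minimum Connection Timeout stated on this page

# Log lines as shown on this page.
SAMPLE_LOGS = [
    "com.tibco.governance.agent.action.ActionException: Can't log in (erroneous configuration?): "
    "javax.naming.NamingException: LDAP response read timed out, timeout used:90000ms",
    "com.tibco.governance.agent.action.ActionException: Couldn't find user: "
    "javax.naming.NamingException [Root exception is javax.naming.NamingException: "
    "LDAP response read timed out, timeout used:10ms.; remaining name 'cn=a,ou=b,dc=c,dc=com'].",
]

_TIMEOUT = re.compile(r"LDAP response read timed out, timeout used:\s*(\d+)\s*ms")
_REMAINING = re.compile(r"remaining name '([^']*)'")


def effective_connection_timeout(search_timeout_ms):
    """Connection Timeout the login module derives from the Search Timeout."""
    return max(search_timeout_ms, MIN_CONNECTION_TIMEOUT_MS)


def classify(line):
    """Return phase, timeout and DN for an LDAP timeout log line, else None."""
    m = _TIMEOUT.search(line)
    if m is None:
        return None
    if "Can't log in" in line:          # initial connection or login failed
        phase = "connection"
    elif "Couldn't find user" in line:  # user search failed
        phase = "search"
    else:
        phase = "unknown"
    dn = _REMAINING.search(line)
    return {"phase": phase, "timeout_ms": int(m.group(1)),
            "dn": dn.group(1) if dn else None}


def matches_config(event, search_timeout_ms):
    """True if the logged timeout is what the configured Search Timeout predicts."""
    if event["phase"] == "connection":
        return event["timeout_ms"] == effective_connection_timeout(search_timeout_ms)
    if event["phase"] == "search":
        return event["timeout_ms"] == search_timeout_ms
    return False


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        event = classify(line)
        print(event, "consistent with Search Timeout = 10 ms:", matches_config(event, 10))
```

A logged timeout that does not match the configured Search Timeout under this rule suggests the entry came from a node running a different resource template configuration.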