We're running a Policy Server and we see intermittent authentication
delays. The smps.log reports:
[1436/8584][Thu Dec 12 2019 12:34:36][SmAuthUser.cpp:947][INFO][sm-log-00000] Execution time exceeded threshold. (AuthenticateDsUser, 10265, 10000, agent= client=10.0.0.1 server= resource=/myresource action=GET user=myuser)
[1436/8584][Thu Dec 12 2019 12:34:36][SmAuthDir.cpp:90][INFO][sm-log-00000] Execution time exceeded threshold. (SmAuthenticate, 10265, 10000, agent= client=10.0.0.1 server= resource=/myresource action=GET user=myuser)
How can we fix this?
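To spot this pattern across a whole smps.log rather than by eye, the following parser (an added example, not part of the article or a Broadcom tool) extracts every "Execution time exceeded threshold" entry, pulls out the operation, the elapsed and threshold milliseconds and the key=value details, and flags entries whose elapsed time sits just above the 10 second LDAP ping timeout described later in the article. The sample log text is constructed from the two entries above plus two extra lines; the 2000 ms slack window is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: the two entries from the question plus one more slow
# authentication and one unrelated line.
SAMPLE_SMPS_LOG = """\
[1436/8584][Thu Dec 12 2019 12:34:36][SmAuthUser.cpp:947][INFO][sm-log-00000] Execution time exceeded threshold. (AuthenticateDsUser, 10265, 10000, agent= client=10.0.0.1 server= resource=/myresource action=GET user=myuser)
[1436/8584][Thu Dec 12 2019 12:34:36][SmAuthDir.cpp:90][INFO][sm-log-00000] Execution time exceeded threshold. (SmAuthenticate, 10265, 10000, agent= client=10.0.0.1 server= resource=/myresource action=GET user=myuser)
[1436/8584][Thu Dec 12 2019 12:35:01][SmAuthUser.cpp:947][INFO][sm-log-00000] Execution time exceeded threshold. (AuthenticateDsUser, 10412, 10000, agent= client=10.0.0.2 server= resource=/other action=POST user=bob)
[1436/8584][Thu Dec 12 2019 12:35:02][SmAuthDir.cpp:90][INFO][sm-log-00000] Some other message.
"""

# One smps.log entry of the "Execution time exceeded threshold" kind:
# [pid/tid][timestamp][source][level][code] ... (operation, elapsed_ms, threshold_ms, details)
ENTRY_RE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<src>[^\]]+)\]"
    r"\[(?P<level>\w+)\]\[(?P<code>[^\]]+)\] Execution time exceeded threshold\. "
    r"\((?P<op>\w+), (?P<elapsed>\d+), (?P<threshold>\d+), (?P<details>[^)]*)\)$"
)
# key=value pairs in the details; an empty value (agent=, server=) is allowed
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class SlowEntry:
    timestamp: str
    operation: str
    elapsed_ms: int
    threshold_ms: int
    details: dict = field(default_factory=dict)


def parse_slow_entries(text):
    """Return a SlowEntry for every threshold-exceeded line in the log text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append(SlowEntry(
            timestamp=m.group("ts"),
            operation=m.group("op"),
            elapsed_ms=int(m.group("elapsed")),
            threshold_ms=int(m.group("threshold")),
            details=dict(KV_RE.findall(m.group("details"))),
        ))
    return entries


def consistent_with_ping_timeout(entry, ping_timeout_s=10, slack_ms=2000):
    """True when the elapsed time is the ping timeout plus a little overhead,
    the signature of a request that waited for the LDAP ping to give up.
    10 s is the LDAPPingTimeout default; slack_ms is an assumed window."""
    lower = ping_timeout_s * 1000
    return lower <= entry.elapsed_ms < lower + slack_ms


def summarize(entries, ping_timeout_s=10):
    """Counts per operation and per client, how many entries match the
    ping-timeout pattern, and the worst elapsed time seen."""
    return {
        "entries": len(entries),
        "by_operation": dict(Counter(e.operation for e in entries)),
        "by_client": dict(Counter(e.details.get("client", "") for e in entries)),
        "ping_timeout_pattern": sum(
            1 for e in entries if consistent_with_ping_timeout(e, ping_timeout_s)),
        "worst_ms": max((e.elapsed_ms for e in entries), default=0),
    }


if __name__ == "__main__":
    # Run against a real file with: parse_slow_entries(open("smps.log").read())
    for key, value in summarize(parse_slow_entries(SAMPLE_SMPS_LOG)).items():
        print(f"{key}: {value}")
```

When most flagged entries cluster just above the ping timeout and share the same user store, the delay is the ping timeout rather than a slow bind for particular users, which is the case the rest of the article explains.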
All Policy Server versions
The problem is that the LDAP server does not answer within 10 seconds, so
the Policy Server has to rebuild its connection to the LDAP server.
smtracedefault.log
This delay is caused by the 10 second timeout on the LDAP ping
request:
LDAPPingTimeout
Specifies the LDAP ping timeout value in seconds.
By default, this time period is 10 seconds even though the registry
key does not exist. To change the value, add the registry key and
configure a value.
Type: DWORD
Location: Base_Location\Debug
Unit: Seconds
Responses: Explaining SiteMinder/LDAP communication
Is there a concept of idle timeout for 'Bind'/any connections? Where
is it controlled?
No, the Policy Server does not close the connection to the User Store
unless one of the following occurs:
- An LDAP request returns with a network error. The connections are
then re-initialized.
- The ping thread detects that an LDAP server in the same fail-over
group located before the current server is now available. For
example, if a user and a search connection to S2 were created and at
some point S1 becomes available, then the connections will be
re-initialized to S1.
- The ping thread detects that the server is unavailable. The
connections are then re-initialized.
https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=715231
LDAP Stores :: Failover
Failover:
The Connection Manager maintains the status of the directory
instances using dedicated "Ping Server" threads. The Ping Server
thread periodically checks the health status of each directory every
30 seconds. It validates the connection by doing an LDAP search as:
Search Filter is objectclass=*
With each search, the Ping Server thread waits a default maximum of
ten (10) seconds.
https://knowledge.broadcom.com/external/article?articleId=49848
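The two quoted passages together describe a small state machine: a ping thread that runs the objectclass=* search against every directory with a bounded wait, and three rules that decide when the user and search connections are re-initialized. The following simulation (an added example, not SiteMinder code) implements that behaviour so the failover decisions can be reasoned about and tested. The search callables, the server names S1/S2 and the sub-second delays are constructed; the 30 second interval and 10 second timeout constants are the defaults quoted above.

```python
import time
from concurrent.futures import ThreadPoolExecutor

# Defaults quoted in the article (the simulation below uses much shorter values).
PING_INTERVAL_S = 30   # Ping Server thread checks every directory every 30 s
PING_TIMEOUT_S = 10    # LDAPPingTimeout default: maximum wait per health-check search


def ping_directory(search, timeout_s=PING_TIMEOUT_S):
    """Health-check one directory: run `search` (a stand-in for the
    objectclass=* search) and wait at most timeout_s for its answer.
    Returns True when the directory answered in time, False on timeout or error."""
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(search)
    try:
        future.result(timeout=timeout_s)
        return True
    except Exception:            # concurrent.futures.TimeoutError or a search failure
        return False
    finally:
        # Never block on a hung search: the worker is abandoned, just as the
        # Policy Server abandons the connection and rebuilds it.
        pool.shutdown(wait=False)


def plan_connections(group, status, current, request_error=False):
    """Apply the three re-initialization rules from the community answer.
    group: fail-over list in priority order; status: server -> ping result;
    current: server the user/search connections are bound to (None if none).
    Returns (target_server, reason); reason is None when connections are kept."""
    first_up = next((s for s in group if status.get(s)), None)
    if first_up is None:
        return None, "no directory in the fail-over group is available"
    if request_error:
        return first_up, "LDAP request returned a network error: re-initialize"
    if current is None or not status.get(current):
        return first_up, "current server unavailable: re-initialize"
    if first_up != current:
        return first_up, f"{first_up} is available again ahead of {current}: re-initialize"
    return current, None


def make_search(delay_s):
    """Constructed stand-in for an LDAP search that answers after delay_s."""
    def search():
        time.sleep(delay_s)
        return ["dc=example,dc=com"]
    return search


def ping_cycle(group, searches, current, timeout_s=PING_TIMEOUT_S):
    """One pass of the ping thread over the group, then the connection plan."""
    status = {s: ping_directory(searches[s], timeout_s) for s in group}
    target, reason = plan_connections(group, status, current)
    return status, target, reason


if __name__ == "__main__":
    group = ["S1", "S2"]
    # S1 stalls (like the LDAP server that does not answer in time), S2 is healthy
    searches = {"S1": make_search(0.5), "S2": make_search(0.01)}
    print(ping_cycle(group, searches, current="S1", timeout_s=0.1))
    # Next cycle: S1 answers again, so connections move back to S1
    searches["S1"] = make_search(0.01)
    print(ping_cycle(group, searches, current="S2", timeout_s=0.1))
```

The cost the question is paying is visible in `ping_directory`: a directory that stalls is only declared down after the full timeout, and a request that happens to be waiting on that connection waits the same 10 seconds before the connections are rebuilt. Lowering LDAPPingTimeout shortens that wait but also makes a merely slow directory look unavailable, so it is a trade-off rather than a fix for the root cause.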
Investigate the LDAP store and the firewall between it and the Policy
Server to understand why LDAP connections are being re-initiated
constantly and why the LDAP server occasionally fails to respond within
the LDAP ping timeout period.