In a Federation Partnership, the Service Provider receives the assertion and performs a user search to authenticate the user.
But when the User Directory responds slowly (over 10 seconds, intermittently), users see an HTTP 500 in the browser.
This is because the Federation Partnership user search against LDAP (at the Service Provider side) is controlled by the LDAPPingTimeout registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug\LDAPPingTimeout
The default is 10 seconds (DWORD32).
When the user search times out after 10 seconds, the user is not found and HTTP 500 is displayed with SMAUTHREASON 48.
In smtracedefault.log, with samlsp_profiler.template plus the LDAP components enabled, the following messages can be seen:
[01/30/2021][00:01:50][1234][][SmDsLdapProvider.cpp:1906][CSmDsLdapProvider::SearchImpl][][][][][search filter is : (&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(customusername=user1))]
...
...
[01/30/2021][00:02:00][1234][][SmDsLdapConnMgr.cpp:1201][][][][][][LogMessage:ERROR:[sm-Ldap-02230] Error# '85' during search: 'error: Timed out' Search Query = '(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(customusername=user1))' for server 'myldap:389']
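As an added example (not from the original article), a small Python script that correlates the two trace messages above by thread id and reports whether the elapsed time between the search start and the sm-Ldap-02230 error reached LDAPPingTimeout. The sample lines are constructed in the smtracedefault.log format shown, with a shortened search filter; the second thread has no timeout and is therefore not reported.

```python
import re
from datetime import datetime

# Constructed sample lines in the smtracedefault.log layout shown above (filter shortened).
SAMPLE_LOG = """\
[01/30/2021][00:01:50][1234][][SmDsLdapProvider.cpp:1906][CSmDsLdapProvider::SearchImpl][][][][][search filter is : (&(objectclass=inetOrgPerson)(customusername=user1))]
[01/30/2021][00:01:51][5678][][SmDsLdapProvider.cpp:1906][CSmDsLdapProvider::SearchImpl][][][][][search filter is : (&(objectclass=inetOrgPerson)(customusername=user2))]
[01/30/2021][00:02:00][1234][][SmDsLdapConnMgr.cpp:1201][][][][][][LogMessage:ERROR:[sm-Ldap-02230] Error# '85' during search: 'error: Timed out' Search Query = '(&(objectclass=inetOrgPerson)(customusername=user1))' for server 'myldap:389']
"""

# Leading [date][time][thread] fields; the rest of the line is matched separately.
HEADER = re.compile(r"^\[(\d{2}/\d{2}/\d{4})\]\[(\d{2}:\d{2}:\d{2})\]\[(\d+)\]")
SEARCH = re.compile(r"search filter is : (\(.*\))\]$")
TIMEOUT = re.compile(
    r"\[sm-Ldap-02230\] Error# '85' during search: 'error: Timed out' "
    r"Search Query = '(\(.*\))' for server '([^']+)'"
)


def parse_line(line):
    """Return (timestamp, thread id, remainder) or None for non-trace lines."""
    m = HEADER.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %H:%M:%S")
    return ts, m.group(3), line[m.end():]


def find_ldap_search_timeouts(log_text, ping_timeout_s=10):
    """Pair each search start with a later Error 85 on the same thread id.

    Returns one dict per timeout, with the elapsed seconds and whether that
    elapsed time reached the (default 10 s) LDAPPingTimeout.
    """
    pending = {}  # thread id -> (search start time, filter)
    results = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, tid, rest = parsed
        s = SEARCH.search(rest)
        if s:
            pending[tid] = (ts, s.group(1))
            continue
        t = TIMEOUT.search(rest)
        if t:
            start, _ = pending.pop(tid, (None, None))
            elapsed = (ts - start).total_seconds() if start else None
            results.append({
                "thread": tid, "server": t.group(2), "filter": t.group(1),
                "elapsed_s": elapsed,
                "hit_ping_timeout": elapsed is not None and elapsed >= ping_timeout_s,
            })
    return results
```

Running `find_ldap_search_timeouts(SAMPLE_LOG)` reports thread 1234 against myldap:389 with 10 seconds elapsed, i.e. exactly the LDAPPingTimeout default.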
It is best to ensure the User Directory returns query results in under a second.
Indexing is the recommended way to resolve this so that the query returns faster (or rather, use one of the indexed attributes).
The search query is hard coded and cannot be reduced, as the LookUpDirectoryEntry function details show (1).
If indexing or using an indexed attribute is not possible, the last option may be to increase LDAPPingTimeout by creating the value manually in the registry and then restarting the Policy Server.
Test with 15 seconds.
An enhancement has been raised to decouple the Federation Partnership user lookup timeout from the LDAPPingTimeout registry value (2).