cf login with external Lightweight Directory Access Protocol users experiences high latency in Tanzu Application Service for VMs



Article ID: 298214


Updated On:

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

When Tanzu Application Service for VMs (TAS for VMs) is integrated with a Lightweight Directory Access Protocol (LDAP) identity provider, "cf login" for LDAP users can experience significant latency (on the order of 2 minutes), while local UAA users are unaffected. For more information, refer to Configure LDAP as an Identity Provider for TAS for VM.

This latency can be caused by unresponsive referrals contained in the LDAP server's search response.

By default, the LDAP client in TAS UAA uses the referral strategy "follow", which means it automatically chases any referrals returned by the LDAP server. A referral is an LDAP URL pointing to another directory server (for example, a different domain or naming context in an Active Directory forest), which may not be the server configured for TAS UAA and may not be reachable from the UAA VM at all. Waiting for connection attempts to those unreachable referral targets to time out is the source of the latency; once they fail, UAA logs "Ignoring PartialResultException" and continues with the bind.

For example, the following is sample log output from UAA showing such latency:
# LDAP authentication starts

[2021-08-27 03:06:43.812] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- ProviderManager: Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
[2021-08-27 03:06:43.895] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- SpringSecurityLdapTemplate: Searching for entry under DN '', base = 'dc=example,dc=com', filter = 'samaccountname={0}'
[2021-08-27 03:06:43.895] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- SpringSecurityLdapTemplate: Found DN: CN=ExampleCN,OU=Users,DC=Example,DC=Com

# the UAA tomcat thread https-jsse-nio-8443-exec-8 idles for 2m11s, then proceeds

[2021-08-27 03:08:54.622] uaa - 17 [https-jsse-nio-8443-exec-8] ....  INFO --- SpringSecurityLdapTemplate: Ignoring PartialResultException
[2021-08-27 03:08:54.622] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- BindAuthenticator: Attempting to bind as cn=ExampleCN,ou=Users,dc=example,dc=com
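The pattern above can be checked mechanically across a UAA log rather than by eye. The following script is an added example (not part of this article and not UAA code): it parses UAA log lines, tracks each Tomcat thread from its "Found DN" line to its "Attempting to bind as" line, and reports threads whose search-to-bind gap exceeds a threshold, noting whether an "Ignoring PartialResultException" was logged in between (the signature of referral chasing). The log lines are constructed to match the format shown above, with one extra fast thread (exec-3) to show a healthy login for comparison; the regular expression is an assumption based on that format and may need adjusting for other log layouts.

```python
import re
from datetime import datetime

# Constructed sample modelled on the UAA output above; not a real capture.
# exec-8 stalls for ~2m11s between search and bind, exec-3 is a normal login.
SAMPLE_LOG = """\
[2021-08-27 03:06:43.812] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- ProviderManager: Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
[2021-08-27 03:06:43.895] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- SpringSecurityLdapTemplate: Searching for entry under DN '', base = 'dc=example,dc=com', filter = 'samaccountname={0}'
[2021-08-27 03:06:43.895] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- SpringSecurityLdapTemplate: Found DN: CN=ExampleCN,OU=Users,DC=Example,DC=Com
[2021-08-27 03:06:44.010] uaa - 17 [https-jsse-nio-8443-exec-3] .... DEBUG --- SpringSecurityLdapTemplate: Found DN: CN=OtherCN,OU=Users,DC=Example,DC=Com
[2021-08-27 03:06:44.120] uaa - 17 [https-jsse-nio-8443-exec-3] .... DEBUG --- BindAuthenticator: Attempting to bind as cn=OtherCN,ou=Users,dc=example,dc=com
[2021-08-27 03:08:54.622] uaa - 17 [https-jsse-nio-8443-exec-8] ....  INFO --- SpringSecurityLdapTemplate: Ignoring PartialResultException
[2021-08-27 03:08:54.622] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- BindAuthenticator: Attempting to bind as cn=ExampleCN,ou=Users,dc=example,dc=com
"""

# Assumed line layout: "[timestamp] uaa - <pid> [<thread>] .... LEVEL --- <message>"
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\] uaa - \d+ "
    r"\[(?P<thread>[^\]]+)\] .*?--- (?P<msg>.*)$"
)


def parse_lines(text):
    """Yield (timestamp, thread, message) for every line matching LINE_RE."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip unrelated or wrapped lines
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["thread"], m["msg"]


def find_referral_stalls(text, threshold_s=5.0):
    """Return {thread: (gap_seconds, saw_partial_result)} for each thread whose
    gap between 'Found DN' and 'Attempting to bind as' is >= threshold_s.

    saw_partial_result is True when 'Ignoring PartialResultException' was
    logged on that thread during the gap, which points at referral chasing
    rather than a slow bind or a slow server.
    """
    found_at = {}      # thread -> timestamp of its 'Found DN' line
    partial = set()    # threads that logged PartialResultException since search
    stalls = {}
    for ts, thread, msg in parse_lines(text):
        if "Found DN:" in msg:
            found_at[thread] = ts
            partial.discard(thread)
        elif "Ignoring PartialResultException" in msg:
            partial.add(thread)
        elif "Attempting to bind as" in msg and thread in found_at:
            gap = (ts - found_at.pop(thread)).total_seconds()
            if gap >= threshold_s:
                stalls[thread] = (gap, thread in partial)
            partial.discard(thread)
    return stalls


if __name__ == "__main__":
    for thread, (gap, partial_result) in find_referral_stalls(SAMPLE_LOG).items():
        cause = "referral chasing (PartialResultException)" if partial_result else "unknown"
        print(f"{thread}: {gap:.1f}s between search and bind, likely cause: {cause}")
```

Run it against a real UAA log (for example, /var/vcap/sys/log/uaa/uaa.log on the uaa VM) by reading the file into find_referral_stalls instead of SAMPLE_LOG; threads that stall with saw_partial_result set are the logins affected by unreachable referrals, while a stall without it points at a different problem (slow bind, slow directory server, network).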


Environment

Product Version: 2.10

Resolution

The LDAP client in UAA can be configured to ignore referrals and return a partial result, so that a login is not delayed by referral targets UAA cannot reach. See all possible settings in the UAA release spec file. In the TAS tile, make the configuration change via the following steps.

1. Navigate to the Ops Manager Installation Dashboard.

2. Click the TAS for VMs tile.

3. Select Authentication and Enterprise SSO.

4. For LDAP referrals, select Ignore referrals and return partial result.

5. Click Save. Make a selective Apply Changes for TAS for VMs.

If the above configuration change does not resolve the issue, please contact VMware Tanzu Support for further assistance.