This article addresses the following questions regarding LDAPPingTimeout
CA SiteMinder up to current supported version (12.8.8)
During initialization of a User Directory, a separate Ping Thread is created for each LDAP fail-over group. For each server in the group, the thread creates a ping connection and adds it to the ping connection list.
Periodically (the default period is 30 seconds), the Ping Thread validates the connection status of every connection in the list.
The ping validates a connection by issuing the following LDAP search: a search with scope 0 (base) that requests a single attribute (objectClass). For example:
SRCH base="" scope=0 filter="(objectClass=*)" attrs="objectClass"
and the result will be something like:
RESULT err=0 tag=101 nentries=1 etime=0
The search timeout for this ping search is controlled by the registry setting LDAPPingTimeout, which is stored at:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Debug\LDAPPingTimeout
The default value of LDAPPingTimeout is 10 seconds.
Apart from controlling the timeout of the LDAP ping search, this setting also affects a couple of other behaviors of the LDAP connections that the Policy Server makes to User Directories:
1) For the LDAP Ping search connection:
LDAP_X_OPT_CONNECT_TIMEOUT = LDAPPingTimeout * 1000 milliseconds.
PRLDAP_OPT_IO_MAX_TIMEOUT = LDAPPingTimeout * 1000 milliseconds.
Note:
LDAP_X_OPT_CONNECT_TIMEOUT is set per session handle.
PRLDAP_OPT_IO_MAX_TIMEOUT is set as a global session option.
2) For the LDAP Search Connection (LDAP connection used for searches and updates) and the LDAP User Connection (LDAP connection used for user authentication):
LDAP_X_OPT_CONNECT_TIMEOUT = LDAPPingTimeout * 1000 milliseconds.
PRLDAP_OPT_IO_MAX_TIMEOUT = 3 * LDAPPingTimeout * 1000 milliseconds.
Note:
LDAP_X_OPT_CONNECT_TIMEOUT is set per session handle.
PRLDAP_OPT_IO_MAX_TIMEOUT is set as a global session option.
LDAP_X_OPT_CONNECT_TIMEOUT
This option controls the TCP/IP timeout used while establishing a new LDAP connection, e.g. during an LDAP bind. Normally a connection attempt blocks for a period of time when the target host is not reachable. LDAP_X_OPT_CONNECT_TIMEOUT controls how long a connection attempt may block in that case: you can tell the SDK to return immediately, to return after an amount of time that you specify, or to block indefinitely.
PRLDAP_OPT_IO_MAX_TIMEOUT
The maximum time in milliseconds to block waiting for a network I/O operation to complete.
When PRLDAP_OPT_IO_MAX_TIMEOUT is set, the function prldap_set_session_option stores the timeout in prsessp->prsess_io_max_timeout.
This stored value is then consulted every time the LDAP SDK calls the poll() function:
    /* call PR_Poll() to do the real work; the per-operation timeout is
     * reconciled with the session-wide maximum prsess_io_max_timeout */
    rc = PR_Poll( pds, nfds,
                  prldap_timeout2it( timeout, prsessp->prsess_io_max_timeout ));
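To make the effect of the setting concrete, the following is an added example (not SiteMinder or LDAP SDK code) that derives the two SDK option values the article lists from LDAPPingTimeout for each connection type, and then models how the session-wide I/O maximum bounds an individual operation's wait before poll(). The sentinel constants IO_TIMEOUT_NO_WAIT and IO_TIMEOUT_NO_TIMEOUT and the function names are assumptions of this example; the capping rule is an illustration of "maximum time to block" as described above, not the SDK's source. The practical point for an operator is that these values are what keep Policy Server threads from hanging indefinitely on an unresponsive directory server, and that a search requesting a longer timeout is still bounded by 3 * LDAPPingTimeout.

```c
#include <stdio.h>

/* Sentinels for "do not block" and "no upper bound". Their numeric values
 * are an assumption of this example, not taken from the article. */
#define IO_TIMEOUT_NO_WAIT      0
#define IO_TIMEOUT_NO_TIMEOUT  (-1)

/* The two kinds of Policy Server LDAP connection the article distinguishes. */
enum conn_kind { CONN_PING, CONN_SEARCH_OR_USER };

struct ldap_timeouts {
    int connect_timeout_ms;   /* LDAP_X_OPT_CONNECT_TIMEOUT, per session handle */
    int io_max_timeout_ms;    /* PRLDAP_OPT_IO_MAX_TIMEOUT, global session option */
};

/* Derive the SDK option values the article gives from the registry setting
 * LDAPPingTimeout (in seconds): the ping connection uses 1x for the I/O
 * maximum, search and user connections use 3x. */
struct ldap_timeouts derive_timeouts(int ldap_ping_timeout_s, enum conn_kind kind)
{
    struct ldap_timeouts t;
    t.connect_timeout_ms = ldap_ping_timeout_s * 1000;
    t.io_max_timeout_ms  = (kind == CONN_PING ? 1 : 3) * ldap_ping_timeout_s * 1000;
    return t;
}

/* Model of how a per-operation timeout is reconciled with the session's
 * prsess_io_max_timeout before the SDK waits in poll(): an operation may
 * never block longer than the session maximum. Returns the effective wait
 * in milliseconds (or one of the sentinels above). Illustrative only. */
int effective_poll_wait_ms(int requested_ms, int io_max_timeout_ms)
{
    if (io_max_timeout_ms == IO_TIMEOUT_NO_WAIT)
        return IO_TIMEOUT_NO_WAIT;          /* session forbids blocking at all */
    if (io_max_timeout_ms == IO_TIMEOUT_NO_TIMEOUT)
        return requested_ms;                /* no cap configured */
    if (requested_ms == IO_TIMEOUT_NO_TIMEOUT || requested_ms > io_max_timeout_ms)
        return io_max_timeout_ms;           /* cap applies */
    return requested_ms;                    /* request already within the cap */
}

int main(void)
{
    int ping_s = 10;  /* the article's default LDAPPingTimeout */
    struct ldap_timeouts ping = derive_timeouts(ping_s, CONN_PING);
    struct ldap_timeouts srch = derive_timeouts(ping_s, CONN_SEARCH_OR_USER);

    printf("ping conn   : connect=%d ms io_max=%d ms\n",
           ping.connect_timeout_ms, ping.io_max_timeout_ms);
    printf("search conn : connect=%d ms io_max=%d ms\n",
           srch.connect_timeout_ms, srch.io_max_timeout_ms);

    /* A search asking for a 60 s timeout on a search connection actually
     * waits at most 30 s per poll() with the default setting. */
    printf("60 s search on search conn waits %d ms\n",
           effective_poll_wait_ms(60000, srch.io_max_timeout_ms));
    /* An unbounded request is still bounded by the session maximum. */
    printf("unbounded search on ping conn waits %d ms\n",
           effective_poll_wait_ms(IO_TIMEOUT_NO_TIMEOUT, ping.io_max_timeout_ms));
    return 0;
}
```

Run it with the default of 10 seconds to see the 10000 / 30000 ms split between ping and search connections; change ping_s to the value read from the registry key above to see what a given deployment actually enforces.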