
Tech Tip - CA Single Sign-On: PolicyServer :: LDAPPingTimeout Explained

By Ujwol posted Apr 17, 2016 10:04 PM

Questions

  • What is the purpose of LDAPPingTimeout?
  • How often does the Policy Server check the availability of the LDAP servers? Can the default interval be changed?
  • Is there a default value for LDAPPingTimeout?
  • What are the other implications of changing LDAPPingTimeout?

Answers

What is the purpose of LDAPPingTimeout?

During initialization of a User Directory, a separate Ping Thread is created for each LDAP fail-over group. For each server in the group, the thread creates a ping connection and adds it to the ping connection list.

Periodically (the default period is 30 seconds) the Ping thread validates the connection status of all connections in the list.

The ping validates a connection by performing an LDAP search with a scope of 0 (base) that requests a single attribute (objectClass) to be returned, e.g.:

SRCH base="" scope=0 filter="(objectClass=*)" attrs="objectClass"

The result will be something like:

RESULT err=0 tag=101 nentries=1 etime=0

The search timeout for this ping search request is controlled by the LDAPPingTimeout registry setting, which is stored at:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Debug\LDAPPingTimeout

 

How often does the Policy Server check the availability of the LDAP servers? Can the default interval be changed?

The Ping thread validates the connection status of all connections in the list at a default interval of 30 seconds.

This interval can be configured by modifying the following registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug:

LDAPServerCheckerInterval

Specifies how often (in seconds) the Policy Server polls the LDAP servers to retrieve the availability information.

Default: 30 seconds (this value is also used when the registry setting does not exist).

 

Is there a default value for LDAPPingTimeout?

The default value for LDAPPingTimeout is 10 seconds.

 

What are the other implications of changing LDAPPingTimeout?

Apart from controlling the search timeout of the LDAP Ping search, this setting also determines two other LDAP connection options for the connections that the Policy Server makes to User Directories:

1) For the LDAP Ping search connection:

LDAP_X_OPT_CONNECT_TIMEOUT = LDAPPingTimeout * 1000 milliseconds.

PRLDAP_OPT_IO_MAX_TIMEOUT = LDAPPingTimeout * 1000 milliseconds.

Note:

LDAP_X_OPT_CONNECT_TIMEOUT is set on a per-session-handle basis.

PRLDAP_OPT_IO_MAX_TIMEOUT is set as a global session option.

2) For the LDAP Search connection (the LDAP connection used for searches and updates) and the LDAP User connection (the LDAP connection used for user authentication):

LDAP_X_OPT_CONNECT_TIMEOUT = LDAPPingTimeout * 1000 milliseconds.

PRLDAP_OPT_IO_MAX_TIMEOUT = 3 * LDAPPingTimeout * 1000 milliseconds.

Note:

LDAP_X_OPT_CONNECT_TIMEOUT is set on a per-session-handle basis.

PRLDAP_OPT_IO_MAX_TIMEOUT is set as a global session option.

 

LDAP_X_OPT_CONNECT_TIMEOUT

This option controls the TCP/IP timeout while establishing a new LDAP connection, e.g. during an LDAP bind. Normally a connection attempt blocks for a period of time when the target host is not reachable. LDAP_X_OPT_CONNECT_TIMEOUT lets you control how long a connection attempt will block when the host is not reachable: you can tell the SDK to return immediately, to return after an amount of time that you specify, or to block indefinitely.

PRLDAP_OPT_IO_MAX_TIMEOUT

The maximum time, in milliseconds, to block waiting for a network I/O operation to complete.

When the PRLDAP_OPT_IO_MAX_TIMEOUT option is set, the function prldap_set_session_option is used and it stores the timeout in prsessp->prsess_io_max_timeout.

Later this timeout is retrieved every time the LDAP SDK calls the poll() function:

/* call PR_Poll() to do the real work */
rc = PR_Poll( pds, nfds,
              prldap_timeout2it( timeout, prsessp->prsess_io_max_timeout ));
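To make the ping and the timeout formulas above concrete, here is an added example (not CA/Symantec code and not the Policy Server's own SDK calls) that reimplements the ping search as a standalone health check in Python using only the standard library: it BER-encodes the same base-scope search for objectClass, derives the connect and I/O timeouts from an LDAPPingTimeout value with the formulas given in this tip, and returns the resultCode and entry count that the RESULT line reports. The function names, the host and port arguments, and the use of plain socket timeouts in place of the SDK options are my assumptions.

```python
import socket
def encode_tlv(tag, content):                # BER TLV, short length form (the fixed request is < 128 bytes)
    return bytes([tag, len(content)]) + content
def decode_tlv(buf, off=0):                  # decode one TLV -> (tag, content, next_offset)
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                             # long length form (root DSE replies exceed 127 bytes)
        k, off = n & 0x7F, off + (n & 0x7F)
        n = int.from_bytes(buf[off - k:off], "big")
    return tag, buf[off:off + n], off + n

def effective_timeouts(ldap_ping_timeout=10, connection="ping"):   # SDK option values in ms, per the tip
    t_ms = ldap_ping_timeout * 1000
    return {"LDAP_X_OPT_CONNECT_TIMEOUT": t_ms,
            "PRLDAP_OPT_IO_MAX_TIMEOUT": t_ms if connection == "ping" else 3 * t_ms}

def build_ping_search(msg_id=1):             # SRCH base="" scope=0 filter="(objectClass=*)" attrs="objectClass"
    attr = b"objectClass"
    req = (encode_tlv(0x04, b"") + encode_tlv(0x0A, b"\x00") + encode_tlv(0x0A, b"\x00")        # base "", scope base, deref never
           + encode_tlv(0x02, b"\x00") + encode_tlv(0x02, b"\x00") + encode_tlv(0x01, b"\x00")  # sizeLimit 0, timeLimit 0, typesOnly FALSE
           + encode_tlv(0x87, attr)                                                             # filter: present(objectClass)
           + encode_tlv(0x30, encode_tlv(0x04, attr)))                                          # attrs: objectClass
    return encode_tlv(0x30, encode_tlv(0x02, bytes([msg_id])) + encode_tlv(0x63, req))          # [APPLICATION 3] SearchRequest

def parse_op(msg):                           # LDAPMessage bytes -> (protocolOp tag, protocolOp content)
    _, body, _ = decode_tlv(msg)
    _, _, off = decode_tlv(body)             # skip messageID
    return decode_tlv(body, off)[:2]

def _recv_message(f):                        # read one complete LDAPMessage TLV from a socket file
    hdr = f.read(2)
    if len(hdr) < 2:
        raise ConnectionError("LDAP server closed the connection")
    n = hdr[1]
    if n & 0x80:
        ext = f.read(n & 0x7F)
        hdr, n = hdr + ext, int.from_bytes(ext, "big")
    return hdr + f.read(n)

def ldap_ping(host, port=389, ldap_ping_timeout=10):   # returns (resultCode, nentries), cf. the RESULT line
    t = effective_timeouts(ldap_ping_timeout, "ping")
    with socket.create_connection((host, port), timeout=t["LDAP_X_OPT_CONNECT_TIMEOUT"] / 1000) as s:
        s.settimeout(t["PRLDAP_OPT_IO_MAX_TIMEOUT"] / 1000)   # I/O cap, standing in for PRLDAP_OPT_IO_MAX_TIMEOUT
        s.sendall(build_ping_search())
        f, entries = s.makefile("rb"), 0
        while True:
            op, res = parse_op(_recv_message(f))
            if op == 0x64:                   # SearchResultEntry
                entries += 1
            elif op == 0x65:                 # SearchResultDone: first element of LDAPResult is resultCode
                return int.from_bytes(decode_tlv(res)[1], "big"), entries
```

Calling ldap_ping("ldap.example.internal", 389, 10) against a directory that answers the root DSE should return (0, 1), matching the err=0 nentries=1 result quoted above; a socket.timeout on connect or read is what a too-small LDAPPingTimeout looks like from the Policy Server's side.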
