
LDAP bind operations hard coded to 15 secs despite the User store timeout options being increased beyond that

This document (7012564) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 1 applied
NetIQ Access Manager 3.2 Identity Server

Situation

Access Manager setup and working fine - users can access protected resources behind the Access Gateway after authenticating successfully to the Identity (IDP) server.

Customer then rolled out a custom Phone Factor authentication class that does the following:
- asks for username and password which the user submits
- back end app talks to a phone server and sends a token to the user - user submits the token in response to the challenge
- user successfully authenticated

At the moment, all works fine IF the user submits the token within 15 secs of the initial LDAP bind. If the user takes more than 15 secs, the IDP server issues an LDAP unbind request and the authentication fails. Increasing all LDAP timeouts in the IDP User store configuration makes no difference - any delay greater than 15 seconds causes the authentication to fail.

The log file entries show the error:

<amLogEntry> 2012-12-12T07:39:19Z INFO NIDS Application: AM#500105014:
AMDEVICEID#DC31078D41009B18: AMAUTHID#3E98195B544527F25CF38DEAFFC3E2DA:
Attempting to authenticate user CN=ncashell,ou=Users,dc=wpo,dc=com with provided credentials. </amLogEntry>

<amLogEntry> 2012-12-12T07:39:19Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-219.46.37.219-8443-Processor10
Connection: c703ee71-21a6-4129-a1c5-4d6ae408c78a, Environment Parameters for InitialDirContext() method call:
Key: java.naming.factory.initial, Value: com.sun.jndi.ldap.LdapCtxFactory
Key: java.naming.provider.url, Value: ldap://100.118.52.138
Key: com.sun.jndi.ldap.connect.timeout, Value: 0
Key: java.naming.security.principal, Value: CN=ncashell,ou=Users,dc=wpo,dc=com
Key: java.naming.security.authentication, Value: simple
Key: java.naming.security.credentials, Value: *****
Key: java.naming.referral, Value: follow
Key: java.naming.ldap.factory.socket, Value: com.novell.nidp.common.util.net.client.NIDP_SocketFactory
</amLogEntry>

// 15 secs later
<amLogEntry> 2012-12-12T07:39:34Z DEBUG NIDS Application: Method: JNDILogEventListener.accept Thread: http-219.46.37.219-8443-Processor10 NamingException: Connection: c703ee71-21a6-4129-a1c5-4d6ae408c78a, Attempting to create InitialDirContext for replica: x220230apss3003 </amLogEntry>

<amLogEntry> 2012-12-12T07:39:34Z DEBUG NIDS Application: Method: JNDILogEventListener.accept Thread: http-209.46.37.219-8443-Processor10 Exception while attempting to create ldap connection! </amLogEntry>

<amLogEntry> 2012-12-12T07:39:34Z VERBOSE NIDS Application: Authentication contract 'AAAW_PhoneFactor' failed in method 'Name/Password/PhoneFactor - Form' for session 3E98195B544527F25CF38DEAFFC3E2DA. NIDPMAIN.1536CN=ncashell,ou=Users,dc=wpou,dc=com </amLogEntry>

<amLogEntry> 2012-12-12T07:39:34Z WARNING NIDS Application: Event Id: 3014668, Target: AAAW_PhoneFactor, Note 1: 3E98195B544527F25CF38DEAFFC3E2DA, Note 2: NIDPMAIN.1536CN=WPONETKG,OU=Kaplan Inc,OU=TWPC Users,dc=wpouatusi,dc=com, Note 3: Name/Password/PhoneFactor - Form, Numeric 1: 0, Data: 10.216.0.76 </amLogEntry>
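As an added illustration (not part of this TID or of the NetIQ product code), the following Python pairs each InitialDirContext bind attempt in the NIDS log with the NamingException logged for the same Connection id and reports the binds that died at the 15 second mark described above; the log it parses is a constructed sample in the amLogEntry format quoted above, and the second Connection id is made up for contrast.

```python
import re
from datetime import datetime

# Constructed sample in the amLogEntry format shown above: the first bind
# (Connection id taken from the log above) fails 15 s after the attempt,
# the second (made-up id) fails after only 3 s, the third never fails.
SAMPLE_LOG = """\
<amLogEntry> 2012-12-12T07:39:19Z DEBUG NIDS Application: Method: JNDILogEventListener.accept Connection: c703ee71-21a6-4129-a1c5-4d6ae408c78a, Environment Parameters for InitialDirContext() method call: Key: com.sun.jndi.ldap.connect.timeout, Value: 0 </amLogEntry>
<amLogEntry> 2012-12-12T07:39:34Z DEBUG NIDS Application: Method: JNDILogEventListener.accept NamingException: Connection: c703ee71-21a6-4129-a1c5-4d6ae408c78a, Attempting to create InitialDirContext for replica: x220230apss3003 </amLogEntry>
<amLogEntry> 2012-12-12T07:40:02Z DEBUG NIDS Application: Method: JNDILogEventListener.accept Connection: 11111111-2222-3333-4444-555555555555, Environment Parameters for InitialDirContext() method call: Key: com.sun.jndi.ldap.connect.timeout, Value: 0 </amLogEntry>
<amLogEntry> 2012-12-12T07:40:05Z DEBUG NIDS Application: Method: JNDILogEventListener.accept NamingException: Connection: 11111111-2222-3333-4444-555555555555, Attempting to create InitialDirContext for replica: x220230apss3003 </amLogEntry>
<amLogEntry> 2012-12-12T07:41:10Z DEBUG NIDS Application: Method: JNDILogEventListener.accept Connection: 22222222-3333-4444-5555-666666666666, Environment Parameters for InitialDirContext() method call: Key: com.sun.jndi.ldap.connect.timeout, Value: 0 </amLogEntry>
"""

# One amLogEntry element: ISO timestamp (Z suffix dropped), level, body.
ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z\s+(\w+)\s+NIDS Application:(.*?)</amLogEntry>",
    re.S,
)
# The JNDI connection id that ties the bind attempt to its exception.
CONN_RE = re.compile(r"Connection:\s*([0-9a-f-]{36})")


def find_bind_timeouts(log_text, limit_secs=15, tolerance=1):
    """Return {connection_id: elapsed_seconds} for every bind whose
    NamingException arrived about limit_secs after the attempt started."""
    started = {}   # connection id -> time the InitialDirContext call began
    hits = {}
    for m in ENTRY_RE.finditer(log_text):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        body = m.group(3)
        conn = CONN_RE.search(body)
        if not conn:
            continue  # entries without a Connection id cannot be paired
        cid = conn.group(1)
        if "Environment Parameters for InitialDirContext()" in body:
            started[cid] = ts
        elif "NamingException" in body and cid in started:
            elapsed = (ts - started.pop(cid)).total_seconds()
            if abs(elapsed - limit_secs) <= tolerance:
                hits[cid] = elapsed
    return hits


if __name__ == "__main__":
    for cid, secs in find_bind_timeouts(SAMPLE_LOG).items():
        print(f"bind on connection {cid} failed after {secs:.0f} s")
```

Binds reported by this function with the user store timeouts set well above 15 seconds are the symptom this TID describes; a cluster of them after a slow second factor is a good signal to check the SP2 fix rather than the LDAP server.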

Resolution

Fixed in 3.2 SP2. The TCP timeout specified on IDP main configuration page will now apply to TCP connections used for the LDAP bind operation.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7012564
  • Creation Date: 06-JUN-13
  • Modified Date: 10-JUN-13
    • NetIQ Access Manager (NAM)
