LDAP bind operations hard coded to 15 secs despite the User store timeout options being increased beyond that

  • 7012564
  • 06-Jun-2013
  • 10-Jun-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 1 applied
NetIQ Access Manager 3.2 Identity Server

Situation

Access Manager setup and working fine - users can access protected resources behind the Access Gateway after authenticating successfully to the Identity (IDP) server.

Customer then rolled out a custom Phone Factor authentication class that does the following:
- asks for a username and password, which the user submits
- the back end app talks to a phone server and sends a token to the user; the user submits the token in response to the challenge
- the user is successfully authenticated

At the moment, all works fine IF the user submits the token within 15 secs of the initial LDAP bind. If the user takes more than 15 secs, the IDP server issues an LDAP unbind request and the authentication fails. Increasing all LDAP timeouts in the IDP User store configuration makes no difference: any delay longer than 15 seconds causes the authentication to fail.

The log file entries show the error:

<amLogEntry> 2012-12-12T07:39:19Z INFO NIDS Application: AM#500105014:
AMDEVICEID#DC31078D41009B18: AMAUTHID#3E98195B544527F25CF38DEAFFC3E2DA:
Attempting to authenticate user CN=ncashell,
ou=Users,dc=wpo,dc=com with provided credentials. </amLogEntry>

<amLogEntry> 2012-12-12T07:39:19Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: http-219.46.37.219-8443-Processor10
Connection: c703ee71-21a6-4129-a1c5-4d6ae408c78a, Environment Parameters for
InitialDirContext() method call:
Key: java.naming.factory.initial, Value: com.sun.jndi.ldap.LdapCtxFactory
Key: java.naming.provider.url, Value: ldap://100.118.52.138
Key: com.sun.jndi.ldap.connect.timeout, Value: 0
Key: java.naming.security.principal, Value: CN=ncashell,
ou=Users,dc=wpo,dc=com
Key: java.naming.security.authentication, Value: simple
Key: java.naming.security.credentials, Value: *****
Key: java.naming.referral, Value: follow
Key: java.naming.ldap.factory.socket, Value:
com.novell.nidp.common.util.net.client.NIDP_SocketFactory
 </amLogEntry>

// 15 secs later
<amLogEntry> 2012-12-12T07:39:34Z DEBUG NIDS Application: Method: JNDILogEventListener.accept
Thread: http-219.46.37.219-8443-Processor10
NamingException: Connection: c703ee71-21a6-4129-a1c5-4d6ae408c78a,
Attempting to create InitialDirContext for replica: x220230apss3003 </amLogEntry>

<amLogEntry> 2012-12-12T07:39:34Z DEBUG NIDS Application: Method: JNDILogEventListener.accept
Thread: http-209.46.37.219-8443-Processor10
Exception while attempting to create ldap connection! </amLogEntry>

<amLogEntry> 2012-12-12T07:39:34Z VERBOSE NIDS Application: Authentication contract 'AAAW_PhoneFactor' failed in method 'Name/Password/PhoneFactor - Form' for session 3E98195B544527F25CF38DEAFFC3E2DA. NIDPMAIN.1536CN=ncashell,ou=Users,dc=wpou,dc=com </amLogEntry>

<amLogEntry> 2012-12-12T07:39:34Z WARNING NIDS Application: Event Id: 3014668, Target: AAAW_PhoneFactor, Note 1: 3E98195B544527F25CF38DEAFFC3E2DA, Note 2: NIDPMAIN.1536CN=WPONETKG,OU=Kaplan Inc,OU=TWPC Users,dc=wpouatusi,dc=com, Note 3: Name/Password/PhoneFactor - Form, Numeric 1: 0, Data: 10.216.0.76 </amLogEntry>
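As an added example (not part of this TID and not NetIQ code), the following Python script shows how an administrator could confirm this symptom from the IDP log rather than by stopwatch. It splits the catalina-style amLogEntry records, pairs each "Attempting to authenticate user" record with the contract failure for the same session ID, and flags a failure as a suspected bind timeout when at least 15 seconds elapsed and an "Exception while attempting to create ldap connection" record was logged in between. The sample log is constructed: the first session is the one shown above, the second session (made-up AMAUTHID) is an ordinary failure 3 seconds after the bind and must not be flagged.

```python
import re
from datetime import datetime

# One <amLogEntry> ... </amLogEntry> record: timestamp, level, free-text body.
ENTRY_RE = re.compile(r"<amLogEntry>\s*(\S+)\s+(\w+)\s+(.*?)</amLogEntry>", re.S)
AUTHID_RE = re.compile(r"AMAUTHID#([0-9A-F]+)")
FAILED_RE = re.compile(r"failed in method '([^']*)' for session ([0-9A-F]+)")
CONNECT_TIMEOUT_RE = re.compile(r"com\.sun\.jndi\.ldap\.connect\.timeout, Value: (\d+)")
LDAP_ERROR = "Exception while attempting to create ldap connection"

# Constructed sample log: the session from the TID, then a second session
# (made-up AMAUTHID) that fails 3 seconds after its bind attempt.
SAMPLE_LOG = """
<amLogEntry> 2012-12-12T07:39:19Z INFO NIDS Application: AM#500105014:
AMDEVICEID#DC31078D41009B18: AMAUTHID#3E98195B544527F25CF38DEAFFC3E2DA:
Attempting to authenticate user CN=ncashell,ou=Users,dc=wpo,dc=com with provided credentials. </amLogEntry>
<amLogEntry> 2012-12-12T07:39:19Z DEBUG NIDS Application: Method: JNDILogEventListener.accept
Connection: c703ee71-21a6-4129-a1c5-4d6ae408c78a, Environment Parameters for InitialDirContext() method call:
Key: java.naming.provider.url, Value: ldap://100.118.52.138
Key: com.sun.jndi.ldap.connect.timeout, Value: 0 </amLogEntry>
<amLogEntry> 2012-12-12T07:39:34Z DEBUG NIDS Application: Method: JNDILogEventListener.accept Exception while attempting to create ldap connection! </amLogEntry>
<amLogEntry> 2012-12-12T07:39:34Z VERBOSE NIDS Application: Authentication contract 'AAAW_PhoneFactor' failed in method 'Name/Password/PhoneFactor - Form' for session 3E98195B544527F25CF38DEAFFC3E2DA. </amLogEntry>
<amLogEntry> 2012-12-12T07:40:02Z INFO NIDS Application: AM#500105014:
AMDEVICEID#DC31078D41009B18: AMAUTHID#0000AAAA1111BBBB2222CCCC3333DDDD:
Attempting to authenticate user CN=other,ou=Users,dc=wpo,dc=com with provided credentials. </amLogEntry>
<amLogEntry> 2012-12-12T07:40:05Z VERBOSE NIDS Application: Authentication contract 'AAAW_PhoneFactor' failed in method 'Name/Password/PhoneFactor - Form' for session 0000AAAA1111BBBB2222CCCC3333DDDD. </amLogEntry>
"""


def parse_entries(text):
    """Split the log into time/level/body records, collapsing wrapped lines."""
    records = []
    for ts, level, body in ENTRY_RE.findall(text):
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "level": level,
            "body": " ".join(body.split()),
        })
    return records


def correlate_bind_failures(text, threshold_seconds=15):
    """Pair each bind attempt with the contract failure for the same session
    and report how long the bind had been open when the failure was logged."""
    records = parse_entries(text)
    bind_started = {}   # session id -> time of "Attempting to authenticate user"
    findings = []
    for rec in records:
        if "Attempting to authenticate user" in rec["body"]:
            m = AUTHID_RE.search(rec["body"])
            if m:
                bind_started.setdefault(m.group(1), rec["time"])
            continue
        m = FAILED_RE.search(rec["body"])
        if not m:
            continue
        method, session = m.groups()
        started = bind_started.get(session)
        if started is None:
            continue  # failure without a bind attempt in this log slice
        # Records logged between the bind attempt and the failure. On a busy
        # IDP you would additionally key this on the thread or connection id.
        window = [r for r in records if started <= r["time"] <= rec["time"]]
        ldap_error = any(LDAP_ERROR in r["body"] for r in window)
        connect_timeout = None
        for r in window:
            t = CONNECT_TIMEOUT_RE.search(r["body"])
            if t:
                connect_timeout = t.group(1)
                break
        elapsed = (rec["time"] - started).total_seconds()
        findings.append({
            "session": session,
            "method": method,
            "elapsed_seconds": elapsed,
            "ldap_connection_error": ldap_error,
            "connect_timeout": connect_timeout,
            "bind_timeout_suspected": ldap_error and elapsed >= threshold_seconds,
        })
    return findings


if __name__ == "__main__":
    for f in correlate_bind_failures(SAMPLE_LOG):
        flag = "SUSPECTED BIND TIMEOUT" if f["bind_timeout_suspected"] else "other failure"
        print(f"{f['session']} {f['method']!r}: {f['elapsed_seconds']:.0f}s "
              f"(connect.timeout={f['connect_timeout']}) -> {flag}")
```

Run against a real catalina.out with the NIDS Application logger at DEBUG, a cluster of findings that all sit at 15 seconds with the LDAP connection exception present is the signature described in this TID; failures at arbitrary shorter durations without the exception are ordinary credential or challenge failures.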

Resolution

Fixed in 3.2 SP2. The TCP timeout specified on the IDP main configuration page now also applies to the TCP connections used for the LDAP bind operation.