Sporadic problems accessing LDAP as Authentication Server

rdit_
Regular Contributor

Hey all,

I'm using 2-factor authentication via token as the first authentication server. For authorisation I use an LDAP server as the secondary server. This works pretty well most of the time, but 1 out of 5 times I have the following problem.

Normally it's like this:

  • User opens his login site and signs in with username and PIN+token code
  • Immediately after a click on "Login" the secondary server's login page appears, where he can fill in his domain user/password.
  • After providing this information Host Checker starts and the session runs

But sporadically it's like this:

  • User opens his login site and signs in with username and PIN+token code
  • Then it takes exactly the amount of time that is defined under the auth server's Connection Timeout (30 seconds)
  • So the site is loading for 30 seconds -> after those 30 seconds the secondary server's login page appears
  • The user puts in his credentials and the login goes on at normal speed

When I decrease the timeout to 10 seconds, then it takes 10 seconds, so it's exactly that timeout.

Now I have no more ideas what could be causing that; I found out the following so far:

  • It's not a client problem; it happens on all clients
  • It's not a problem of a specific LDAP server: I swapped both in the configuration and also tested only single ones, and it happens with both
  • Both servers are reachable for sure
  • When I do a policy trace it says "User Lookup failed to LDAP server ServerXYZ", but directly after that message (meaning after the timeout) it goes on and works.
  • The connection never really fails, so the user doesn't see any messages. It's just that it takes so long sometimes and I don't have an idea why, because afterwards it's definitely working.

Would be great if someone has advice!

zanyterp_
Respected Contributor

Re: Sporadic problems accessing LDAP as Authentication Server

When you do a tcpdump on the failure, what do you see in working vs non-working cases?
Is there any replication mechanism to get this on failure?
zanyterp_
Respected Contributor

Re: Sporadic problems accessing LDAP as Authentication Server

Sorry; can you get the failure on demand?
rdit_
Regular Contributor

Re: Sporadic problems accessing LDAP as Authentication Server

Sorry for the delay, I still couldn't find the reason for this. I made a workaround by decreasing the timeout value to 5 seconds. So after 5 seconds it definitely works. I still guess the reason is somewhere at the DNS servers, or maybe that one of them is not working properly and when the request reaches that one it fails.

To your questions: No, I cannot replicate it on demand. It just happens 1 out of 5 times or so.

The tcpdump didn't really help. I will do some further research when I find the time and let you know!

Thanks already!
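A check for narrowing down where the stall happens, added here as an example and not part of any reply in this thread: it times name resolution and the TCP connect to the LDAP server separately and tallies repeated probes, so a delay that always equals the connection timeout can be attributed to the resolver (the DNS guess above), to the TCP handshake, or to neither (a stall after connect, inside the LDAP exchange itself). The `resolve`, `connect` and `clock` parameters are hypothetical names chosen so the logic can be exercised offline with stubs.

```python
import socket
import time
from dataclasses import dataclass


@dataclass
class Probe:
    resolve_ms: float        # time spent turning the hostname into an address
    connect_ms: float        # time spent in the TCP handshake to that address
    error: str = ""          # empty string means both phases succeeded


def _resolve(host, port):
    # Real resolver: first address the OS resolver returns for the LDAP host.
    return socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]


def _tcp_connect(addr, timeout):
    # Real connector: open and immediately close a TCP socket to (ip, port).
    socket.create_connection(addr, timeout=timeout).close()


def probe_once(host, port=389, timeout=5.0, resolve=_resolve,
               connect=_tcp_connect, clock=time.monotonic):
    """One probe: resolve, then connect, each phase timed on its own."""
    t0 = clock()
    try:
        addr = resolve(host, port)
    except OSError as e:                      # gaierror is an OSError
        return Probe((clock() - t0) * 1000, 0.0, f"resolve: {e}")
    t1 = clock()
    try:
        connect(addr, timeout)
    except OSError as e:
        return Probe((t1 - t0) * 1000, (clock() - t1) * 1000, f"connect: {e}")
    return Probe((t1 - t0) * 1000, (clock() - t1) * 1000)


def classify(probe, timeout, slow_factor=0.5):
    """Name the phase that consumed the timeout budget, if any."""
    budget = timeout * 1000 * slow_factor     # ms; half the timeout is 'slow'
    if probe.error.startswith("resolve") or probe.resolve_ms >= budget:
        return "dns"
    if probe.error.startswith("connect") or probe.connect_ms >= budget:
        return "tcp"
    return "ok"


def run(host, port=389, timeout=5.0, count=20, **kw):
    """Probe repeatedly; 20 samples is enough to catch a 1-in-5 fault."""
    tally = {"dns": 0, "tcp": 0, "ok": 0}
    for _ in range(count):
        tally[classify(probe_once(host, port, timeout, **kw), timeout)] += 1
    return tally
```

Run `run("your-ldap-host", timeout=30.0)` from the gateway's network position; a tally with only `ok` entries despite the symptom points past DNS and TCP to the LDAP bind/search itself.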