Discussion Forums

Liferay6.2CEGA2 integrate with LDAP- Authentication very slow -20seconds

nantien institute, modified 9 years ago.

Liferay6.2CEGA2 integrate with LDAP- Authentication very slow -20seconds

New Member Posts: 4 Join Date: 16/08/13 Recent Posts
Dear all.

I am doing Liferay 6.2 CE and LDAP integration. I hope users' screen name and password will be authenticated by Liferay, and when a user's attribute is updated, it will be exported to and update LDAP.

My problem is that it takes a very long time to authenticate via Liferay. Could you please help? Based on my knowledge, when a user tries to log in to Liferay, Liferay will contact LDAP to check this user's validity. The problem is that it takes 20-30 seconds before it completes, and that is not acceptable. Could anybody help?

My configurations are:

LDAP enabled;
Export enabled;
Use LDAP Password Policy;
the rest left unchecked.

Authentication search filter=(cn=@screen_name@)
User mapping:

screen name = cn
Email address = userPrincipalName
password=unicodePwd
First Name=given name
Middle name=middlename
Last Name=sn
Job Title=title
Group=memberof




Thanks in advance
Christoph Rabel, modified 9 years ago.

RE: Liferay6.2CEGA2 integrate with LDAP- Authentication very slow -20second

Liferay Legend Posts: 1554 Join Date: 24/09/09 Recent Posts
Well, you need to measure which operation takes that long.

Does it make a difference if you uncheck "Use LDAP Password Policy"?

Set the log level of the following packages to debug and check the log files:
com.liferay.portal.security.auth.LDAPAuth
com.liferay.portal.security.ldap.PortalLDAPUtil
(Control Panel -> Configuration -> Server Administration -> Log Levels)
(Note: These settings are reset automatically at server restart)

If you have entered the hostname of the LDAP server (like ldap.mydomain.com), try the IP. Does it make a difference? (Yes -> Maybe a DNS problem?)
Does it make a difference if you do the same searches/updates from the command line using ldapsearch?

Check the logfiles of your directory server. Mine, for example, warns if there are unindexed searches or something like that.
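
One way to measure which step takes that long, as an added example that is not part of the original posts or of Liferay: it times forward DNS, reverse DNS, TCP connect and the TLS handshake separately, so the same run can be compared for the IP and the hostname form of the server. The function names are hypothetical, and including the reverse lookup as a candidate is an assumption suggested by the DNS question above.

```python
import socket
import ssl
import sys
import time


def time_phases(phases):
    """Run (name, callable) pairs in order; return [(name, seconds, error)]."""
    results = []
    for name, fn in phases:
        start = time.perf_counter()
        error = None
        try:
            fn()
        except Exception as exc:  # record the failure, keep timing later phases
            error = f"{type(exc).__name__}: {exc}"
        results.append((name, time.perf_counter() - start, error))
    return results


def ldap_phases(host, port=636, timeout=30.0):
    """Steps a client completes before it can send its first LDAPS request."""
    state = {}

    def forward_dns():
        state["addr"] = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]

    def reverse_dns():
        socket.gethostbyaddr(state["addr"][0])  # PTR lookup of the resolved address

    def tcp_connect():
        state["sock"] = socket.create_connection(state["addr"][:2], timeout=timeout)

    def tls_handshake():
        ctx = ssl.create_default_context()  # verifies the chain and the name
        with ctx.wrap_socket(state.pop("sock"), server_hostname=host):
            pass

    return [("forward DNS", forward_dns), ("reverse DNS", reverse_dns),
            ("TCP connect", tcp_connect), ("TLS handshake", tls_handshake)]


def slowest(results):
    """Return (name, seconds) of the phase that took longest."""
    name, seconds, _ = max(results, key=lambda r: r[1])
    return name, seconds


if __name__ == "__main__":
    # Usage: python ldap_timing.py <hostname-or-ip>; run once with each form.
    for name, seconds, error in time_phases(ldap_phases(sys.argv[1])):
        print(f"{name:14s} {seconds * 1000:9.1f} ms  {error or 'ok'}")
```

A certificate error in the last phase still yields a timing; a directory certificate issued by an internal CA is rejected by the default context unless that CA is in the system trust store.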
nantien institute, modified 9 years ago.

RE: Liferay6.2CEGA2 integrate with LDAP- Authentication very slow -20second

New Member Posts: 4 Join Date: 16/08/13 Recent Posts
Hi Christoph,

Thanks for your reply. I already set those two log levels. The following is from my log. This notification is repeated 10 times. Can you see any problem?

"
01:23:25,114 DEBUG [http-bio-8080-exec-8][PortalLDAPUtil:41] -- listing properties --_java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory_java.naming.provider.url=ldaps://192.xxx.xxx.xxx:636_com.sun.jndi.ldap.connect.timeout=500_java.naming.security.principal=xxx\administrator_com.sun.jndi.ldap.connect.pool=true_java.naming.security.credentials=xxx_java.naming.referral=follow_com.sun.jndi.ldap.read.timeout=15000_ [Sanitized]
"
nantien institute, modified 9 years ago.

RE: Liferay6.2CEGA2 integrate with LDAP- Authentication very slow -20second

New Member Posts: 4 Join Date: 16/08/13 Recent Posts
5 seconds gap between two notifications

thanks
Christoph Rabel, modified 9 years ago.

RE: Liferay6.2CEGA2 integrate with LDAP- Authentication very slow -20second

Liferay Legend Posts: 1554 Join Date: 24/09/09 Recent Posts
Hmm, could you try (for testing purposes only, of course) to use ldap instead of ldaps?

If you are on Linux, you could use tcpdump to get the actual packets; with ldap (not ldaps) you should see how long the requests take.
Also, you could compare timestamps. I mean, ldap server logfile and liferay logfile. Maybe it gives you a hint where the time is lost.
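
The timestamp comparison suggested above can be done mechanically on the Liferay side. This is an added example, not code from the thread or from Liferay: it parses debug lines in the format quoted earlier and reports the gap between consecutive `PortalLDAPUtil` entries on the same request thread. The sample lines are constructed, `ldap_gaps` is a hypothetical name, and reading the gap as time spent in the preceding LDAP operation is an assumption.

```python
import re
from datetime import timedelta

# Matches the prefix of lines such as the one quoted in the thread:
# 01:23:25,114 DEBUG [http-bio-8080-exec-8][PortalLDAPUtil:41] ...
LINE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}),(\d{3})\s+\w+\s+\[([^\]]+)\]\[(\w+):\d+\]"
)

# Constructed sample, not the poster's log: two request threads, 5 s steps,
# and a rollover past midnight (the timestamps carry no date).
SAMPLE = """\
23:59:51,100 DEBUG [http-bio-8080-exec-8][PortalLDAPUtil:41] -- listing properties --
23:59:51,130 DEBUG [http-bio-8080-exec-3][PortalLDAPUtil:41] -- listing properties --
23:59:56,105 DEBUG [http-bio-8080-exec-8][PortalLDAPUtil:41] -- listing properties --
00:00:01,112 DEBUG [http-bio-8080-exec-8][PortalLDAPUtil:41] -- listing properties --
00:00:01,150 INFO  [http-bio-8080-exec-8][LDAPAuth:120] constructed line, other class
00:00:01,160 DEBUG [http-bio-8080-exec-3][PortalLDAPUtil:41] -- listing properties --
""".splitlines()


def ldap_gaps(lines, cls="PortalLDAPUtil", min_ms=1000):
    """Return (thread, gap_ms) for consecutive `cls` entries on one thread
    that are at least `min_ms` apart."""
    last_seen = {}
    gaps = []
    for raw in lines:
        m = LINE.match(raw)
        if not m or m.group(6) != cls:
            continue  # stack traces, other classes, wrapped lines
        h, mi, s, ms = (int(x) for x in m.groups()[:4])
        now = timedelta(hours=h, minutes=mi, seconds=s, milliseconds=ms)
        thread = m.group(5)
        if thread in last_seen:
            gap = now - last_seen[thread]
            if gap < timedelta(0):
                gap += timedelta(days=1)  # assumption: at most one midnight rollover
            gap_ms = gap // timedelta(milliseconds=1)
            if gap_ms >= min_ms:
                gaps.append((thread, gap_ms))
        last_seen[thread] = now
    return gaps


if __name__ == "__main__":
    for thread, gap_ms in ldap_gaps(SAMPLE):
        print(f"{thread}: {gap_ms} ms between LDAP context setups")
```

The same gaps can then be lined up against the directory server's log for the same wall-clock window to see on which side the time is spent.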
nantien institute, modified 9 years ago.

RE: Liferay6.2CEGA2 integrate with LDAP- Authentication very slow -20second

New Member Posts: 4 Join Date: 16/08/13 Recent Posts
Hi Christoph Rabel,

I found the solution finally. The solution is

Step 1. In "Base Provider URL", give it the ADDC's FQDN (like: xxx.yourdomain.com), not the IP address.
Step 2. Double-check your Liferay server's DNS server to make sure that the DNS server can resolve your ADDC's FQDN.

Thanks for your support
Amir Barkal, modified 7 years ago.

RE: Liferay6.2CEGA2 integrate with LDAP- Authentication very slow -20second

New Member Posts: 14 Join Date: 12/08/15 Recent Posts
nantien institute:
Hi Christoph Rabel,

I found the solution finally. The solution is

Step 1. In "Base Provider URL", give it the ADDC's FQDN (like: xxx.yourdomain.com), not the IP address.
Step 2. Double-check your Liferay server's DNS server to make sure that the DNS server can resolve your ADDC's FQDN.

Thanks for your support


Changing from IP address to hostname + updating local hosts file actually helps a lot and makes the authentication process much faster than before. I would like to hear an explanation as to why this happens?
BTW, the LDAP server in question is accessed using LDAPS (TLS).