LDAP authentication problems Webclient

Post any question you may have in regards to GoAnywhere Services and let our talented support staff and other users assist you.
13 posts Page 1 of 2

Joerg

Posts: 32
Joined: Wed Dec 19, 2012 9:57 am

Post by Joerg » Thu May 08, 2014 9:00 am
Hi,

First problem
sometimes (not always) we have a problem with the login of ldap users. I do not know whether that is caused by GA Services or our LDAP server system.
So I ask here :-)

If some user login the timeout error "UnexpectedLoginException: LDAPSearchException(resultCode=85 (timeout)" appears (with a long waiting time) - Not always but 40% of all logins.
If repeat the login or cancel waiting time and then repeat (refresh) login it works immediately. Also test login at ldap configuration works all the time.
Any idea?

Second problem
We have a synchronization tool for our windows clients where the "My documents" folder is automaticly mirrored and synchronized to an shared server folder.
The left side of the web clients java applet need 2 min to show the folder tree. Any idea for reasons? Or is there a possibility to change or save the start folder for the enhanced java applet?

Thank you in advance
regards
Joerg

Support_Rick

Support Specialist
Posts: 590
Joined: Tue Jul 17, 2012 2:12 pm
Location: Phoenix, AZ

Post by Support_Rick » Mon May 12, 2014 8:38 am
Joerg,

Some Questions about your 2 problems...

First Problem:

What type of LDAP Server is it? Do you have the ability to monitor the load on your LDAP Server? What is the network configuration of the LDAP Server in relation to the GoAnywhere Services Server? If you restart GoAnywhere Services, does this occur right away or does it occur after some time being active? Can you send us the exception from the log file? Also, can we get the configuration values of your LDAP Login Method?

Different LDAP Servers have different settings as far as Max Connections, Max Active Queries, Max Connection idle time, etc...

If we can get this information, we can further research your first problem and help you find a solution for this.

Second Problem:

How many files/folders exist in the "My Documents" folder? If this folder has many files and folders then it will take longer to load within the applet.
Rick Elliott
Lead Solutions Consultant
(402) 944.4242
(800) 949-4696

Joerg

Posts: 32
Joined: Wed Dec 19, 2012 9:57 am

Post by Joerg » Mon Jun 23, 2014 6:54 am
Hi Rick,

I had to collect some information about the problem and it is not so easy, because the LDAP server are far away and managed by other departments of our big firma...

But first - in this moment I tried to login into webclient and got the timeout error. Then I make only a browser refresh and I'm in my user area without login again!
Second - the problem seems to occur if the user use the lower case user name. Not always but almost always.

Here some technical informations:

LDAP server: sun server with solaris 10 sparc, soft Sun Directory Server 11.1.1.3.0 ,

I have not the ability to monitor the load on our LDAP Server but the guys from the operation service check the logs and can't find this failed login connections. The LDAP server is within our local network. We have try x times of telnet connections between the machines without any network problems.

I attached the log (only login) from june. So you can see the issues. I'll attache some LDAP config screen shots too. A restart eamination is not possible - it is a production platform and the change management wouldn't agree to restart GA :-) again and again

So I hope we found this little bug elsewhere..

Joerg
Attachments
ScreenShots.zip
(105.84 KiB) Downloaded 939 times

HTTPSAuditLog20140623.csv
HTTPS login logs
(12.18 KiB) Downloaded 830 times

Joerg

Posts: 32
Joined: Wed Dec 19, 2012 9:57 am

Post by Joerg » Wed Jun 25, 2014 3:48 am
Hi,

I've tested some accounts again and the suspicion is more and more probable that it has to do with case-sensitive login user string.

The error occurs only if the user login is in lower case letters. It is repeatable but....not always.
Maybe the browser cache plays a role or...don't know.

Joerg

Support_Rick

Support Specialist
Posts: 590
Joined: Tue Jul 17, 2012 2:12 pm
Location: Phoenix, AZ

Post by Support_Rick » Wed Jul 02, 2014 8:19 am
Joerg,

After reviewing, the first question that comes up is how many Person Entries do you have under the o=WIW base DN? If this contains numerous entries (even disabled ones) this might tend to lean more toward a more refined definition for identifying the Persons that need authenticated.
Rick Elliott
Lead Solutions Consultant
(402) 944.4242
(800) 949-4696

Joerg

Posts: 32
Joined: Wed Dec 19, 2012 9:57 am

Post by Joerg » Fri Jul 04, 2014 7:05 am
Hi Rick,

I don't know the exact number yet, but 30.000 or 40.000 entries are possible. To reduce the browsed entries or filter we need additional attributes, right? That is going to be difficult, because the user are a bunch of different people. But we will see, I've contacted some colleagues.

Nice weekeend
Joerg

Joerg

Posts: 32
Joined: Wed Dec 19, 2012 9:57 am

Post by Joerg » Fri Jul 11, 2014 4:19 am
Hi,

I've no good news. I've put a second entry in the DN field (the tip I've got from one of the LDAP guys). Yesterday we've upgraded to the newest GA versions.

But nothing helps. Each time I test it and, if I think it works well. the error occurs.

Sometimes the user logins work without problems, sometime not - without unforeseeable reasons.

I'll check the new websso possibilities, but it is unsatisfactorily... Have you any other idea?

Joerg

Support_CJ

Posts: 1
Joined: Thu May 08, 2014 1:34 pm

Post by Support_CJ » Sat Jul 12, 2014 5:10 pm
Question? is the Base DN value your using truly at the top of the directory tree? Typically the top of the directory tree is something like "dc=sitename,dc=com". I would like to see if you fully qualify the Base DN value if the timeouts don't occur. If you type in the exact Distinguished Name(DN) of the organization example "o=org,dc=sitename,dc=com".

Thanks and Have a good day!
CJ

Joerg

Posts: 32
Joined: Wed Dec 19, 2012 9:57 am

Post by Joerg » Wed Sep 10, 2014 3:38 am
Hi,

after my vacation the old problems are back.

No, the LDAP guys told me, that there are no dc params for our LDAP directory.

regards Joerg

Jonathan

Posts: 18
Joined: Wed Jan 02, 2013 5:27 am
Location: Mapledurham, UK

Post by Jonathan » Wed Sep 10, 2014 8:59 am
Hi Joerg,

If I am looking at the CSV you provided and the images correctly the authentications that return the timeout are all taking over 300,000ms to complete. The Read Timeout in your LDAP settings is set to 300, Have you tried to increase this to see if it improves or if it has the same issue.

Regards,
Jonathan
13 posts Page 1 of 2