Read_timeout setting for LDAP doesn't seem to change the read timeout

security

#1

I encountered a timeout with the LDAP server that I'm using when Shield is attempting to fetch the groups (the user lookup functions properly.) I attempted to increase the timeout to see if that would fix my issue, but it seems that the setting is being ignored (each time the error message says 5000ms, no matter what I attempt to configure it as.)

Here is the error that I'm seeing:
[2016-02-15 10:30:01,849][WARN ][shield.authc.ldap ] [Cecilia Reyes] authentication failed for user [xxx]: could not search for LDAP groups for DN [uid=aaaa,c=bb,ou=cccc,o=ddd]
cause: com.unboundid.ldap.sdk.LDAPSearchException: A client-side timeout was encountered while waiting 5000ms for a response to search request with message ID 1, base DN 'ou=eeee,ou=ffff,o=ddd', scope SUB, and
filter '(&(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(|(uniqueMember=uid=aaaa,c=bb,ou=cccc,o=ddd)(member=uid=aaaa,c=bb,ou=cccc,o=ddd)))' from server yyyy:636.

and here is the relevant section from my elasticsearch.yml file:
shield:
  authc:
    realms:
      ldap1:
        type: ldap
        order: 0
        url: "ldaps://yyyy:636"
        connect_timeout: 30s
        read_timeout: 30s
        user_search:
          base_dn: "ou=cccc, o=ddd"
          attribute: mail
        pool:
          health_check:
            enabled: false
        group_search:
          base_dn: "ou=eeee,ou=ffff,o=ddd"
        unmapped_groups_as_roles: false

I'm running ES 2.2.0 with the latest Shield plugin.

Thanks.


(Jay Modi) #2

I believe we may have the settings documented incorrectly. Can you try:

timeout.tcp_read instead of read_timeout and timeout.tcp_connect instead of connect_timeout.


#3

Thanks. Using those parameters appears to have eliminated that particular error message, although I'm now getting a
[2016-02-16 11:09:49,125][WARN ][shield.authc.ldap ] [Scrier] authentication failed for user [xxx]: could not search for LDAP groups for DN [uid=aaaa,c=bb,ou=cccc,o=ddd]
cause: com.unboundid.ldap.sdk.LDAPSearchException: time limit exceeded
but I suspect that's coming from the server and not the client.


(Jay Modi) #4

We ask the server to restrict the length of ldap search requests by default to 5s. You should be able to specify timeout.ldap_search to control this behavior.
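As an added example (not code from this thread or from Shield), the Python script below audits the realm section of an elasticsearch.yml and flags `read_timeout`/`connect_timeout`, which Shield silently ignores, naming the `timeout.tcp_read`/`timeout.tcp_connect` keys to use instead and reporting the effective `timeout.ldap_search` (5s unless set, per the reply above). It assumes the simple `key: value` YAML subset shown in the thread (parsed by a hand-written routine rather than a YAML library) and the constructed sample config embedded in it.

```python
# Setting names a Shield LDAP realm honours (per the replies above), keyed by the
# misleading names the documentation led the original poster to use.
RENAMED = {"read_timeout": "timeout.tcp_read",
           "connect_timeout": "timeout.tcp_connect"}
DEFAULT_LDAP_SEARCH = "5s"  # search time limit Shield requests from the server by default

# Constructed sample: the poster's realm section, carrying the two ignored keys.
SAMPLE_YAML = """\
shield:
  authc:
    realms:
      ldap1:
        type: ldap
        connect_timeout: 30s
        read_timeout: 30s
"""

def parse_flat_yaml(text):
    """Parse the 'key: value' subset of elasticsearch.yml into dotted keys, so that
    nested 'timeout:/tcp_read:' and dotted 'timeout.tcp_read:' compare equal. No lists."""
    flat, stack = {}, [(-1, "")]  # stack of (indent, dotted prefix) for open mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:  # climb back out of deeper mappings
            stack.pop()
        full, value = stack[-1][1] + key, value.strip().strip("\"'")
        if value:
            flat[full] = value
        else:  # a nested mapping starts on the following lines
            stack.append((indent, full + "."))
    return flat

def audit_ldap_realms(yaml_text):
    """Per ldap realm: ignored keys with the name to use, and the effective search limit."""
    prefix, realms, report = "shield.authc.realms.", {}, {}
    for key, value in parse_flat_yaml(yaml_text).items():
        if key.startswith(prefix):
            realm, _, setting = key[len(prefix):].partition(".")
            realms.setdefault(realm, {})[setting] = value
    for name, settings in realms.items():
        if settings.get("type") == "ldap":
            findings = [f"'{wrong}' is ignored; use '{right}: {settings[wrong]}'"
                        for wrong, right in RENAMED.items()
                        if wrong in settings and right not in settings]
            report[name] = {"findings": findings, "timeout.ldap_search":
                            settings.get("timeout.ldap_search", DEFAULT_LDAP_SEARCH)}
    return report
```

Running `audit_ldap_realms(SAMPLE_YAML)` reports both ignored keys for `ldap1` with a 5s search limit; a config using the nested `timeout:` block or the dotted `timeout.tcp_read:` form comes back clean.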
