users@glassfish.java.net

Problem with performance of LDAP Security Realm in Glassfish V2

From: <glassfish_at_javadesktop.org>
Date: Tue, 25 Nov 2008 06:31:50 PST

I am working on an application that is deployed to Glassfish V2, JDK 6, that provides authentication via the out-of-the-box com.sun.enterprise.security.auth.realm.ldap.ldapRealm module. It authenticates against an LDAP server over SSL (ldaps). I have configured all the Glassfish authentication realm settings correctly so the authentication is successful (i.e. Directory, BaseDN, JAASContext), and SSL certs have been set up properly also. I also configured the 'search-filter' and 'group-search-filter' realm properties according to the LDAP server settings.


The issue that I am having with the application is that a successful authentication results in a delay of typically about 30 seconds before the initial authentication-restricted page is returned to the browser. If I switch the application to use a fileRealm instead, it is only 1-2 seconds. Also, if an incorrect login is submitted to the LDAP realm, the failed authentication message is returned much more quickly (about a second), and the app displays the login failure screen immediately. I am confused as to why there is such a long delay occurring when it appears that the LDAP authentication is not to blame for the slowness (at least a failure is returned quickly). Has anyone experienced a similar problem or have any suggestions as to how I can troubleshoot what is going on?

I don't really know where to look beyond changing extra property settings (i.e. 'search-filter' etc.) that I found in a blog post to try to tune my settings. Is there additional documentation beyond the Administrator Guide for how to configure the ldapRealm? It does not really mention the optional property settings that I found online, that I have been able to find anyway. Is there something else that could be wrong in my configuration that would cause a delay? As I mentioned, there is no delay when a fileRealm is used instead.

Looking at the highest-level security module logs shows that Glassfish appears to reach the point where it locates the user DN, then pauses before returning successful login.

Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [<user>] into realm: <realm> using JAAS module: ldapRealm
Login module initialized: class com.sun.enterprise.security.auth.login.LDAPLoginModule
search: baseDN: <baseDN> filter: uid=<user>
Found user DN: <DN>

------ pause ------

LDAP: Group memberships found:
LDAP: login succeeded for: <user>
JAAS login complete.
JAAS authentication committed.


Thanks for any advice!

Micah
[Message sent by forum member 'mwengren' (mwengren)]

http://forums.java.net/jive/thread.jspa?messageID=318646
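
Added example, not part of the original post and not GlassFish code: one way to pin down which step of the login sequence quoted above is slow is to read the timestamps of the security log records and report large gaps between consecutive records on the same request thread. The record layout, the logger name, the thread ids and the sample timestamps below are assumptions constructed for illustration; the message texts are the ones from the post.

```python
import re
from datetime import datetime

# Assumed record layout of the server log (an assumption, not taken from the post):
# [#|timestamp|level|product|logger|key=value;...|message|#]
RECORD = re.compile(r"\[#\|([^|]+)\|[^|]*\|[^|]*\|([^|]*)\|([^|]*)\|(.*?)\|#\]", re.S)

# Constructed sample: two logins interleaved on threads 21 and 22.
SAMPLE_LOG = """
[#|2008-11-25T06:31:20.100-0800|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=21;|Logging in user [<user>] into realm: <realm> using JAAS module: ldapRealm|#]
[#|2008-11-25T06:31:20.300-0800|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=21;|search: baseDN: <baseDN> filter: uid=<user>|#]
[#|2008-11-25T06:31:20.450-0800|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=21;|Found user DN: <DN>|#]
[#|2008-11-25T06:31:25.000-0800|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=22;|search: baseDN: <baseDN> filter: uid=<user>|#]
[#|2008-11-25T06:31:25.200-0800|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=22;|Found user DN: <DN>|#]
[#|2008-11-25T06:31:25.400-0800|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=22;|LDAP: Group memberships found:|#]
[#|2008-11-25T06:31:50.450-0800|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=21;|LDAP: Group memberships found:|#]
[#|2008-11-25T06:31:50.460-0800|FINE|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=21;|LDAP: login succeeded for: <user>|#]
"""

def slow_gaps(log_text, threshold_s=5.0):
    """Return (thread, seconds, message_before, message_after) for every pair of
    consecutive security records on one thread that are >= threshold_s apart."""
    last = {}   # thread id -> (timestamp, message) of the previous record
    gaps = []
    for ts, logger, kv, msg in RECORD.findall(log_text):
        if "security" not in logger:
            continue  # only the security logger is of interest here
        tid = re.search(r"_ThreadID=(\d+)", kv)
        key = tid.group(1) if tid else "?"
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
        msg = msg.strip()
        if key in last:
            delta = (when - last[key][0]).total_seconds()
            if delta >= threshold_s:
                gaps.append((key, delta, last[key][1], msg))
        last[key] = (when, msg)
    return gaps

if __name__ == "__main__":
    for thread, secs, before, after in slow_gaps(SAMPLE_LOG):
        print(f"thread {thread}: {secs:.1f}s between {before!r} and {after!r}")
```

Grouping by thread keeps concurrent logins from masking or inventing a gap; on the constructed sample the only gap reported is the one between the user DN lookup and the group membership result.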