
Oracle Access Manager 12c How To Update the LDAPReadTimeout Value To Avoid LDAP connection timeout issues "... LDAP response read timed out, timeout used:2000ms." (Doc ID 2476158.1)

Last updated on NOVEMBER 17, 2023

Applies to:

Oracle Access Manager - Version 12.2.1.3.0 and later
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.


Goal

 

LDAP Read Timeout (LDAPReadTimeout) - Sometimes the LDAP server can become unresponsive, causing the thread/user to wait for a response or an error. To avoid waiting too long for an error when the server is not responding, Security Token Service sets a read timeout property on the LDAP connection. If the LDAP server does not respond before the read timeout period, an error is generated. Security Token Service closes the connection, opens a new one and re-issues the LDAP command.

Background

In OAM 11gR1 (OAM 11.1.1.3 BP05 and later) the default value was 1500ms. Starting with OAM 11gR2 it was changed to 2000ms.

If the backend LDAP server does not execute the OAM LDAP operation to authenticate the user within 2 seconds (the default out-of-the-box setting for 11gR2 PS2), the authentication fails.

The default value of 2000ms should ideally suffice.
If the OAM LDAP operations take more than 2000ms, this typically indicates an LDAP directory performance problem, and the LDAP server should be tuned.

However, it is possible to configure the LdapReadTimeout for each OAM Identity Store by changing the default value manually in the oam-config.xml file.

Related OAM 11g KM Notes

  • How to Update LDAP Response Read Timed out (Doc ID 2188915.1)
  • OAM 11g Login Error "An Incorrect Username or Password was Specified" Displayed Intermittently (Doc ID 1496120.1)
  • Using OAM 11.1.2.3.0 and OID 11.1.1.9.3: the SSO Login Failed with the Message: An incorrect Username or Password was specified (Doc ID 2384608.1)
  • OVD 11g: OAM Intermittently Fails with: OAMSSA-20012 An Incorrect Username or Password was Specified / OAM Log Shows: javax.naming.NamingException: LDAP response read timed out, timeout used:2000ms.; remaining name <user DN> (Doc ID 1614924.1)

 

With Oracle Access Manager (OAM) 12c the above no longer applies.

OAM 12c is hard-coded to 2000ms (com.sun.jndi.ldap.read.timeout) and was not changeable until the fix provided in <Bug:27963081>.

Some symptoms reported in 12c, supported by log file errors related to LDAP connection timeouts such as "LDAP response read timed out, timeout used:2000ms.":

  • User Identity Store creation fails for LDAP servers with large dataset (large number of users). When creating a User Identity Store the "Test Connection" Fails with ...
<Error> <oracle.oam.user.identity.provider> <OAMSSA-20051> <Failure testing connection : LDAP response read timed out, timeout used: 20000 ms.>
  • Intermittent authentication issues

This note provides the steps to update the LDAP response read timeout (called LDAPReadTimeout in OAM 11g) through the OAM 12c parameter ORACLE_OAM_JNDILDAPREADTIMEOUT.
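
As an added example (not part of the Oracle note): a small Python triage script that scans server log lines for the read-timeout message quoted above, groups hits by the timeout value in effect and by minute, and flags bursts, which helps tell intermittent failures apart from a sustained directory performance problem. The sample lines, their timestamp layout and the names parse_line, summarize and burst_threshold are constructed or hypothetical.

```python
import re
from collections import Counter

# Matches both spellings quoted in this note: "timeout used:2000ms." and "timeout used: 20000 ms."
TIMEOUT_RE = re.compile(r"LDAP response read timed out, timeout used:\s*(\d+)\s*ms")
CODE_RE = re.compile(r"<(OAMSSA-\d+)>")
# Assumption: records start with a "<Mon d, yyyy h:mm:ss AM TZ>" timestamp field.
STAMP_RE = re.compile(r"<(\w{3} \d{1,2}, \d{4}),? (\d{1,2}:\d{2}):\d{2}(?:,\d+)? ([AP]M)")

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    "<Nov 17, 2023 10:15:02 AM UTC> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20051> "
    "<Failure testing connection : LDAP response read timed out, timeout used: 20000 ms.>",
    "<Nov 17, 2023 10:15:09 AM UTC> <Error> <example.subsystem> <javax.naming.NamingException: "
    "LDAP response read timed out, timeout used:2000ms.; remaining name uid=user1,dc=example,dc=com>",
    "<Nov 17, 2023 10:15:40 AM UTC> <Error> <example.subsystem> <javax.naming.NamingException: "
    "LDAP response read timed out, timeout used:2000ms.; remaining name uid=user2,dc=example,dc=com>",
    "<Nov 17, 2023 10:16:05 AM UTC> <Info> <example.subsystem> <login ok>",
    "<Nov 17, 2023 10:22:31 PM UTC> <Error> <example.subsystem> <javax.naming.NamingException: "
    "LDAP response read timed out, timeout used:2000ms.; remaining name uid=user3,dc=example,dc=com>",
]

def parse_line(line):
    """Return (minute_bucket, timeout_ms, oam_code) for a read-timeout record, else None."""
    hit = TIMEOUT_RE.search(line)
    if not hit:
        return None
    stamp = STAMP_RE.search(line)
    bucket = " ".join(stamp.groups()) if stamp else "unknown"
    code = CODE_RE.search(line)
    return bucket, int(hit.group(1)), code.group(1) if code else None

def summarize(lines, burst_threshold=3):
    """Count read timeouts per timeout value and per minute; list minutes at or over the threshold."""
    by_timeout, by_minute = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_minute[rec[0]] += 1
            by_timeout[rec[1]] += 1
    bursts = sorted(m for m, n in by_minute.items() if n >= burst_threshold)
    return {"by_timeout_ms": dict(by_timeout), "by_minute": dict(by_minute), "bursts": bursts}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Hits that still report 2000 ms after a change show the new value is not in effect on that server; many hits in one minute point at the directory rather than a single slow request.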

 

 

Solution
