
Oracle Access Manager 12c PS3 (OAM 12.2.1.3) How To Update the LDAPReadTimeout Value (Doc ID 2476158.1)

Last updated on FEBRUARY 04, 2020

Applies to:

Oracle Access Manager - Version 12.2.1.3.0 and later
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.

Goal

LDAP Read Timeout (LDAPReadTimeout) - Sometimes the LDAP server becomes unresponsive, leaving the thread (and the user) waiting for either a response or an error. To avoid waiting too long for an error when the server is not responding, Security Token Service sets a read timeout property on the LDAP connection. If the LDAP server does not respond before the read timeout expires, an error is generated: Security Token Service closes the connection, opens a new one and re-issues the LDAP command.

Background
In OAM 11gR1 (OAM 11.1.1.3 BP05 and later) the default value was 1500ms. Starting with OAM 11gR2 it was changed to 2000ms.

If the backend LDAP server does not complete the OAM LDAP operation that authenticates the user within 2 seconds (the out-of-the-box default for 11gR2 PS2), the authentication fails.

The default value of 2000ms should normally suffice.
If OAM LDAP operations take longer than 2000ms, this typically indicates a performance problem in the LDAP directory, and the LDAP server should be tuned.

However, in 11g the LdapReadTimeout can be configured for each OAM Identity Store by changing the default value manually in the oam-config.xml file.

With OAM 12c (12.2.1.3.x) the above no longer applies.

OAM 12c hard codes 2000ms (com.sun.jndi.ldap.read.timeout); the value was not changeable until the fix provided by <Bug:27963081>.

Symptoms reported on 12c, supported by LDAP connection timeout errors in the log files such as "LDAP response read timed out, timeout used:2000ms", include:

  • User Identity Store creation fails for LDAP servers with a large data set (large number of users)
  • Intermittent authentication issues

This note provides the steps to update the setting that OAM 11g called LDAP Response Read Timeout (LDAPReadTimeout); in OAM 12c the corresponding parameter is called ORACLE_OAM_JNDILDAPREADTIMEOUT.
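The mechanism described above, as an added example that is not part of this note or of OAM's own code: a JNDI LDAP client whose read timeout is set through the same com.sun.jndi.ldap.read.timeout property the note names, binding against a local "directory" that accepts the TCP connection but never answers. That is how an overloaded LDAP server looks to OAM, and the NamingException message is the one quoted in the symptoms above. The bind DN, password and retry count are constructed for the illustration; the example does not show how ORACLE_OAM_JNDILDAPREADTIMEOUT itself is set, which is covered in the Solution section.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Illustration of a JNDI LDAP read timeout; not OAM code. */
public class LdapReadTimeoutDemo {

    /** Accepts TCP connections and holds them open without ever replying. */
    static ServerSocket startUnresponsiveLdap() throws IOException {
        ServerSocket server = new ServerSocket(0); // ephemeral loopback port
        List<Socket> held = new ArrayList<>();    // keep sockets open so the client never sees EOF
        Thread t = new Thread(() -> {
            try {
                while (true) {
                    held.add(server.accept());
                }
            } catch (IOException closed) {
                // server.close() ends the loop
            }
        });
        t.setDaemon(true);
        t.start();
        return server;
    }

    /**
     * Binds with the given read timeout (milliseconds) and returns the
     * NamingException message on failure, or null if the bind succeeded.
     */
    static String bindWithReadTimeout(String url, int readTimeoutMs) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=oamadmin,dc=example,dc=com"); // constructed value
        env.put(Context.SECURITY_CREDENTIALS, "not-a-real-password");        // constructed value
        // Bound the TCP connect and, separately, the wait for any single LDAP reply.
        env.put("com.sun.jndi.ldap.connect.timeout", "1000");
        env.put("com.sun.jndi.ldap.read.timeout", Integer.toString(readTimeoutMs));

        long start = System.nanoTime();
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // sends the bind request and waits for the reply
            return null;
        } catch (NamingException e) {
            long elapsedMs = (System.nanoTime() - start) / 1_000_000;
            System.out.printf("bind failed after %d ms: %s%n", elapsedMs, e.getMessage());
            return e.getMessage();
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ServerSocket server = startUnresponsiveLdap();
        String url = "ldap://127.0.0.1:" + server.getLocalPort();
        try {
            // Same sequence the note describes: error, close, open a new connection, re-issue.
            // Each attempt fails after roughly 2000 ms with a message like
            // "LDAP response read timed out, timeout used:2000ms." (wording varies slightly by JDK).
            for (int attempt = 1; attempt <= 3; attempt++) {
                String msg = bindWithReadTimeout(url, 2000);
                if (msg == null) {
                    break;
                }
            }
        } finally {
            server.close();
        }
    }
}
```

Two points worth checking when reproducing this: with the read timeout left unset (or 0) the bind against the silent server never returns, which is the behaviour the timeout exists to prevent; and raising the value only lengthens how long an authentication thread is tied up before the error, so the note's advice to tune the directory when operations exceed 2000ms stands.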

Solution

