Symantec Access Management

  • 1.  CA Directory idle timeout message to client

    Posted May 14, 2019 02:45 PM

    Hello,

     

    A question relating to CA Directory (R12.6 SP4), though I think in general.

    I would like to know if CA Directory sends a message to clients who may be on the other side of an idle connection when the directory closes that connection according to 'user-idle-timeout'.

     

    In my testing I do not see this in server and client tracing, so I would just like a confirmation as to whether this is done or not.

    (I also cannot find anything in directory standards that requires this.)

    There is 'LDAP_TIMELIMIT_EXCEEDED', but that is normally for operations, etc. that take longer than the server allows. This I have seen. But not in the case where an idle connection is closed by the directory server. (The client may not even be there anymore and just did not close the connection)

     

    Hope that is clear.

     

    thanks very much

    Rob



  • 2.  Re: CA Directory idle timeout message to client
    Best Answer

    Broadcom Employee
    Posted May 15, 2019 09:35 AM

    I am not aware of any message that is sent.  The user is disconnected but not notified.  The amount of time before the disconnect per the timeout is controlled by:

    https://support.ca.com/cadocs/0/CA%20Directory%2012%200%20SP14-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?administration.htm

     

    set user-idle-time Command

    The set user-idle-time command specifies the maximum time a user is idle before being disconnected. 

    When a user is idle for too long, that user is disconnected. This reduces the number of users connected and lets new users connect to the DSA.

    This command has the following format:

        set user-idle-time = time;

    time
        Specifies the maximum idle time in seconds.



  • 3.  Re: CA Directory idle timeout message to client

    Broadcom Employee
    Posted May 15, 2019 09:50 AM

    Hi Rob,

     

    Scott is spot on. We (CA Directory DSA) do not send a message to the client application when a connection reaches the user-idle-time value. What you will notice is the WARN log of the DSA reporting a timeout message.

     

    I just tested this by

    * setting 'set user-idle-time = 60;' via DXconsole of my test DSA (NOTE: time is in seconds, so that is 1 minute).

    * Connected to it via JXplorer LDAP browser as an 'anonymous' user.

    * Left it alone for 2+ minutes and checked the warn log, which showed:

     

    [12] 20190515.093943.009 WARN : Idle association 1 ( - ) timed out after 61 seconds

     

    As you can see, at the 61st second that connection was dropped as an 'Idle association', as the user-idle-time I had configured was 60 seconds.

     

     

    Hope this helps.

     

    Cheers,

    Hitesh



  • 4.  Re: CA Directory idle timeout message to client

    Posted May 15, 2019 10:07 AM

    Thanks Scott and Hitesh.

    Yes. That is what I find. I also cannot find any directory standard, X.500 or LDAP, that requires such a message to be sent to the client.

    We are dealing with an application vendor that has problems with idle connections that the directory terminates, and who says that the directory must send a message to the client saying that the connection will be terminated, so they can deal with it (i.e. the client always expects connections they've opened to be alive).

     

    I've explained what I said in this query, but I needed this as 'paper' proof.

     

    Thanks very much

    Rob
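The behaviour this thread establishes, as an added example that is not part of the original posts and not CA Directory's own code: a small Python simulation of a server that drops idle associations without notifying the peer (only writing a WARN-style line to its own log, as in Hitesh's test), next to the two client behaviours Rob describes. The naive client assumes an open socket is a live association and discovers the drop only as an EOF or reset on its next operation; the reconnecting client treats that failure as "association gone" and retries on a fresh connection. The line-based request/reply protocol, the log line format, the idle_time values and all class and function names are constructed stand-ins for the example, not LDAP/BER or CA Directory's implementation.

```python
"""Simulation of a directory server that drops idle associations without
telling the client, plus a naive and a reconnecting client.  The line
protocol, log format and timings are constructed stand-ins, not CA Directory's."""
import socket
import threading
import time


class IdleTimeoutServer:
    """Accepts connections and closes any that stay idle for idle_time seconds.

    As described in the thread: on timeout the server only writes a WARN-style
    line to its own log and closes the socket.  Nothing is sent to the peer.
    """

    def __init__(self, idle_time):
        self.idle_time = idle_time          # stands in for 'set user-idle-time'
        self.log = []                       # stands in for the DSA warn log
        self._assoc = 0
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))    # loopback, ephemeral port
        self._srv.listen()
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, _ = self._srv.accept()
            self._assoc += 1
            threading.Thread(target=self._serve, args=(conn, self._assoc),
                             daemon=True).start()

    def _serve(self, conn, assoc_id):
        last_activity = time.monotonic()
        conn.settimeout(self.idle_time)     # recv() raises once idle_time passes
        try:
            while True:
                try:
                    data = conn.recv(4096)
                except socket.timeout:
                    idle_for = round(time.monotonic() - last_activity)
                    self.log.append(f"WARN : Idle association {assoc_id} "
                                    f"timed out after {idle_for} seconds")
                    return                  # finally: close(); no notice is sent
                if not data:
                    return                  # client closed first
                last_activity = time.monotonic()
                conn.sendall(b"OK " + data)  # echo stands in for an LDAP result
        finally:
            conn.close()


def naive_request(sock, payload):
    """Client that assumes an open socket is a live association.

    Returns the reply; b"" means the peer had already closed (EOF).  A
    ConnectionError may be raised instead if the server answered with RST.
    """
    sock.sendall(payload + b"\n")
    return sock.recv(4096).rstrip(b"\n")


class ReconnectingClient:
    """Client that treats a failed send/recv as 'association gone' and
    reconnects and retries exactly once, expecting no warning from the server."""

    def __init__(self, port):
        self.port = port
        self.reconnects = 0
        self._connect()

    def _connect(self):
        self._sock = socket.create_connection(("127.0.0.1", self.port))
        self._sock.settimeout(5)

    def _exchange(self, payload):
        self._sock.sendall(payload + b"\n")
        reply = self._sock.recv(4096)
        if not reply:
            raise ConnectionResetError("peer closed the association (EOF)")
        return reply.rstrip(b"\n")

    def request(self, payload):
        try:
            return self._exchange(payload)
        except (ConnectionError, socket.timeout):
            self._sock.close()
            self.reconnects += 1
            self._connect()
            return self._exchange(payload)


def demo(idle_time=1.0):
    """Run both clients against the server across one idle period."""
    server = IdleTimeoutServer(idle_time)
    naive_sock = socket.create_connection(("127.0.0.1", server.port))
    naive_sock.settimeout(5)
    client = ReconnectingClient(server.port)
    first = client.request(b"bindRequest")       # served on the first association
    time.sleep(idle_time * 2)                    # both associations idle out and are dropped
    try:
        reply = naive_request(naive_sock, b"searchRequest")
        naive_outcome = "EOF" if reply == b"" else reply.decode()
    except ConnectionError as exc:
        naive_outcome = type(exc).__name__
    second = client.request(b"searchRequest")    # fails on the dead socket, retried on a new one
    naive_sock.close()
    return {"first": first, "second": second, "naive_outcome": naive_outcome,
            "reconnects": client.reconnects, "log": list(server.log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the server log filling with "Idle association N timed out" lines while the naive client sees nothing until its next request, which comes back as EOF (or a reset); the reconnecting client completes the same request on a new association. This is the contract a client library has to implement itself: the server's idle timer is visible only in the server's log, never on the wire.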