Causes for instant Timelimit error when accessing AD via java

Question

I am trying to chase down a problem with CAS that is causing the following exception to be thrown:

javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; remaining name ''
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3097)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
        at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:295)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:361)...

The error is returned virtually instantly. The client side timeout is set to 10 seconds, but that isn't occuring as, based on looking through the com.sun.jndi.ldap code, it appears that the domain controller is returning a response with a status of 3, indicating a time limit exceeded.

We are hitting an Active Directory global catalog, and our filter and base are pretty broad: base = '', filter = (proxyAddresses=*:someone@somewhere.com) However, the query succeeds sometimes, but returns an immediate status code 3.

Does anyone know what might be causing this kind of behavior? Or perhaps how to go about determining what exactly is occurring?

Answer 1

Turns out our search filter was too broad.

As you can see, we were using a wildcard in the filter, and the query took a little less than 2 seconds.

However, 2 seconds is far shorter than the Active Directory configured time limit so I couldn't figure out why the error was occurring immediately (not even taking 2 seconds when it failed).

I assume AD must have been accruing the time taken by multiple requests from the same account, and at some point began returning the time limit exceeded error.

To solve it, we modified the search filter so that it no longer included a wildcard. The search then runs almost instantaneously, and the time limit exceeded no longer occurs.