Hello
I am using Keycloak User Federation to synchronise users with LDAP (read and write).
On my LDAP server I have more than 10,000 users, distributed in a hierarchical structure. To achieve tenant isolation I adopted ACL rules with a regex on the organization.
# Per-tenant ACL: entries under ou=People,o=<tenant> are readable only by that
# tenant's ROUSER and writable only by its RWUSER ($1 = captured tenant name,
# $$ = literal end-of-DN anchor, escaped because $ is the substitution marker).
# The "by" clauses are LDIF continuation lines and must start with a space.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.regex="ou=People,o=([^,]+),dc=company,dc=com$"
  by dn.regex="^uid=ROUSER,ou=admin,o=$1,dc=company,dc=com$$" read
  by dn.regex="^uid=RWUSER,ou=admin,o=$1,dc=company,dc=com$$" write
I found that in this situation my ldapsearch sometimes takes more than 10 seconds,
and in the LDAP server log I see that a lot of ABANDON operations are performed.
In the Keycloak log I can see the following exceptions:
Caused by: javax.naming.InterruptedNamingException: Interrupted during LDAP operation; remaining name 'ou=People,o=department,dc=company,dc=com'
at java.naming/com.sun.jndi.ldap.Connection.readReply(Connection.java:445)
at java.naming/com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:639)
at java.naming/com.sun.jndi.ldap.LdapClient.search(LdapClient.java:562)
at java.naming/com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2014)
at java.naming/com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1873)
at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
at java.naming/com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
at java.naming/javax.naming.directory.InitialDirContext.search(InitialDirContext.java:276)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$3.execute(LDAPOperationManager.java:256)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$3.execute(LDAPOperationManager.java:253)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:731)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:711)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:706)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:253)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:279)
... 74 more
I also tried to set the Connection/Read timeout in the LDAP federation settings, as in the screenshot,
but it does not seem to affect the LDAP search timeout, since after a few seconds the search is ABANDONED anyway.
Is there any way to configure Keycloak to have a longer timeout for ldapsearch?
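To sanity-check that the per-tenant ACL above really isolates tenants (the cross-tenant case is the one worth testing before tuning timeouts), here is an added example, not from the original post, that models slapd's `dn.regex` evaluation of this exact rule in Python: it substitutes the `$1` capture from the `to` clause into each `by` clause, unescapes `$$` to a literal `$`, and applies the first matching `by` clause. The tenant names and DNs are constructed samples, and the substitution semantics are a simplified model of slapd's, an assumption rather than its real code.

```python
import re

# The ACL from the post, transcribed as data (OpenLDAP olcAccess dn.regex clauses).
TARGET_RE = r"ou=People,o=([^,]+),dc=company,dc=com$"
BY_CLAUSES = [
    (r"^uid=ROUSER,ou=admin,o=$1,dc=company,dc=com$$", "read"),
    (r"^uid=RWUSER,ou=admin,o=$1,dc=company,dc=com$$", "write"),
]
# OpenLDAP privilege ordering: a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def expand_subject(by_regex: str, match: re.Match) -> str:
    """Substitute $1..$9 captures from the <what> regex into the <by> regex.
    Captures are inserted verbatim (simplified model of slapd's substitution,
    an assumption); a literal '$' is written '$$' in olcAccess, so it is
    unescaped only after the numbered captures have been replaced."""
    out = re.sub(r"\$([1-9])", lambda m: match.group(int(m.group(1))), by_regex)
    return out.replace("$$", "$")


def granted_access(target_dn: str, bind_dn: str) -> str:
    """Return the access level this ACL grants bind_dn on target_dn.
    As in slapd, only the first matching <by> clause applies."""
    m = re.search(TARGET_RE, target_dn)   # dn.regex is unanchored unless it uses ^
    if not m:
        return "none"                     # the ACL does not cover this entry
    for by_regex, level in BY_CLAUSES:
        if re.search(expand_subject(by_regex, m), bind_dn):
            return level
    return "none"                         # implicit trailing "by * none"


def allows(target_dn: str, bind_dn: str, requested: str) -> bool:
    """True if the granted level is at least the requested one."""
    return LEVELS.index(granted_access(target_dn, bind_dn)) >= LEVELS.index(requested)


if __name__ == "__main__":
    # Constructed sample DNs for two tenants, "acme" and "globex".
    acme_user = "uid=alice,ou=People,o=acme,dc=company,dc=com"
    globex_user = "uid=bob,ou=People,o=globex,dc=company,dc=com"
    acme_ro = "uid=ROUSER,ou=admin,o=acme,dc=company,dc=com"
    acme_rw = "uid=RWUSER,ou=admin,o=acme,dc=company,dc=com"
    print(allows(acme_user, acme_ro, "read"))     # True
    print(allows(acme_user, acme_ro, "write"))    # False
    print(allows(acme_user, acme_rw, "write"))    # True
    print(allows(globex_user, acme_rw, "read"))   # False: cross-tenant access denied
```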