LDAP timeout error | AEM Oak
You have configured LDAP authentication via AEM 1 and it is failing to allow LDAP users to log in. You see the log message below:
    Caused by: org.apache.directory.api.ldap.model.exception.LdapException: TimeOut occurred
        at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4106)
        at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1290)
        at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1188)
        at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:127)
        at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:112)
        at org.apache.directory.ldap.client.api.DefaultLdapConnectionFactory.bindConnection(DefaultLdapConnectionFactory.java:64)
        at org.apache.directory.ldap.client.api.DefaultLdapConnectionFactory.newLdapConnection(DefaultLdapConnectionFactory.java:107)
        at org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory.makeObject(ValidatingPoolableLdapConnectionFactory.java:133)
        at org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory.makeObject(ValidatingPoolableLdapConnectionFactory.java:59)
        at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1188)
        at org.apache.directory.ldap.client.api.LdapConnectionPool.getConnection(LdapConnectionPool.java:123)
        at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.connect(LdapIdentityProvider.java:771)
        ... 57 common frames omitted
The trace shows where the wait happens: LdapIdentityProvider.connect borrows a connection from the pool, the pool has to create a new one, and the bind with the configured service account never gets an answer within the timeout. That usually means the LDAP server is down or unresponsive, or is unreachable from the AEM host because of a network or firewall problem. Note that a firewall or load balancer that silently drops packets produces exactly this timeout; one that actively rejects the connection would show up as a "connection refused" error instead, so the symptom already tells you something about where to look.
To fix the issue, you need to debug the connection from AEM to the LDAP server. Here are some things to check:
- Check that the LDAP server is accessible from a machine other than the AEM server, using an LDAP browser such as JXplorer. If it is not accessible from anywhere, it is probably down or there is a network or firewall issue; contact your network operations team and the team that manages your LDAP servers to investigate.
- If the LDAP server is accessible from other machines, test from the AEM server's operating system itself: install an LDAP client there and connect to the LDAP server with the same Bind DN and password that AEM uses. On Linux, use the ldapsearch command; on Windows, use JXplorer.
- If the AEM server OS can reach the LDAP server but LDAP-based login in AEM still fails, check the “LDAP Identity Provider” configuration. Log in to the OSGi Web Console (http://aem-host:port/system/console/configMgr) and search for “Apache Jackrabbit Oak LDAP Identity Provider”. Things to try that might resolve the issue:
  - Fine-tune the “User base DN”, “User extra filter”, “Group base DN” and “Group extra filter” so the searches return only the users and groups AEM actually needs; broad searches against a large directory are slow and can run into the timeout.
  - Make sure the “Bind DN” and “Bind password” are correct.
  - Uncheck “Admin pool lookup on validate” and “User pool lookup on validate”.
  - Increase the “Search Timeout”.
Screenshot of the LDAP Identity Provider configuration
- At most enterprise customers LDAP is load-balanced. You may also see this problem if the load balancer in front of the LDAP servers has blacklisted the AEM server's IP address for some reason; if so, engage the LDAP team to resolve it. As a quick test, point AEM at one LDAP server's IP directly, bypassing the load balancer, and see whether LDAP authentication in AEM succeeds. Switch the configuration back to the load-balanced address once the test is done, so AEM does not stay tied to a single node.
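The checks above, worked through as a script you would run from the AEM host. This is an added example, not code from the Adobe article: it probes the LDAP port so that a dropped connection (the timeout case in the stack trace) can be told apart from a refused one, then binds with the identity provider's service account and reads the root DSE with hard limits so the test itself cannot hang, first through the load balancer and then against each backend directly for the bypass test. The host names, Bind DN, password file path and the RUN_LDAP_CHECKS switch are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example (not from the Adobe article): walk the troubleshooting checks from the
# AEM host and classify what comes back, so a "TimeOut occurred" in the Oak log can be
# tied to a cause: dropped packets vs. refused connection vs. bad bind or base DN.
# Every value below is a placeholder assumption; override it via the environment.
LDAP_VIP=${LDAP_VIP:-ldap.example.com}               # address the Oak LDAP IdP points at (load balancer)
LDAP_PORT=${LDAP_PORT:-389}
LDAP_BACKENDS=${LDAP_BACKENDS:-"ldap1.example.com ldap2.example.com"}  # nodes behind the LB
BIND_DN=${BIND_DN:-"cn=aem-svc,ou=services,dc=example,dc=com"}         # "Bind DN" from the IdP config
BIND_PW_FILE=${BIND_PW_FILE:-/etc/aem/ldap-bind.pw}  # "Bind password", kept out of argv and history
TIMEOUT=${TIMEOUT:-5}                                # seconds; shorter than the IdP "Search Timeout"

# tcp_probe HOST PORT [SECONDS] -> open | refused | timeout | unknown
# A RST ("refused") proves the host or load balancer is reachable and rejecting us; no
# answer at all ("timeout") means packets are dropped: firewall DROP rule, host down, or the
# load balancer silently blackholing the AEM IP. Only the second case produces the Apache
# Directory API timeout seen in the stack trace. An unresolvable name also lands in
# "refused" here, so confirm DNS (getent hosts HOST) before trusting that verdict.
tcp_probe() {
    host=$1; port=$2; secs=${3:-$TIMEOUT}
    if command -v timeout >/dev/null 2>&1 && command -v bash >/dev/null 2>&1; then
        # bash opens a TCP socket via /dev/tcp; timeout(1) exits 124 when nothing answers
        if timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null; then
            rc=0
        else
            rc=$?
        fi
        case $rc in
            0)   echo open ;;
            124) echo timeout ;;
            *)   echo refused ;;
        esac
    else
        echo unknown
    fi
}

# interpret_ldap_rc CODE -> one-line meaning of an ldapsearch exit status.
# ldapsearch exits with the LDAP result code, or 255 (-1) when it never got a response.
# 49 and 32 are good news for this problem: the server answered, so the fault is configuration.
interpret_ldap_rc() {
    case $1 in
        0)      echo "ok: bind succeeded and the root DSE was read" ;;
        49)     echo "invalidCredentials: server reachable; check Bind DN and Bind password" ;;
        32)     echo "noSuchObject: server reachable; check User/Group base DN" ;;
        255|-1) echo "server down / no response: network, firewall, load balancer or LDAP server" ;;
        *)      echo "LDAP result code $1" ;;
    esac
}

# ldap_bind_test HOST PORT -> bind with the IdP's service account and read the root DSE,
# with hard limits (-o nettimeout, -l, -z) so this test cannot hang the way the pool did.
ldap_bind_test() {
    host=$1; port=$2
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed (openldap-clients / ldap-utils)"; return 0; }
    [ -r "$BIND_PW_FILE" ] || { echo "bind password file $BIND_PW_FILE not readable"; return 0; }
    if ldapsearch -x -H "ldap://$host:$port" -D "$BIND_DN" -y "$BIND_PW_FILE" \
            -o nettimeout="$TIMEOUT" -l "$TIMEOUT" -z 1 \
            -b "" -s base '(objectClass=*)' namingContexts >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    interpret_ldap_rc "$rc"
}

# run_checks -> probe through the load balancer, then each backend directly (the bypass
# test from the last step). A VIP that times out while the backends answer points at the LB.
run_checks() {
    for target in "$LDAP_VIP" $LDAP_BACKENDS; do
        label="direct to backend"
        [ "$target" = "$LDAP_VIP" ] && label="via load balancer"
        echo "== $label: $target:$LDAP_PORT"
        state=$(tcp_probe "$target" "$LDAP_PORT")
        echo "   tcp:  $state"
        if [ "$state" = open ]; then
            echo "   ldap: $(ldap_bind_test "$target" "$LDAP_PORT")"
        fi
    done
}

# Only probe when explicitly asked, so the file can also be sourced for its functions.
if [ -n "${RUN_LDAP_CHECKS:-}" ]; then
    run_checks
fi
```

Run it on the AEM host as, for example, `RUN_LDAP_CHECKS=1 LDAP_VIP=ldap.corp.example LDAP_BACKENDS="10.0.1.11 10.0.1.12" BIND_DN='cn=aem-svc,ou=services,dc=example,dc=com' sh ldap-path-check.sh` (hypothetical values and file name). Read the output top to bottom: "timeout" on the VIP with "open" on the backends is the load-balancer blacklist case; "open" everywhere with "invalidCredentials" means the network is fine and the Bind DN or password in the identity provider configuration is wrong; "ok" everywhere while AEM still fails points at the base DNs, filters or search timeout in the OSGi configuration.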