Symptoms
The Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) search base is too large, so the ECS LDAP timeout value is exceeded. This results in intermittent login failures for domain users.
Cause
With the current AD or LDAP search base, the user has to be found within numerous folders on the AD or LDAP server, and the search does not succeed within the ECS LDAP timeout period of 1000 milliseconds.
Typically, in this situation, the search base is assigned to the root location of the AD server.
Resolution
Troubleshooting
- Change the search base temporarily to the direct location of a test user who is affected by the intermittent login failure.
- Log in as that user multiple times to confirm successful logins.
- If the user now logs in successfully every time, the size of the original search base is causing searches to exceed the default LDAP timeout of 1000 milliseconds.
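The same comparison can be made from a client, shown here as an added example that is not part of the original article or Dell EMC tooling: it times a lookup of the test user under each candidate search base and compares the slowest of five runs with the 1000 millisecond timeout. It assumes OpenLDAP `ldapsearch`, GNU `date`, a subtree search on `sAMAccountName`, and placeholder host and DN values; timings taken from a workstation only approximate what ECS observes.

```shell
#!/bin/sh
# Added example: time a user lookup under candidate search bases.
# Assumes OpenLDAP ldapsearch and GNU date (%N); the filter attribute is an assumption.
TIMEOUT_MS=1000   # default ECS LDAP timeout quoted in the article

# verdict MS -> "exceeds" if the lookup took longer than the timeout, else "within"
verdict() {
  if [ "$1" -gt "$TIMEOUT_MS" ]; then echo exceeds; else echo within; fi
}

# worst_ms MS... -> slowest sample; intermittent failures follow the slow tail, not the mean
worst_ms() {
  max=0
  for ms in "$@"; do
    if [ "$ms" -gt "$max" ]; then max=$ms; fi
  done
  echo "$max"
}

# lookup_ms URI BIND_DN PW_FILE BASE USER -> elapsed ms; fails if the bind or search fails
# or the user is not found under BASE. -y uses the whole file, so no trailing newline.
lookup_ms() {
  start=$(date +%s%N)
  out=$(ldapsearch -x -LLL -H "$1" -D "$2" -y "$3" -b "$4" -s sub \
        "(sAMAccountName=$5)" dn 2>/dev/null) || return 1
  end=$(date +%s%N)
  case $out in dn:*) ;; *) return 1 ;; esac
  echo $(( (end - start) / 1000000 ))
}

# compare_bases URI BIND_DN PW_FILE USER BASE... -> one result line per search base
compare_bases() {
  uri=$1; bind_dn=$2; pw_file=$3; user=$4; shift 4
  for base in "$@"; do
    samples=""
    for i in 1 2 3 4 5; do
      ms=$(lookup_ms "$uri" "$bind_dn" "$pw_file" "$base" "$user") || { echo "$base: lookup failed"; continue 2; }
      samples="$samples $ms"
    done
    worst=$(worst_ms $samples)   # unquoted on purpose: split into one argument per sample
    echo "$base: worst of 5 lookups = ${worst} ms ($(verdict "$worst"))"
  done
}

# Runs only when arguments are given (all values here are placeholders):
#   sh ldap_base_timing.sh ldaps://ad.example.com 'CN=svc,DC=example,DC=com' pw.txt \
#      testuser 'DC=example,DC=com' 'OU=Staff,DC=example,DC=com'
if [ "$#" -ge 5 ]; then compare_bases "$@"; fi
```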
Resolution
Change the search base from the AD server root location to a more specific location so that searches do not exceed the LDAP timeout value of 1000 milliseconds.
If the size of the search base cannot be limited and the search base must remain at the root location of the AD server, open a Service Request (SR) and quote this article so that Dell EMC ECS support can review the LDAP timeout configuration value. ECS must be at a minimum code level of 3.4.0.1 before the LDAP timeout change is implemented on all VDCs in the federation.
Additional Information
Whenever there is an ECS software upgrade, the LDAP timeout value changes back to the default of 1000 milliseconds. After the upgrade, check the value and change it to the configured value.