|
Active Directory Plug-In Timeout values |
|
|
Written by Philip Rinehart
|
|
Tuesday, 26 September 2006 |
One of the problems that has recently cropped up in our deployment of Active Directory is the long timeouts logging in when users leave the internal network.
Why is the such a problem?
The AD plug-in expects to be able to communicate with the GC (Global Catalog) Domain Controllers when logging in. If not, most of our users were experiencing large timeout values, sometimes as long as 20 minutes when off campus. This behavior in large part is due to a very common configuration, keeping the Domain Controllers behind a firewall, thus being unresolveable when not on the internal network.
For our deployment, this was a show stopper, as mobile users simply could not tolerate long delays when off campus. How could we potentially solve this issue? The solution lies in editing the ActiveDirectory.plist. The Directory Access utility allows direct configuration of the LDAP timeout, the Active Directory plug-in does not. Opening up the plist from /Library/Preferences/DirectoryService, search for the relevant sections of the plist. In this case, there is one top level key:
LDAP Connection Timeout
240
By default it is set at 240 seconds, or 4 minutes. That doesn't seem so bad, does it? Wait, there is more...
AD GC Node
AD KP Server Port
464
AD KP Servers
1
dc.example.com
AD Kerberos Server Port
88
AD Kerberos Servers
1
dc2.example.com
LDAP Connection Timeout
240
LDAP SearchBase
LDAP Server Port
3268
LDAP Servers
1
dc.example.com
2
dc.example2.com
This is a nested dictionary, containing timeout values for each domain controller. The more domain controllers, the longer the timeout value. In this case, our environment had 5 domain controllers. Simple math really for the timeout, 5 controllers x 4 minutes = 20 minutes delays!
Ouch! The solution is simple, edit the values for the Connection timeout, and the delay will be reduced by many orders of magnitude. This is critical for mobile users, as there information is cached, so the delay reduction should not cause problems. Note though, this file has the potential to change upon rebinding, or changing of any value in the AD Plug-in.
To make this a little less painful, here is a script which can be run after joining a machine, or any other time to change the values back to a lower value.
#!/usr/bin/python
import plistlib
import sys
try:
plist = plistlib.Plist.fromFile('/Library/Preferences/DirectoryService/ActiveDirectory.plist')
for key in plist['AD Domain Node List']:
plist['AD Domain Node List'][key]['LDAP Connection Timeout'] =
plist['LDAP Connection Timeout'] =
plist.write('/Library/Preferences/DirectoryService/ActiveDirectory.plist')
except IOError, (strerror):
print strerror
except:
print "Unexpected error:", sys.exc_info()[0]
Note: This code will overwrite your existing Active Directory configuration. Best practice is to backup the file first, this code is mainly intended as an example of how one can change keys using a script. Additionally, this example code, does not have timeout values, insert the desired values in the code above.
 Add as favourites (265) |  Quote this article on your site | E-mail
Only registered users can write comments.
Please login or register. Powered by AkoComment Tweaked Special Edition v.1.4.4 |
|
Last Updated ( Tuesday, 13 March 2007 )
|
