How to Resolve CA Advanced Authentication: Timeout Fetching Users

CA Advanced Authentication is a multi-factor, risk-based authentication solution from Broadcom that conveniently extends the capability of CA Single Sign-On (formerly SiteMinder) to protect web applications.

Problem

Typically, after installing an instance of CA Advanced Authentication, you test the implementation with the ca-strongauth-sampleapp sample application or by making your own API calls directly. In some scenarios, you may encounter a persistent Server Request Timeout error when making a Fetch User call.

Investigating the logs may reveal errors similar to those below:

01/08/20 01:37:36.157 INFO  TXNNATIVE   00008988 00007019 - [UDS] Either Read Timeout occurred after [10000 ms] or connection [00000224AD610500] is closed by UDS server!
06/08/20 01:37:36.157 DEBUG TXNNATIVE   00008988 00007019 - [UDS] TRACE: CallTrace::Leaving : [UdsServiceDefaultImpl::RSPCallbacktmp op [GETUSER] context []]. time : 10002

Cause

If the user store is configured to use Active Directory and the search base is set to an OU higher up in the tree (often the case if you have multiple OUs holding user accounts in different departments), numerous LDAP referrals can occur, which can slow the lookup down enough to hit the read timeout seen in the logs.

Solution

CA Advanced Authentication has a property file, udserver.init, which can be configured to ignore LDAP referrals by setting the following flag:

LDAP_REFFERAL_IGNORE_FLAG=ignore
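
To confirm whether the timeouts persist after the change, the log can be scanned for the pattern shown under Problem. The script below is an added example, not part of the original article or of the CA product; its parsing is based only on the two log lines quoted above, the sample input is constructed, and treating the two numeric columns as a per-request key is an assumption.

```python
import re
from collections import Counter

# Constructed sample, modelled on the two log lines quoted in the article,
# plus one fast GETUSER call that must NOT be reported.
SAMPLE_LOG = """\
01/08/20 01:37:36.157 INFO  TXNNATIVE   00008988 00007019 - [UDS] Either Read Timeout occurred after [10000 ms] or connection [00000224AD610500] is closed by UDS server!
01/08/20 01:37:36.157 DEBUG TXNNATIVE   00008988 00007019 - [UDS] TRACE: CallTrace::Leaving : [UdsServiceDefaultImpl::RSPCallbacktmp op [GETUSER] context []]. time : 10002
01/08/20 01:37:40.010 DEBUG TXNNATIVE   00008988 00007020 - [UDS] TRACE: CallTrace::Leaving : [UdsServiceDefaultImpl::RSPCallbacktmp op [GETUSER] context []]. time : 212
"""

# timestamp, level, component, two numeric columns, message
LINE = re.compile(r"^(\S+ \S+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\w+) - (.*)$")
TIMEOUT = re.compile(r"Read Timeout occurred after \[(\d+) ms\]")
LEAVING = re.compile(r"CallTrace::Leaving : \[.*? op \[(\w+)\].*\]\. time : (\d+)")

def find_uds_timeouts(text):
    """Return one record per UDS read timeout, enriched with the operation
    and elapsed time from the next CallTrace line carrying the same key."""
    pending = {}   # (col4, col5) -> timeout record awaiting its trace line
    results = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip continuation lines or unknown formats
        stamp, _level, _component, col4, col5, msg = m.groups()
        key = (col4, col5)  # assumption: these columns identify the request
        hit = TIMEOUT.search(msg)
        if hit:
            rec = {"time": stamp, "limit_ms": int(hit.group(1)),
                   "op": None, "elapsed_ms": None}
            pending[key] = rec
            results.append(rec)
            continue
        trace = LEAVING.search(msg)
        if trace and key in pending:
            rec = pending.pop(key)
            rec["op"] = trace.group(1)
            rec["elapsed_ms"] = int(trace.group(2))
    return results

def summarize(text):
    """Count timeouts per UDS operation (for example GETUSER)."""
    return Counter(r["op"] for r in find_uds_timeouts(text))

if __name__ == "__main__":
    for rec in find_uds_timeouts(SAMPLE_LOG):
        print(rec)
```

Run it against the log before and after setting the flag; a GETUSER count that drops to zero indicates the referral chasing was the cause.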