Articles‎ > ‎

Fixing Active Directory timeout values

posted Dec 22, 2008, 7:24 AM by Philip Rinehart   [ updated Dec 22, 2008, 7:24 AM by Greg Neagle ]
Written by Philip Rinehart   
Tuesday, 26 September 2006
One of the problems that has recently cropped up in our deployment of Active Directory is the long timeouts logging in when users leave the internal network. Why is the such a problem?

The AD plug-in expects to be able to communicate with the GC (Global Catalog) Domain Controllers when logging in. If not, most of our users were experiencing large timeout values, sometimes as long as 20 minutes when off campus. This behavior in large part is due to a very common configuration, keeping the Domain Controllers behind a firewall, thus being unresolveable when not on the internal network. 

For our deployment, this was a show stopper, as mobile users simply could not tolerate long delays when off campus. How could we potentially solve this issue? The solution lies in editing the ActiveDirectory.plist. The Directory Access utility allows direct configuration of the LDAP timeout, the Active Directory plug-in does not. Opening up the plist from /Library/Preferences/DirectoryService, search for the relevant sections of the plist. In this case, there is one top level key: 

LDAP Connection Timeout
By default it is set at 240 seconds, or 4 minutes. That doesn't seem so bad, does it? Wait, there is more... 

                AD GC Node

AD KP Server Port 464
AD KP Servers 1 AD Kerberos Server Port 88 AD Kerberos Servers
1 LDAP Connection Timeout 240 LDAP SearchBase LDAP Server Port 3268 LDAP Servers 1 2
This is a nested dictionary, containing timeout values for each domain controller. The more domain controllers, the longer the timeout value. In this case, our environment had 5 domain controllers. Simple math really for the timeout, 5 controllers x 4 minutes = 20 minutes delays! 

Ouch! The solution is simple, edit the values for the Connection timeout, and the delay will be reduced by many orders of magnitude. This is critical for mobile users, as there information is cached, so the delay reduction should not cause problems. Note though, this file has the potential to change upon rebinding, or changing of any value in the AD Plug-in. 

To make this a little less painful, here is a script which can be run after joining a machine, or any other time to change the values back to a lower value.

import plistlib
import sys

plist = plistlib.Plist.fromFile('/Library/Preferences/DirectoryService/ActiveDirectory.plist')
for key in plist['AD Domain Node List']:
plist['AD Domain Node List'][key]['LDAP Connection Timeout'] =
plist['LDAP Connection Timeout'] =
except IOError, (strerror):
print strerror
print "Unexpected error:", sys.exc_info()[0]
Note: This code will overwrite your existing Active Directory configuration. Best practice is to backup the file first, this code is mainly intended as an example of how one can change keys using a script. Additionally, this example code, does not have timeout values, insert the desired values in the code above.
Last Updated ( Tuesday, 13 March 2007 )