Timeout error after enabling LDAP Nested search for Microsoft Active Directory

Once you enable Nested search option while searching the SCIM users or groups, the time taken for the SCIM API to response might be increased. As a result, sometimes you might see that the SCIM search returns empty or 504 Gateway timeout error in the logs.

Symptoms

• 504 Gateway timeout error is displayed.
• Or, you get no response.

Cause

• The connection needs more time than usual to search SCIM users or groups.
• You might be searching many SCIM users or groups in a single query after enabling the Nested search option.
• The underlying LDAP server has many nesting levels.

Resolving the problem

1. Increase the OCP (OpenShift Container Platform) route timeout by using the following code:

   oc -n <your-foundational-services-namespace> annotate route cp-console --overwrite haproxy.router.openshift.io/timeout=60s
   

2. Disable the Nested search if it is not required. LDAP Nested Search can be a very expensive operation and it can go worse if the nesting level increases.