0
votes

My application has LDAP authentication for users.

When I authenticate, it takes a very long time to complete, about 10 to 15 seconds. If I immediately log out and log in again, it takes just 100 ms or something, a very short time. After some time, when I try to log in again, it again takes 10-15 seconds.

It is very fast when we connect from my personal Windows machine, but it takes time from our web server machine.

What could be the reason behind this issue?

Below is my code; it succeeds but takes time to complete. If I refresh this page again it is instantaneous.

<?php
// Enable libldap debug output (level 7) to see where the time goes.
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

// Our IP address
$l = ldap_connect("ldap://1.2.3.4:389");
ldap_set_option($l, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($l, LDAP_OPT_REFERRALS, 0);

// This takes a very long time.
ldap_bind($l, "CN=work,OU=XX-ALL,DC=Example,DC=com", "workPassword");
echo(ldap_error($l) . "\n");

2 Answers

1
votes

It may be worth mentioning what LDAP server you are using. If you are using Windows AD/LDAP, this may be useful:

Windows tries to retrieve a fresh CRL (certificate revocation list) from both its own and third-party servers. This looks like it times out in exactly 15 seconds. This might be the case if the machine is isolated or doesn't have internet access to those resources (blocked/firewall, slow connection, etc.).

If your CA/certificate is already available on the web server, you can try lowering the timeout to see if it solves the issue.

We just need to follow these steps on the server:

Start gpedit.msc -> Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> Turn off automatic root certificate update = Enabled

Start gpedit.msc -> Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policy -> Certificate Path Validation Path. Select the "Network Retrieval" tab and enable "Define these policy settings". Deselect "Automatic update root…." and, most importantly, set the timeout values to 1.

0
votes

You can grab a network packet capture (e.g. Wireshark); since you're using clear-text LDAP, it would be readable. You'll see fine-resolution timestamps on the packets and can identify where the delay occurs. You can also break out the time for the different components of the authentication process within the code to get a better idea of what is taking a long time (example below).

Are there underlying network problems, for instance a lot of retransmitted packets?

Where SSL is used, negotiating the SSL session can take a long time.

Do you get different results using the load-balanced VIP (if one exists) and each directory server? There could be a specific server that is performing poorly. I've also run across load balancer configurations that introduced a great deal of delay (the VIP was slow, each directory server was fine) and been able to engage the network team by providing good statistics.

<?php
// Turn off all error reporting so a failing server does not break the status page.
error_reporting(0);

// Current wall-clock time in seconds as a float (replaces the explode()-based microtime() parsing).
function now() {
    return microtime(true);
}

function getLDAPBindTime($strHostname, $iPort, $strDescription) {
    $ldaprdn  = 'uid=SystemAccount,ou=SystemIDs,o=Company';
    $ldappass = 'SystemAccountPassword';
    $ldaproot = 'ou=SystemIDs,o=Company';
    $iUserObjectClass = 'inetOrgPerson';
    echo "<tr><td>$strHostname</td><td>$strDescription</td>";

    $strConnectString = "ldaps://" . $strHostname . ":" . $iPort;

    // Status: 0 = bind and search OK, 1 = connect failed, 2 = bind failed, 5 = bind OK but search failed.
    $ldaperrflag = 0;
    $totalbegintime = now();
    // Initialised up front so the arithmetic below is defined even when a stage is skipped.
    $bindbegintime = $querybegintime = $totalbegintime;

    // Note: ldap_connect() only validates the URL; the socket (and TLS session) is opened
    // lazily on the first operation, so most of the real connect cost shows up as bind time.
    $ds = ldap_connect($strConnectString);
    if ($ds) {
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        $bindbegintime = now();

        $ldapbind = ldap_bind($ds, $ldaprdn, $ldappass);
        if (!$ldapbind || ldap_errno($ds) != 0) {
            $ldaperrflag = 2;
        } else {
            $querybegintime = now();
            $scriteria = "(&(objectClass=$iUserObjectClass))";
            $sr = ldap_search($ds, $ldaproot, $scriteria);
            $info = $sr ? ldap_get_entries($ds, $sr) : false;
            // The directory is expected to hold more than three system accounts under $ldaproot.
            if ($info === false || $info["count"] <= 3) {
                $ldaperrflag = 5;
            }
        }
        ldap_close($ds);
    } else {
        $ldaperrflag = 1;
    }
    $totalendtime = now();

    $totaltime    = round(($totalendtime - $totalbegintime) * 1000, 2);
    $totalconnect = round(($bindbegintime - $totalbegintime) * 1000, 2);
    $totalbind    = round(($querybegintime - $bindbegintime) * 1000, 2);
    $totalquery   = round(($totalendtime - $querybegintime) * 1000, 2);

    if ($ldaperrflag == 1 || $ldaperrflag == 2) {
        echo "<td><font color=red>Failed to connect or bind to server</font></td><td>n/a</td><td>n/a</td><td>n/a</td><td>$totaltime ms</td>";
    } elseif ($ldaperrflag == 5) {
        echo "<td><font color=red>Bind successful, search failed</font></td><td>$totalconnect ms</td><td>$totalbind ms</td><td>$totalquery ms</td><td>$totaltime ms</td>";
    } else {
        echo "<td><font color=green>Bind and search successful</font></td><td>$totalconnect ms</td><td>$totalbind ms</td><td>$totalquery ms</td><td>$totaltime ms</td>";
    }
    echo "</tr>";
}

set_time_limit(300);

echo "<html><head><title>iPlanet LDAP Service Status</title></head><body>";
echo "<h3>iPlanet LDAP Service Status</h3>";

echo "<table cellpadding=1 border=1>";
echo "<tr><td><b>Server</b></td><td><b>Description</b></td><td><b>Status</b></td><td><b>Connect Time</b></td><td><b>Bind Time</b></td><td><b>Query Time</b></td><td><b>Total Time Elapsed</b></td></tr>";

getLDAPBindTime("VIPName.company.gTLD", 636, "ldap.company.gTLD VIP");
getLDAPBindTime("hostname1.company.gTLD", 1636, "LDAP Master Server");
getLDAPBindTime("hostname2.company.gTLD", 1636, "LDAP Master Server");

echo "</table><p>";
putenv('TZ=GMT');
echo "<font size=-1><p><i>Current time in GMT is ";
echo date("d M Y H:i");
echo '</i><p><a href="https://site.company.gTLD:1977/svcstatus/">Back</a></font>';

echo "</body></html>";
?>
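The status script above times connect, bind and search, but because PHP's ldap_connect() does not open a socket until the first operation, DNS lookup, TCP handshake and TLS handshake all collapse into "bind time". The following added example (not code from either answer or from the asker) times each of those stages with its own call and its own timeout, runs several rounds so a cold first round can be compared with warm ones, and includes an offline analysis function that names the dominant stage of the slowest round. The hostname, port, bind DN and password are placeholders passed on the command line; the sample round data at the bottom is constructed to mimic the "first login 15 s, next login 100 ms" symptom from the question.

```php
<?php
// Added example: per-stage timing of an LDAP login (DNS, TCP, TLS, bind).
// Usage: php ldap_stage_timing.php <host> <port> <bindDN> <password> [tls]
// Without arguments it analyses a constructed sample instead of probing a server.
declare(strict_types=1);

/** Probe one login and return each stage's duration in milliseconds (plus 'error' on failure). */
function probeLdapStages(string $host, int $port, string $bindDn, string $password, bool $useTls): array
{
    $t = [];

    // 1. Name resolution. gethostbyname() returns the name unchanged when it cannot resolve.
    $s = microtime(true);
    $ip = gethostbyname($host);
    $t['dns_ms'] = (microtime(true) - $s) * 1000;
    if ($ip === $host && !filter_var($host, FILTER_VALIDATE_IP)) {
        $t['error'] = "DNS resolution failed for $host";
        return $t;
    }

    // 2. Raw TCP connect with an explicit 5 s timeout, independent of the LDAP library.
    $ctx = stream_context_create(['ssl' => ['peer_name' => $host]]);
    $s = microtime(true);
    $sock = @stream_socket_client("tcp://$ip:$port", $errno, $errstr, 5.0, STREAM_CLIENT_CONNECT, $ctx);
    $t['tcp_ms'] = (microtime(true) - $s) * 1000;
    if ($sock === false) {
        $t['error'] = "TCP connect failed: $errstr ($errno)";
        return $t;
    }

    // 3. Optional TLS handshake on that socket; certificate chain validation happens here.
    if ($useTls) {
        $s = microtime(true);
        $ok = @stream_socket_enable_crypto($sock, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
        $t['tls_ms'] = (microtime(true) - $s) * 1000;
        if ($ok !== true) {
            fclose($sock);
            $t['error'] = 'TLS handshake failed (check the server certificate chain)';
            return $t;
        }
    }
    fclose($sock);

    // 4. The real LDAP bind. ldap_connect() only parses the URL; libldap opens its own
    //    socket (and, for ldaps://, its own TLS session) inside ldap_bind().
    $scheme = $useTls ? 'ldaps' : 'ldap';
    $s = microtime(true);
    $ds = ldap_connect("$scheme://$host:$port");
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5); // bound the bind instead of hanging
    $bound = @ldap_bind($ds, $bindDn, $password);
    $t['bind_ms'] = (microtime(true) - $s) * 1000;
    if (!$bound) {
        $t['error'] = 'bind failed: ' . ldap_error($ds);
    }
    ldap_unbind($ds);
    return $t;
}

/** Offline analysis: find the slowest round and the stage that dominates it. */
function slowestStage(array $rounds): array
{
    $worst = null;
    foreach ($rounds as $i => $r) {
        $total = 0.0;
        $max = ['stage' => '', 'ms' => 0.0];
        foreach (['dns_ms', 'tcp_ms', 'tls_ms', 'bind_ms'] as $k) {
            $v = (float) ($r[$k] ?? 0.0);
            $total += $v;
            if ($v > $max['ms']) {
                $max = ['stage' => $k, 'ms' => $v];
            }
        }
        if ($worst === null || $total > $worst['total_ms']) {
            $worst = ['round' => $i, 'total_ms' => $total] + $max;
        }
    }
    return $worst;
}

if (PHP_SAPI === 'cli' && $argc >= 5) {
    [, $host, $port, $dn, $pw] = $argv;
    $useTls = ($argv[5] ?? '') === 'tls';
    $rounds = [];
    for ($i = 0; $i < 3; $i++) {          // round 0 is cold; later rounds hit warm caches
        $rounds[] = probeLdapStages($host, (int) $port, $dn, $pw, $useTls);
        sleep(2);
    }
} else {
    // Constructed sample (not real measurements): a cold round dominated by the bind, then a fast one.
    $rounds = [
        ['dns_ms' => 1.2, 'tcp_ms' => 0.9, 'bind_ms' => 15012.0],
        ['dns_ms' => 0.1, 'tcp_ms' => 0.8, 'bind_ms' => 95.0],
    ];
}
foreach ($rounds as $i => $r) {
    echo "round $i: " . json_encode($r) . "\n";
}
$w = slowestStage($rounds);
printf("slowest round %d: %.1f ms total, dominated by %s (%.1f ms)\n", $w['round'], $w['total_ms'], $w['stage'], $w['ms']);
```

If the raw TCP and TLS stages are fast but the bind stage alone sits at a fixed value round after round, the delay is inside the directory server or its host (the fixed 15 s CRL retrieval timeout described in the other answer is one such case); if the TLS stage is slow, look at certificate chain and revocation checking on the web server; if DNS or TCP is slow only on the first round, the web server's resolver or ARP/route cache is the place to look.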