xMII LDAP User Configuration query problem

Former Member
0 Kudos

Hi,

We have configured all the queries in the LDAP User Configuration for authentication using Active Directory, but we have had performance problems at login. We set the logs to debug mode and saw that a query is executed to read all users of each role of the user who is trying to log in, and after that, for each user returned by that query, their attributes are read. This takes a lot of time when there is a large number of users.

In order to solve this situation, we put a dummy query in the “Select Users for Role” field that does not return anything when executed; this made the login better.

Is it possible to use another method to avoid this execution at login?

Regards,

Rodrigo Ponce de Leó

Accepted Solutions (1)

Former Member
0 Kudos

Hi Ringo,

The LDAP user configuration is for authorization of a user. The Login Policies are for authentication.

After a user's username and password are verified, xMII then asks for the user's custom attributes, roles, and role attributes (if any).

Typically, the role attribute query can slow things down a lot because many customers have a lot of roles and xMII has to query each role for attributes.

If you aren't using any custom attributes on a role you can delete that query and that should speed things up.

Hope that helps,

- Tim

Former Member
0 Kudos

Hi Tim,

The problem is not with the role attributes or user attributes query; basically it is with the Select Users for Role query noted in Step #6 below. The pattern of what happens when a user logs in (in our case using NTLM):

1. User credentials are received

2. Read the user (Select User Query)

3. Read user attributes (Select User Attributes Query)

4. Read user roles (Select Roles for the User Query)

5. Read role name for each user role (Select role by Distinguished Name)

6. Read users for each role of the user from step 4 (Select users for role). Problem in performance because some roles have hundreds of users.

7. Read each user from step 6 (Select user by Distinguished Name Query).

I appreciate all recommendations to improve this situation.

Regards,

Rodrigo Ponce de Leó

Former Member
0 Kudos

Hi Rodrigo,

I think your last four queries are mixed up. The "select roles for user" and "select role by distinguished name" queries work together. The first query selects the user distinguished name. It then feeds it into the second query so it can search all the groups' "member" attribute looking for the user's distinguished name. Unfortunately, "joins" aren't possible with the SQL-like syntax for the LDAP setup, so I had to do the querying in two stages.

This is also true for the "select users for role" which I also changed below.

Unfortunately, the naming of the query fields seems to be causing confusion with customers, and the help documentation may not be as clear with the explanation of the fields.

The four queries below are what they should be. (Try these and see if they speed things up)

Select roles for User:

select distinguishedName from OU=QNI,OU=Stainless Steel Materials where objectCategory=user and sAMAccountName=?

Select role by distinguished name:

select name from OU=QNI,OU=Stainless Steel Materials where objectCategory=group and member=?

Select users for Role:

select distinguishedName from OU=QNI,OU=Stainless Steel Materials where objectCategory=group and name=?

Select user by distinguished name:

select sAMAccountName name from OU=QNI,OU=Stainless Steel Materials where objectCategory=user and memberOf=?

- Tim

Former Member
0 Kudos

Hi Tim,

Thanks for the answer. I tested the queries and I got the following results:

Select roles for User. The result is the user distinguished name. Query test returned 1 record.

Select role by distinguished name. The results are all user roles. Query test returned 84 records.

Select users for Role. The result is the distinguished name of each user role. Query is called 84 times and returned 1 record in each one.

Select user by distinguished name. The results are all users for each user role. Query is called 84 times and in the first call returned 650 records.

I did one test from the browser and the time is better now, because it doesn't read the role attributes, but I have one question: why does the Security Manager need all users for each role of the user logging in? Is the execution of these last two queries necessary?

If your answer is that the execution is not necessary, I believe that for our scenario it is better to put a dummy query in the select users for role field that does not return anything for the next query.

Regards,

Rodrigo

Former Member
0 Kudos

Rodrigo,

Select roles for User. The result is the user distinguished name. Query test returned 1 record. => Correct

Select role by distinguished name. The results are all user roles. Query test returned 84 records. => Correct

Select users for Role. The result is the distinguished name of each user role. Query is called 84 times and returned 1 record in each one. => Correct

Select user by distinguished name. The results are all users for each user role. Query is called 84 times and in the first call returned 650 records. => Correct (means there are 650 users in that role)

The last two queries I don't believe are needed in general use, you should be able to just delete all the text in the last two query boxes.

As you have seen, the "Role attributes" query is a slow one because it tries to read the attributes for each of the roles that the user belongs to, and if they belong to a lot of roles it can be slow. So, if you don't need any of the attributes on the role for your navigation pages, you can delete the text in that query box as well.

- Tim
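
An added example, not part of the original thread and not SAP's code: a small Python model of the call pattern Rodrigo measured above, counting LDAP calls and records read for one login with all four query boxes set, with a dummy "Select users for Role" query, and with the last two boxes emptied. The base DN, user names and all role sizes except the 650-member role are constructed, and the model assumes an empty query box is simply not executed.

```python
from collections import Counter

BASE = "OU=Example,DC=corp,DC=test"   # constructed base DN, not from the thread
USER = f"CN=rodrigo,{BASE}"           # constructed DN for the user logging in

def make_directory(role_sizes):
    """Constructed directory: group DN -> member DNs; USER belongs to every group."""
    return {
        f"CN=role{i},{BASE}":
            [f"CN=user{i}_{j},{BASE}" for j in range(size - 1)] + [USER]
        for i, size in enumerate(role_sizes)
    }

def simulate_login(directory, user_dn, mode="full"):
    """Return (total calls, total records read) for one login.

    mode: 'full'    - all four query boxes configured
          'dummy'   - 'Select users for Role' runs but returns nothing
          'deleted' - last two boxes empty (assumed: not executed at all)
    """
    calls, records = Counter(), Counter()

    def run(box, rows):
        calls[box] += 1
        records[box] += len(rows)
        return rows

    # One call resolves the user's DN, one call finds every group listing it.
    run("Select roles for User", [user_dn])
    roles = run("Select role by distinguished name",
                [g for g, members in directory.items() if user_dn in members])

    if mode != "deleted":
        for role in roles:
            # Called once per role; each result feeds the member lookup below.
            group_dns = run("Select users for Role",
                            [] if mode == "dummy" else [role])
            for dn in group_dns:
                run("Select user by distinguished name", directory[dn])

    return sum(calls.values()), sum(records.values())

if __name__ == "__main__":
    # 84 roles as in the thread; one has 650 members, the other sizes are constructed.
    directory = make_directory([650] + [20] * 83)
    for mode in ("full", "dummy", "deleted"):
        print(mode, simulate_login(directory, USER, mode))
```

The dummy query still costs one call per role, while emptying both boxes removes the per-role calls entirely; in both cases the user's own role list is still read, so role-based authorization of that user does not depend on the last two queries in this model.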

Former Member
0 Kudos

Hi Tim,

Thank you for your answers. I will not use these queries in the future, and the performance is very good now.

Regards,

Rodrigo
