
Selecting users and groups from LDAP Server

We are running PAM 4.1 and are looking into upgrading from the Command Control policy engine to the Access Control policy engine. When creating a user role, if we drill down into our LDAP server to add a user/group, we get the following, with the three dots animating, but minutes pass without anything being displayed. We do have many users/groups in eDir, but how long do we need to wait until entries start appearing? Our users OU has ~400k entries and we have the Base DN of the eDir LDAP Server set to the user OU.

  • 0  

    Hi Achinayoung,

    Try the below in the sequence mentioned:

    1) In PAM LDAP configuration, set the scope to 'Subtree' and retry the LDAP browsing. (Assuming the scope is set to 'One' in the PAM LDAP configuration).

    2) If the above does not work, in the PAM LDAP configuration, set the "baseDN" to the parent container of the Users container and retry the LDAP browsing.

    Regards

    -KPRajesh

  • 0 in reply to

    I tried #1 and that only lists the two OUs underneath ou=users. If I click on ou=users, I am back where I started, with the three dots in a wave pattern for minutes on end with no users displayed.

    I tried #2 and, with scope="Subtree", get something similar to attempt #1. If I click on "users", I am back where I started, with the three dots in a wave pattern for minutes on end with no users displayed.

    Seems PAM is not designed to handle a large number of users in the LDAP directory.

  • 0 in reply to

    Hi Achinayoung,


    PAM does work with a large number of objects; it has been tested with at least 100K objects...
    Internally it uses LDAP VLV paging.

    You could check the PAM logs, unifid.log for more details.

    You could also check the browser logs in the Developer Tools >  Network tab to get more details on the Request and response details.

    Regards

    -KPRajesh
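Both replies above amount to the same diagnostic: confirm that the directory server PAM is pointed at actually returns entries for the configured base DN and scope, and that it advertises the controls a VLV-paged browse depends on. The script below is an added example, not code from the thread or from the PAM product. It parses the LDIF that an `ldapsearch -s base -b "" supportedControl` against the rootDSE prints, handles LDIF line folding, and reports whether the server advertises the Virtual List View, server-side sort (which VLV requires) and simple paged results request controls. The control OIDs are the standard ones; the two LDIF samples, the hostnames and the assumption that PAM's browser needs VLV plus sort are constructed for the example.

```python
"""Check an eDirectory/LDAP server's rootDSE for the controls a VLV-paged browse needs.

Added example for the thread above, not PAM's own code.  It works offline on
constructed LDIF; the ldapsearch commands it prints are what you would run
against the real server.
"""
import base64

# Standard request-control OIDs (not PAM-specific).  The assumption that PAM's
# browser needs VLV together with server-side sort comes from the reply above
# ("internally it uses LDAP VLV paging") plus the VLV draft, which requires a
# sort control on every VLV request.
VLV_REQUEST = "2.16.840.1.113730.3.4.9"      # Virtual List View request
SERVER_SIDE_SORT = "1.2.840.113556.1.4.473"  # RFC 2891 server-side sort
SIMPLE_PAGED = "1.2.840.113556.1.4.319"      # RFC 2696 simple paged results

# Constructed sample: the kind of output ldapsearch prints for the rootDSE of a
# server that supports everything.  The folded VLV line (continuation line
# starting with a space) is deliberate, to exercise the unfolding logic.
SAMPLE_NEW_SERVER_LDIF = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.
 9
supportedControl: 1.2.840.113556.1.4.473
"""

# Constructed sample: a server that only advertises paged results, not VLV/sort.
SAMPLE_OLD_SERVER_LDIF = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.2.840.113556.1.4.319
"""


def unfold_ldif(ldif: str) -> list[str]:
    """Join LDIF continuation lines: a leading space means 'continue previous line'."""
    lines: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def supported_controls(ldif: str) -> set[str]:
    """Return the set of OIDs listed as supportedControl in a rootDSE LDIF dump."""
    oids: set[str] = set()
    for line in unfold_ldif(ldif):
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "supportedcontrol":
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        oids.add(value.strip())
    return oids


def browse_support(oids: set[str]) -> dict[str, bool]:
    """Which of the three browse-related request controls the server advertises."""
    return {
        "vlv": VLV_REQUEST in oids,
        "server_side_sort": SERVER_SIDE_SORT in oids,
        "paged_results": SIMPLE_PAGED in oids,
    }


def vlv_browsing_ok(oids: set[str]) -> bool:
    """VLV is only usable when the server also supports server-side sort."""
    support = browse_support(oids)
    return support["vlv"] and support["server_side_sort"]


def diagnostic_commands(host: str, base_dn: str) -> list[str]:
    """ldapsearch invocations mirroring the two steps suggested in the thread.

    Hostname and base DN are caller-supplied; add -D/-W for an authenticated bind.
    """
    return [
        # rootDSE: feed this output to supported_controls()
        f'ldapsearch -x -H ldap://{host} -s base -b "" supportedControl',
        # scope 'one': immediate children of the base DN only (what the user saw)
        f'ldapsearch -x -H ldap://{host} -s one -b "{base_dn}" -z 20 dn',
        # scope 'sub': the whole subtree, capped so a 400k-entry OU does not flood the terminal
        f'ldapsearch -x -H ldap://{host} -s sub -b "{base_dn}" -z 20 dn',
    ]


if __name__ == "__main__":
    for label, ldif in (("new server", SAMPLE_NEW_SERVER_LDIF),
                        ("old server", SAMPLE_OLD_SERVER_LDIF)):
        oids = supported_controls(ldif)
        print(f"{label}: {browse_support(oids)} -> VLV browse OK: {vlv_browsing_ok(oids)}")
    for cmd in diagnostic_commands("edir.example.com", "ou=users,o=example"):
        print(cmd)
```

Run the first command against each candidate directory host and paste its output into `supported_controls()`; a server that lacks VLV or sort will make a VLV-paged browse stall or fall back, which is one way a "wrong server" misconfiguration like the one resolved at the end of this thread shows up as an endless spinner rather than an error.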

  • 0 in reply to

    Found the problem. I was querying against the old eDirectory server. Once I switched to the new eDirectory server, the users appeared in <10s. Thank you for your time!