Redundant LDAP Operations with OSP

Our organization uses Advanced Authentication in combination with Access Manager for step-up authentication. The methods we use are the NetIQ Smartphone app, TOTP, and HOTP. In this configuration, we use Advanced Authentication only for the 'OAuth-based' integration with NetIQ Access Manager, where the user is redirected to the OSP of Advanced Authentication for step-up authentication (using one of the methods mentioned above). As a back-end, we use a clustered eDirectory environment.

We average around 70,000 authentications per day via this 'OAuth-based' integration. We have found that one authentication, for example with TOTP, results in 21 LDAP bind operations on the back-end.

A quick calculation shows that we need to process around 1.4 million bind (query and unbind) operations per day.

When we increase the LDAP trace, we see that many queries for a single authentication (via OSP) are the same or "redundant".

I wonder if others have observed this behavior as well and/or have ideas on how to reduce the load on LDAP back-ends.

This behavior has been observed on version 6.4.2.1, and I am aware that version 6.4.3.2 has been released, but the release notes do not mention any specific improvements regarding the LDAP implementation.

  • 0 in reply to   

    Hi Luciano,

    That’s good news! Although the release notes do not mention it, it’s great to hear that improvements have been made to the LDAP operations. Can you provide more insights into these improvements?

  • 0 in reply to   

    Hi Luciano,

    I’ve upgraded a test environment to version 6.4.3.2, but the number of LDAP bind operations per OSP login remains the same. Additionally, the previously mentioned number of 21 was incorrect; it is actually 14 bind/query/unbind operations per OSP login. We use OSP only for step-up authentication, so I’m unsure why there needs to be so much communication with the LDAP repository.

    As mentioned earlier, this behavior is putting a significant load on our LDAP repository back-end nodes. Do you have any idea how we can reduce this to more manageable levels? The configured user for the repository can maintain a pool of connections where the bind has already occurred. It’s not necessary to unbind and rebind after each query operation.
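The reply above argues that the repository's configured user could keep a pool of already-bound connections instead of binding and unbinding around every query. The following added example (not code from the thread, from Advanced Authentication or from OSP) models that argument against a stand-in directory that only counts operations: pattern (a) binds, searches and unbinds for every single lookup, as the trace described in the thread suggests; pattern (b) borrows a connection that was bound once with the service account and answers identical queries within one login from a per-login cache. The directory entries, the service account `cn=aauth-svc,...`, its password and the 14-query login sequence are all constructed for the example. Fewer service-account binds also means fewer credential transmissions and a quieter bind log, so a genuine bind storm stands out more clearly.

```python
"""Models per-login LDAP cost: bind/search/unbind per query (a) versus a pool
of connections bound once and reused, with in-login query de-duplication (b).
All entries, names and queries are constructed for this example."""
from collections import Counter

# Constructed stand-in for the eDirectory back-end: speaks no LDAP, only
# counts the bind / search / unbind operations that reach it.
class FakeDirectory:
    def __init__(self, entries):
        self.entries, self.ops = entries, Counter()

    def bind(self, dn, password):
        self.ops["bind"] += 1
        return self.entries.get(dn, {}).get("userPassword") == password

    def search(self, base, attr, value):
        self.ops["search"] += 1
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and e.get(attr) == value]

    def unbind(self):
        self.ops["unbind"] += 1


class Connection:
    """One client connection; remembers whether its bind already happened."""
    def __init__(self, directory, dn, password):
        self.directory, self.dn, self.password, self.bound = directory, dn, password, False

    def bind(self):
        if self.bound:                     # already bound: send nothing
            return
        if not self.directory.bind(self.dn, self.password):
            raise PermissionError("service account bind failed")
        self.bound = True

    def search(self, query):
        if not self.bound:
            raise RuntimeError("search on an unbound connection")
        return self.directory.search(*query)

    def unbind(self):
        if self.bound:
            self.directory.unbind()
            self.bound = False


class BoundPool:
    """Connections bound once at start-up and handed to logins in turn."""
    def __init__(self, directory, dn, password, size):
        self._free = []
        for _ in range(size):
            conn = Connection(directory, dn, password)
            conn.bind()
            self._free.append(conn)

    def acquire(self):
        conn = self._free.pop()
        conn.bind()                        # no-op unless the connection was lost
        return conn

    def release(self, conn):
        self._free.append(conn)


# Constructed directory content; SVC_* is the repository's configured user.
SVC_DN, SVC_PW = "cn=aauth-svc,ou=services,o=corp", "constructed-example-secret"
ENTRIES = {
    SVC_DN: {"cn": "aauth-svc", "userPassword": SVC_PW},
    "cn=alice,ou=users,o=corp": {"cn": "alice", "mail": "alice@example.test"},
    "cn=mfa-users,ou=groups,o=corp": {"cn": "mfa-users",
                                      "member": "cn=alice,ou=users,o=corp"},
}
# Constructed approximation of one step-up login: 14 lookups, only 3 distinct,
# mirroring the repeated queries the thread reports in the LDAP trace.
USER = ("ou=users,o=corp", "cn", "alice")
MAIL = ("ou=users,o=corp", "mail", "alice@example.test")
GROUP = ("ou=groups,o=corp", "member", "cn=alice,ou=users,o=corp")
STEP_UP_QUERIES = [USER, USER, MAIL, USER, GROUP, USER, USER,
                   GROUP, USER, MAIL, USER, GROUP, USER, USER]


def login_bind_per_query(directory, queries):
    """Pattern (a): fresh bind and unbind around every single query."""
    for query in queries:
        conn = Connection(directory, SVC_DN, SVC_PW)
        conn.bind()
        conn.search(query)
        conn.unbind()


def login_pooled(pool, queries):
    """Pattern (b): pre-bound connection; repeated queries are served from a
    per-login cache and never reach the directory a second time."""
    conn = pool.acquire()
    try:
        seen = {}
        for query in queries:
            if query not in seen:
                seen[query] = conn.search(query)
    finally:
        pool.release(conn)


def measure(logins, pooled):
    """Run `logins` step-up logins; return the operation counts the directory saw."""
    directory = FakeDirectory(ENTRIES)
    if pooled:
        pool = BoundPool(directory, SVC_DN, SVC_PW, size=4)
        for _ in range(logins):
            login_pooled(pool, STEP_UP_QUERIES)
    else:
        for _ in range(logins):
            login_bind_per_query(directory, STEP_UP_QUERIES)
    return directory.ops


if __name__ == "__main__":
    for pooled in (False, True):
        print("pooled" if pooled else "bind per query", dict(measure(70_000, pooled)))
```

With the thread's 70,000 logins a day, pattern (a) produces 14 binds, 14 searches and 14 unbinds per login; pattern (b) binds only when the pool is created and sends one search per distinct query, so the daily bind count collapses from roughly a million to the pool size. The pool here is single-threaded for clarity; a real implementation would also validate a borrowed connection and rebind if the server dropped it, which is what the `conn.bind()` in `acquire` stands for.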