Redundant LDAP Operations with OSP

Our organization uses Advanced Authentication in combination with Access Manager for step-up authentication. The methods we use are the NetIQ Smartphone app, TOTP, and HOTP. In this configuration, we use Advanced Authentication only for the 'OAuth-based' integration with NetIQ Access Manager, where the user is redirected to the OSP of Advanced Authentication for step-up authentication (using one of the methods mentioned above). As a back-end, we use a clustered eDirectory environment.

We average around 70,000 authentications per day via this 'OAuth-based' integration. We have found that one authentication, for example with TOTP, results in 21 LDAP bind operations on the back-end.

A quick calculation shows that we need to process around 1.4 million bind (query and unbind) operations per day.

When we increase the LDAP trace, we see that many queries for a single authentication (via OSP) are the same or "redundant".

I wonder if others have observed this behavior as well and/or have ideas on how to reduce the load on LDAP back-ends.

This behavior has been observed on version 6.4.2.1, and I am aware that version 6.4.3.2 has been released, but the release notes do not mention any specific improvements regarding the LDAP implementation.
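The post above counts bind operations by reading an LDAP trace by hand. As an added example that is not part of the original thread or of any NetIQ/OpenText product, the script below does the same thing on a constructed trace: it parses one line per LDAP operation, counts bind/search/unbind operations, flags searches that are issued more than once with identical base, scope, filter and attribute list (the "redundant" queries the post describes), and projects the daily bind count from the per-authentication figure. The line format (`conn=<n> op=<n> BIND|SRCH|UNBIND key=value ...`), the service-account DN `cn=aaf-svc,o=acme` and the sample lines are all assumptions for this example, not real eDirectory or Advanced Authentication output; to use it on a real trace you would adapt `LINE_RE` and `KV_RE` to that trace's format.

```python
import re
from collections import Counter


# Constructed sample trace for ONE authentication. The "conn/op/operation"
# access-log style, the DNs and the attribute names are assumptions for this
# example, not real eDirectory ndstrace or Advanced Authentication output.
SAMPLE_TRACE = """\
conn=1 op=0 BIND dn="cn=aaf-svc,o=acme"
conn=1 op=1 SRCH base="o=acme" scope=sub filter="(cn=jdoe)" attrs="cn,mail"
conn=1 op=2 UNBIND
conn=2 op=0 BIND dn="cn=aaf-svc,o=acme"
conn=2 op=1 SRCH base="o=acme" scope=sub filter="(cn=jdoe)" attrs="cn,mail"
conn=2 op=2 UNBIND
conn=3 op=0 BIND dn="cn=aaf-svc,o=acme"
conn=3 op=1 SRCH base="cn=jdoe,ou=users,o=acme" scope=base filter="(objectClass=*)" attrs="memberOf"
conn=3 op=2 SRCH base="o=acme" scope=sub filter="(cn=jdoe)" attrs="cn,mail"
conn=3 op=3 UNBIND
"""

# One trace line: connection id, operation number, operation kind, then fields.
LINE_RE = re.compile(
    r'^conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>BIND|SRCH|UNBIND)(?P<rest>.*)$'
)
# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_trace(text):
    """Return one dict per LDAP operation: conn, op, kind and any key=value fields."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not LDAP operations
        rec = {"conn": int(m["conn"]), "op": int(m["op"]), "kind": m["kind"]}
        for q_key, q_val, b_key, b_val in KV_RE.findall(m["rest"]):
            rec[q_key or b_key] = q_val if q_key else b_val
        records.append(rec)
    return records


def count_ops(records):
    """Count BIND / SRCH / UNBIND operations across the whole trace."""
    return Counter(r["kind"] for r in records)


def _search_key(rec):
    return (rec.get("base"), rec.get("scope"), rec.get("filter"), rec.get("attrs"))


def redundant_searches(records):
    """Searches repeated with identical base, scope, filter and attributes.

    All connections in the trace belong to one authentication, so an identical
    search repeated across them is work a per-request cache could have avoided.
    Returns [(search_key, occurrences), ...] sorted by occurrences, descending.
    """
    seen = Counter(_search_key(r) for r in records if r["kind"] == "SRCH")
    return sorted(((k, n) for k, n in seen.items() if n > 1), key=lambda kn: -kn[1])


def binds_per_day(binds_per_auth, auths_per_day):
    """Project daily back-end bind load from the binds seen in one traced authentication."""
    return binds_per_auth * auths_per_day


def summarize(text, auths_per_day=70_000):
    """Summarize one authentication's trace and its projected daily bind load."""
    records = parse_trace(text)
    ops = count_ops(records)
    return {
        "ops": dict(ops),
        "connections": len({r["conn"] for r in records}),
        "redundant": redundant_searches(records),
        "binds_per_day": binds_per_day(ops["BIND"], auths_per_day),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_TRACE), indent=2))
```

Run it against a trace captured for a single step-up authentication; the `redundant` list is the part worth raising with the vendor, since each entry there is a search (and, with the bind-per-query pattern shown in the sample, a bind and unbind around it) that returned the same data to the same client within one request.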

  • 0

    We had experienced severe performance issues due to LDAP operations. It turned out that it had to do with groups - we have hundreds of groups in eDirectory and each user has up to about 50 group memberships. This caused user search operations from AA in LDAP to take nearly 20s or time out after 20s.

    Our workaround was to put the few groups we need in AA in a separate container, and limit the scope where AA looks for groups to this container.

    Is what you are observing possibly related to groups too?

  • 0 in reply to 

    That’s correct; we faced the same issue in the early versions of AAF (5.x), which prompted us to discontinue the use of groups entirely. We haven’t defined any search-based criteria for groups. In this context, the main concern is the extensive number of bind, query, and unbind operations required to retrieve user data.
