Redundant LDAP Operations with OSP

Our organization uses Advanced Authentication in combination with Access Manager for step-up authentication. The methods we use are the NetIQ Smartphone app, TOTP, and HOTP. In this configuration, we use Advanced Authentication only for the 'OAuth-based' integration with NetIQ Access Manager, where the user is redirected to the OSP of Advanced Authentication for step-up authentication (using one of the methods mentioned above). As a back-end, we use a clustered eDirectory environment.

We average around 70,000 authentications per day via this 'OAuth-based' integration. We have found that one authentication, for example with TOTP, results in 21 LDAP bind operations on the back-end.

A quick calculation shows that we need to process around 1.4 million bind (query and unbind) operations per day.

When we increase the LDAP trace, we see that many queries for a single authentication (via OSP) are the same or "redundant".

I wonder if others have observed this behavior as well and/or have ideas on how to reduce the load on LDAP back-ends.

This behavior has been observed on version 6.4.2.1, and I am aware that version 6.4.3.2 has been released, but the release notes do not mention any specific improvements regarding the LDAP implementation.
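To quantify the kind of redundancy the post describes from a raw trace, the following is an added Python example (not part of this thread and not Advanced Authentication or eDirectory code): it parses a constructed, simplified trace format (an assumption; real eDirectory LDAP trace output differs) and reports how many bind/unbind operations a single login generated and which searches were repeated verbatim.

```python
import re
from collections import Counter

# Constructed sample trace for one OSP login (not real eDirectory output):
# each line carries a connection id, the operation and, for searches, the
# base DN, scope and filter. Four short-lived connections, three identical searches.
SAMPLE_TRACE = """\
conn=101 op=0 BIND dn="cn=aa-svc,o=org"
conn=101 op=1 SEARCH base="o=org" scope=sub filter="(cn=jdoe)"
conn=101 op=2 UNBIND
conn=102 op=0 BIND dn="cn=aa-svc,o=org"
conn=102 op=1 SEARCH base="o=org" scope=sub filter="(cn=jdoe)"
conn=102 op=2 UNBIND
conn=103 op=0 BIND dn="cn=aa-svc,o=org"
conn=103 op=1 SEARCH base="cn=jdoe,ou=users,o=org" scope=base filter="(objectClass=*)"
conn=103 op=2 UNBIND
conn=104 op=0 BIND dn="cn=aa-svc,o=org"
conn=104 op=1 SEARCH base="o=org" scope=sub filter="(cn=jdoe)"
conn=104 op=2 UNBIND
"""

LINE_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SEARCH|UNBIND)(.*)')
# key="quoted value" or key=bareword
ATTR_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_trace(text):
    """Yield (conn, operation, attrs) for each recognised trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not LDAP operations
        attrs = {}
        for k1, v1, k2, v2 in ATTR_RE.findall(m.group(4)):
            attrs[k1 or k2] = v1 if k1 else v2
        yield m.group(1), m.group(3), attrs


def summarize(text):
    """Count binds/unbinds/searches and list searches repeated verbatim."""
    ops = Counter()
    searches = Counter()
    for _conn, op, attrs in parse_trace(text):
        ops[op] += 1
        if op == "SEARCH":
            searches[(attrs.get("base"), attrs.get("scope"), attrs.get("filter"))] += 1
    return {
        "binds": ops["BIND"],
        "unbinds": ops["UNBIND"],
        "searches": ops["SEARCH"],
        "distinct_searches": len(searches),
        # every search beyond the first identical one is avoidable work
        "redundant": {k: n for k, n in searches.items() if n > 1},
    }
```

Run it against a real trace by adapting the two regexes to the actual line format; the bind count versus distinct-search count shows how much a single pooled, pre-bound connection would save.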

  • Suggested Answer

    Hello Tom,

    6.4.3.x has been improved in terms of these operations.

    My advice is to plan an upgrade or test it in a test environment first.

    Thanks.

    Regards,

    Luciano Testa

  • Reply

    Hi Luciano,

    I’ve upgraded a test environment to version 6.4.3.2, but the number of LDAP bind operations per OSP login remains the same. Additionally, the previously mentioned number of 21 was incorrect; it is actually 14 bind/query/unbind operations per OSP login. We use OSP only for step-up authentication, so I’m unsure why there needs to be so much communication with the LDAP repository.

    As mentioned earlier, this behavior is putting a significant load on our LDAP repository back-end nodes. Do you have any idea how we can reduce this to more manageable levels? The configured user for the repository can maintain a pool of connections where the bind has already occurred. It’s not necessary to unbind and rebind after each query operation.
