Redundant LDAP Operations with OSP

Our organization uses Advanced Authentication in combination with Access Manager for step-up authentication. The methods we use are the NetIQ Smartphone app, TOTP, and HOTP. In this configuration, we use Advanced Authentication only for the 'OAuth-based' integration with NetIQ Access Manager, where the user is redirected to the OSP of Advanced Authentication for step-up authentication (using one of the methods mentioned above). As a back-end, we use a clustered eDirectory environment.

We average around 70,000 authentications per day via this 'OAuth-based' integration. We have found that one authentication, for example with TOTP, results in 21 LDAP bind operations on the back-end.

A quick calculation shows that we need to process around 1.4 million bind (query and unbind) operations per day.

When we increase the LDAP trace, we see that many queries for a single authentication (via OSP) are the same or "redundant".

I wonder if others have observed this behavior as well and/or have ideas on how to reduce the load on LDAP back-ends.

This behavior has been observed on version 6.4.2.1, and I am aware that version 6.4.3.2 has been released, but the release notes do not mention any specific improvements regarding the LDAP implementation.
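One way to quantify what the increased LDAP trace shows, as an added example that is not code from this post or from the Advanced Authentication product: a small Python script that counts bind/search/unbind operations per login and flags searches that repeat an identical base and filter. The slapd-style trace layout, connection numbers and DNs below are constructed for the example and are not a real eDirectory trace.

```python
import re
from collections import Counter

# Constructed, simplified trace of one step-up login for user "tom":
# the service account binds, searches, and unbinds on every connection.
SAMPLE_TRACE = """\
conn=101 op=0 BIND dn="cn=aaservice,o=example"
conn=101 op=1 SEARCH base="o=example" filter="(cn=tom)"
conn=101 op=2 UNBIND
conn=102 op=0 BIND dn="cn=aaservice,o=example"
conn=102 op=1 SEARCH base="o=example" filter="(cn=tom)"
conn=102 op=2 UNBIND
conn=103 op=0 BIND dn="cn=aaservice,o=example"
conn=103 op=1 SEARCH base="cn=tom,o=example" filter="(objectClass=*)"
conn=103 op=2 UNBIND
"""

LINE_RE = re.compile(r'conn=(\d+)\s+op=(\d+)\s+(BIND|SEARCH|UNBIND)(?:\s+(.*))?')

def parse_trace(text):
    """Return (conn, optype, detail) tuples for every recognised trace line."""
    ops = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ops.append((int(m.group(1)), m.group(3), (m.group(4) or "").strip()))
    return ops

def summarize(ops):
    """Count operations per type and how many searches repeat an identical
    base/filter: those repeats are the 'redundant' queries seen per login."""
    by_type = Counter(op for _, op, _ in ops)
    searches = Counter(detail for _, op, detail in ops if op == "SEARCH")
    return {
        "binds": by_type["BIND"],
        "searches": by_type["SEARCH"],
        "unbinds": by_type["UNBIND"],
        "distinct_searches": len(searches),
        "redundant_searches": sum(n - 1 for n in searches.values() if n > 1),
        "connections": len({conn for conn, _, _ in ops}),
        # Binds a pooled, already-bound connection would avoid:
        # every bind of the service account after the first one.
        "avoidable_binds": max(by_type["BIND"] - 1, 0),
    }

def daily_bind_load(binds_per_login, logins_per_day=70_000):
    """Scale per-login binds to a daily total, as the post's estimate does."""
    return binds_per_login * logins_per_day
```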

  • Suggested Answer

    Hello Tom,

    6.4.3.x has been improved in terms of these operations.

    My advice is to plan an upgrade or test it in a test environment first.

    Thanks.

    Regards,

    Luciano Testa

  • Reply

    Hi Luciano,

    I’ve upgraded a test environment to version 6.4.3.2, but the number of LDAP bind operations per OSP login remains the same. Additionally, the previously mentioned number of 21 was incorrect; it is actually 14 bind/query/unbind operations per OSP login. We use OSP only for step-up authentication, so I’m unsure why there needs to be so much communication with the LDAP repository.

    As mentioned earlier, this behavior is putting a significant load on our LDAP repository back-end nodes. Do you have any idea how we can reduce this to more manageable levels? The configured user for the repository can maintain a pool of connections where the bind has already occurred. It’s not necessary to unbind and rebind after each query operation.

  • Reply

    Hi Tom,

    I confirmed with Development that the OSP does not perform LDAP operations with AA. It's AA that does that.

    In any case, can we get a set of logs? Perhaps you can open a ticket with TS and we can follow up there.

    Thanks.

    Regards,

    Luciano Testa

  • Reply

    Hi Luciano,

    Thank you for your response!

    The fact that OSP itself does not make direct calls to the LDAP backend was so implicit for me that I didn’t mention it. Of course, the interaction with the LDAP backend happens via Aucore, and OSP uses the Aucore API.

    I focused specifically on OSP, but it’s possible that the usual flow (Create Endpoint > Get Chains > Logon > Login) could result in multiple calls to the LDAP backend.

    I will further extend the test setup with our own implementations to see if I can link the number of LDAP backend calls to the specific API calls. I’ll compile this information along with the OSP logs, and for that, I will create an SR.
