000022090 - What does it mean if 'LDAP search' appears in LDAP log files when using RSA ClearTrust?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.

Article Number: 000022090

Applies To: RSA ClearTrust 5.5.3 Authorization Server (AServer)
iPlanet 5.1 Directory Server
Microsoft Active Directory 2003

Issue: What does it mean if "LDAP search" appears in LDAP log files when using RSA ClearTrust?

LDAP log files show a large number of searches of the form SRCH base="ou=groups,ou=people,dc=rsa.com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=""

Resolution: This behavior is part of the normal RSA ClearTrust LDAP failover mechanism. When ClearTrust is configured with cleartrust.data.ldap.directory.ad-bind-primary.connection.validate_on_reserve set to true, it executes a dummy query before checking a socket out of the connection pool. The query is a base-level read of the baseDN configured in the ldap.conf file. This results in the following entry in your iPlanet log files:

SRCH base="ou=groups,ou=people,dc=rsa.com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=""

The cost of this search is minor; it is used only to confirm that the socket is usable before the real search is sent. Normally the entry is already in the directory server's cache, so the search does not require a direct fetch from the datastore.
 
The RSA ClearTrust Performance and Tuning Guide states the following:
 
Note: If the database in use is stable and has a reliable connection to the Authorization Server, consider changing the value of the .connection.validate_on_reserve parameter from true (default) to false. If there is a high latency between the database and the Authorization Server, this change may potentially boost performance.

If you wish to disable these additional queries, set the following parameter in the ldap.conf file to false:

    cleartrust.data.ldap.directory.ad-bind-primary.connection.validate_on_reserve=false

Disabling this feature may adversely affect failover to an alternate datastore. Disabling this setting is not recommended if you have a firewall between the AServer and LDAP datastores, or if the connection is over an unreliable WAN link between remote sites.

NOTE: The cleartrust.data.ldap.directory.ad-bind-primary.connection.validate_on_reserve setting was introduced in RSA ClearTrust hot fix 5.0.0.4.
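To measure how much of the access-log search volume is this validation read, and to check whether the setting is still at its default before deciding to change it, here is an added Python example (not RSA's code). It assumes the iPlanet-style access-log line layout shown in the constructed sample and the baseDN and filter quoted in this article.

```python
import re

# Assumed values taken from this article: the baseDN configured in ldap.conf and
# the filter the AServer uses for the validate_on_reserve dummy read.
PROBE_BASE = "ou=groups,ou=people,dc=rsa.com"
PROBE_FILTER = "(|(objectClass=*)(objectClass=ldapsubentry))"

SRCH_RE = re.compile(
    r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
    r'filter="(?P<filter>[^"]*)" attrs="(?P<attrs>[^"]*)"'
)

def is_validate_probe(srch, base_dn=PROBE_BASE):
    """True when a parsed SRCH matches the connection-validation read exactly:
    base-level read (scope=0) of the baseDN, the probe filter, and no attributes."""
    return (srch["base"].lower() == base_dn.lower() and srch["scope"] == "0"
            and srch["filter"] == PROBE_FILTER and srch["attrs"] == "")

def classify_searches(lines, base_dn=PROBE_BASE):
    """Count validate_on_reserve probes versus real searches in access-log lines."""
    probe = real = 0
    for m in filter(None, map(SRCH_RE.search, lines)):  # skips BIND/RESULT/UNBIND lines
        if is_validate_probe(m.groupdict(), base_dn):
            probe += 1
        else:
            real += 1
    total = probe + real
    return {"probe": probe, "real": real, "probe_ratio": probe / total if total else 0.0}

def validate_on_reserve_enabled(conf_text, directory="ad-bind-primary"):
    """Read the setting from ldap.conf text; the article states true is the default."""
    key = f"cleartrust.data.ldap.directory.{directory}.connection.validate_on_reserve="
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith(key):
            return line[len(key):].strip().lower() == "true"
    return True

# Constructed sample access-log lines (not from a real server), iPlanet style.
SAMPLE_LOG = [
    '[14/Jun/2016:10:21:33 -0400] conn=12 op=0 BIND dn="cn=ctadmin,dc=rsa.com" method=128',
    '[14/Jun/2016:10:21:33 -0400] conn=12 op=1 SRCH base="ou=groups,ou=people,dc=rsa.com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=""',
    '[14/Jun/2016:10:21:33 -0400] conn=12 op=2 SRCH base="ou=people,dc=rsa.com" scope=2 filter="(uid=jsmith)" attrs="uid cn memberOf"',
    '[14/Jun/2016:10:21:34 -0400] conn=12 op=3 SRCH base="OU=Groups,OU=People,DC=rsa.com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=""',
    '[14/Jun/2016:10:21:34 -0400] conn=12 op=4 SRCH base="ou=groups,ou=people,dc=rsa.com" scope=0 filter="(objectClass=*)" attrs="cn"',
    '[14/Jun/2016:10:21:35 -0400] conn=12 op=5 SRCH base="ou=groups,ou=people,dc=rsa.com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=""',
]
SAMPLE_CONF = "cleartrust.data.ldap.directory.ad-bind-primary.connection.validate_on_reserve=false\n"
```

A probe ratio close to one with few real searches means the pool is being validated far more often than it is used, which is the situation the tuning note above is aimed at; a firewall or WAN link between the AServer and the datastore still argues for leaving the setting at true.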
Legacy Article ID: a26833
