|Applies To||RSA ClearTrust 5.5.3 Authorization Server (AServer)|
iPlanet 5.1 Directory Server
Microsoft Active Directory 2003
|Issue||What does it mean if "LDAP search" appears in LDAP log files when using RSA ClearTrust?|
LDAP log files show many searches like the following: SRCH base="ou=groups,ou=people,dc=rsa.com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=""
|Resolution||This behavior is part of the normal RSA ClearTrust LDAP failover mechanism. When cleartrust.data.ldap.directory.ad-bind-primary.connection.validate_on_reserve is set to true, ClearTrust executes a dummy query before checking out a socket from the connection pool. The query is a read of the baseDN configured in the ldap.conf file. This results in the following entry in your iPlanet log files:|
SRCH base="ou=groups,ou=people,dc=rsa.com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=""
The cost of this search is minor; it is used only to confirm that the socket is available before the real search is run. Normally this search should be served from the LDAP cache and should not require a direct fetch from the datastore.
The RSA ClearTrust Performance and Tuning Guide states the following:
Note: If the database in use is stable and has a reliable connection to the Authorization Server, consider changing the value of the .connection.validate_on_reserve parameter from true (default) to false. If there is a high latency between the database and the Authorization Server, this change may potentially boost performance.
If you wish to disable these additional queries, set cleartrust.data.ldap.directory.ad-bind-primary.connection.validate_on_reserve to false in the ldap.conf file.
Disabling this feature may adversely affect failover to an alternate datastore. Disabling this setting is not recommended if you have a firewall between the AServer and LDAP datastores, or if the connection is over an unreliable WAN link between remote sites.
NOTE: The cleartrust.data.ldap.directory.ad-bind-primary.connection.validate_on_reserve setting was introduced in RSA ClearTrust hot fix 188.8.131.52
|Legacy Article ID||a26833|
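When reviewing the directory access log, it helps to separate these connection-validation reads from real searches. The following is an added example, not code from the article or from RSA, that classifies SRCH records. The `[timestamp] conn= op=` prefix, the sample lines and the function names are assumptions constructed for illustration; the base DN, scope and filter are the ones quoted above.

```python
import re
from collections import Counter

# Base DN and filter of the probe, as quoted in the article.
BASE_DN = "ou=groups,ou=people,dc=rsa.com"
PROBE_FILTER = "(|(objectClass=*)(objectClass=ldapsubentry))"

# Assumed access-log layout: "[timestamp] conn=N op=N SRCH base=... scope=... filter=... attrs=..."
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=\d+ SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)" attrs=(?P<attrs>.*)$'
)

def is_validation_probe(m, base_dn=BASE_DN):
    """True only for the scope=0 read of the base DN with the probe filter and no attrs."""
    return (m["base"].lower() == base_dn.lower() and m["scope"] == "0"
            and m["filter"] == PROBE_FILTER and m["attrs"].strip() == '""')

def summarize(lines, base_dn=BASE_DN):
    """Return (probe count per connection, list of all other searches)."""
    probes, other = Counter(), []
    for line in lines:
        m = SRCH_RE.search(line)
        if m is None:
            continue  # RESULT, BIND and other non-search records
        if is_validation_probe(m, base_dn):
            probes[m["conn"]] += 1
        else:
            other.append((m["conn"], m["base"], m["scope"], m["filter"]))
    return probes, other

# Constructed sample: three probes, one user lookup, and one subtree search that
# reuses the probe filter but is NOT the probe (scope=2, attrs=ALL).
_P = 'SRCH base="%s" scope=0 filter="%s" attrs=""' % (BASE_DN, PROBE_FILTER)
SAMPLE_LOG = [
    '[12/Mar/2007:10:15:01 -0500] conn=41 op=7 ' + _P,
    '[12/Mar/2007:10:15:01 -0500] conn=41 op=7 RESULT err=0 tag=101 nentries=1 etime=0',
    '[12/Mar/2007:10:15:01 -0500] conn=41 op=8 SRCH base="%s" scope=2 filter="(uid=jdoe)" attrs="cn mail"' % BASE_DN,
    '[12/Mar/2007:10:15:02 -0500] conn=42 op=3 ' + _P,
    '[12/Mar/2007:10:15:03 -0500] conn=41 op=9 ' + _P,
    '[12/Mar/2007:10:15:04 -0500] conn=57 op=1 SRCH base="%s" scope=2 filter="%s" attrs=ALL' % (BASE_DN, PROBE_FILTER),
]

if __name__ == "__main__":
    probes, other = summarize(SAMPLE_LOG)
    print("validation probes per connection:", dict(probes))
    for conn, base, scope, flt in other:
        print("other search: conn=%s scope=%s filter=%s base=%s" % (conn, scope, flt, base))
```

Only the exact base-object read counts as the pool check; a search that reuses the same filter at a wider scope is reported with the other searches so it is not hidden among the probe noise.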