000013259 - AXM- How to Improve LDAP Performance by Reducing Admin Group Lookups

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000013259

Applies To:
Access Manager 6.0.4
ClearTrust 5.5.3
Default Administrative Group Exists as ONLY Administrative Group

Issue: AXM- How to Improve LDAP Performance by Reducing Admin Group Lookups
Sporadic outages occur under high authentication traffic, with very high CPU utilization that RSA debug logging traces to admin group lookups.

Cause: The parameter "cleartrust.data.ldap.user.add_to_default_admin_group" was introduced via the hotfix process to both CT 5.5.X and AxM 6.0X. This setting resides in ldap.conf. It changes the previous behavior, in which users were saved to the default administrative group by default. Also, during authentication, instead of the server performing lookups for users against the default administrative group (which can be resource intensive with a very large group), the lookup occurs against the indexed attribute ctscPublicMemberList/ctscPrivateMemberList.

Resolution: When this setting is set to FALSE, the original integrity of the function is maintained, but performance is greatly increased because the AServer bypasses searching large administrative groups. This functionality was originally added as a hot fix to both the RSA ClearTrust and Access Manager products. Contact RSA Customer Support and request Hot Fix ClearTrust  or Access Manager or later, noting that all hot fixes are cumulative.

The format for enabling this feature in ldap.conf is:

cleartrust.data.ldap.user.add_to_default_admin_group  :false

Legacy Article ID: a44100