|Applies To||Access Manager 6.0.4|
Default Administrative Group Exists as ONLY Administrative Group
|Issue||AXM- How to Improve LDAP Performance by Reducing Admin Group Lookups|
Sporadic outages occur under high authentication traffic, with very high CPU utilization that RSA debug logging traces to admin group lookups.
|Cause||The parameter "cleartrust.data.ldap.user.add_to_default_admin_group" was introduced via the hotfix process to both CT 5.5.X and AxM 6.0X. The setting resides in ldap.conf. It changes the previous behavior, in which users were saved to the default administrative group by default. In addition, during authentication the server no longer performs lookups for users against the default administrative group (which can be resource intensive with a very large group); the lookup instead occurs against the indexed attribute ctscPublicMemberList/ctscPrivateMemberList.|
|Resolution||When this setting is set to FALSE, the original integrity of the function is maintained, but performance is greatly increased because the AServer can bypass searching large administrative groups. This functionality was originally added as a hot fix to both the RSA ClearTrust and Access Manager products. Contact RSA Customer Support and request Hot Fix ClearTrust 220.127.116.11 or Access Manager 6.0.4.02 or later; all hot fixes are cumulative.|
The format for setting this feature on in ldap.conf is:
|Legacy Article ID||a44100|