Article Number
000013259
Applies To
Access Manager 6.0.4
ClearTrust 5.5.3
Default Administrative Group Exists as ONLY Administrative Group
Issue
AXM- How to Improve LDAP Performance by Reducing Admin Group Lookups
Sporadic outages occur under high authentication traffic, with very high CPU utilization that RSA debug logging traces to admin group lookups.
Cause
The parameter "cleartrust.data.ldap.user.add_to_default_admin_group" was introduced via the hotfix process to both CT 5.5.X and AxM 6.0X. This setting resides in ldap.conf. It changes the previous behavior, in which users were saved to the default administrative group by default. Also, during authentication, instead of the server performing lookups for users against the default administrative group (which can be resource intensive with a very large group), the lookup occurs against the indexed attribute ctscPublicMemberList/ctscPrivateMemberList.
Resolution
When this setting is set to FALSE, the original integrity of the function is maintained, but performance is greatly increased by allowing the AServer to bypass searching large administrative groups. This functionality was added originally as a hot fix to both the RSA ClearTrust and Access Manager products. Contact RSA Customer Support and request Hot Fix ClearTrust 5.5.3.161 or Access Manager 6.0.4.02 or later, noting all hot fixes are cumulative.
Notes
The format for enabling this feature in ldap.conf is:
cleartrust.data.ldap.user.add_to_default_admin_group :false
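
To confirm what a given ldap.conf actually sets after the change, a check along these lines can be run on each server. This is an added example, not RSA's code. It assumes that lines starting with `#` are comments and that the last occurrence of a repeated parameter is the effective one; the function name and sample file are hypothetical.

```shell
#!/bin/sh
# Added example: report the effective value of the admin-group parameter
# in a ClearTrust / Access Manager ldap.conf.
# Assumptions (not from the article): '#' starts a comment line, and when the
# parameter appears more than once the last occurrence is the effective one.

KEY='cleartrust.data.ldap.user.add_to_default_admin_group'

# Prints "false", "true", "unset", or "invalid:<value>" for the given file.
admin_group_setting() {
    awk -v key="$KEY" '
        /^[ \t]*#/ { next }                  # skip comment lines (assumed syntax)
        {
            line = $0
            sub(/\r$/, "", line)             # tolerate CRLF line endings
            pos = index(line, ":")
            if (pos == 0) next               # not a "name :value" line
            k = substr(line, 1, pos - 1)
            v = substr(line, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)   # trim whitespace around name
            gsub(/^[ \t]+|[ \t]+$/, "", v)   # trim whitespace around value
            if (k == key) { found = 1; val = tolower(v) }
        }
        END {
            if (!found) print "unset"
            else if (val == "false" || val == "true") print val
            else print "invalid:" val
        }
    ' "$1"
}

# Constructed sample file, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample ldap.conf fragment
#cleartrust.data.ldap.user.add_to_default_admin_group :true
cleartrust.data.ldap.user.add_to_default_admin_group :FALSE
EOF

echo "effective setting: $(admin_group_setting "$sample")"
rm -f "$sample"
```

A result of `unset` or `invalid:...` means the file does not contain the line in the format shown above.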