Active Directory collection taking time
Hi All,
I have integrated AD with RSA IGL and noticed that the AD IDC/ADC is taking time.
e.g. collecting a total of only 18 users (1 new user, no other changes) took 6 min.
I have to collect around 25K users/accounts from AD, and I am not sure how much time it is going to take.
Note: ping response from IGL to AD is 2-4 ms
Any suggestion how AD collection can be improved? Also, how does the AD collector work: will it iterate over all the users/accounts in AD or only the changed ones?
Regards,
Pankaj
Hi Pankaj,
That response time from your AD Domain Controller seems pretty high, which would explain the high collection times.
Are there other domain controllers within your Active Domain environment you could test to see if you are seeing similar response times?
There are multiple reasons why you may be experiencing these response times, such as DNS config or even just physical distance between the servers. I had a customer with an IGL server based in the UK trying to retrieve data from a DC in the US, and the collection times were reduced massively by using a DC in the UK. I would troubleshoot this with your network guys first to try and get those ping times down, and you will see a massive drop in collection time. 25k accounts will be no problem for IGL.
Regarding the AD Collector and collectors in general: All collectors collect ALL accounts and permissions, not changes/deltas and AD works via LDAP.
Kind regards,
Craig
Yes, find a better domain controller to connect to, or even stand up one specifically for the collections.
Do you have a data flow from AD-IDAM and vice versa? The customer is asking for the same in order to understand it.
Can you ask them to be more specific in exactly what it is they are looking for when they say data flow?
The AD collector is using basic LDAP queries to return data on users and groups. The exact filter on the query will be in the collector config and will be behaving no differently to running these queries using something like LDAP Browser to query the DC.
This feels like a secondary issue - if they don't resolve the fact ping responses between the app server and the DC are 2-3 mins then it doesn't matter how simple or complex the LDAP query is.
What they want is how data is collected from AD-IDAM.
Also the ping response is 2-3 ms (milliseconds) not minutes.
Sorry, I misread that, Pankaj, but I do agree the time for collecting 18 accounts is definitely too high.
Have you shared this guide with the customer: https://community.rsa.com/docs/DOC-36771
Thanks, sure, but I don't think that is going to help them.
Anyway, any idea how much time it generally takes to collect 20K accounts and 200 groups + their members in RSA?
What are you using for your User Base DN? If you are pointing this to the root of the directory you may be asking AD to search through millions of records to find the 18 users.
The User Base DN should point to the object containing the users, and not the root of the server.
If you wish to collect from multiple containers you may need to use separate collectors.
You can also bind to the Global Catalog domain (with some limitations) to get AD users if you must collect across multiple domains and have no other solutions.
You can see the actual response time from AD for the search query if you do a tcpdump packet capture (best done using non-SSL mode) and inspect the LDAP request and response.
You can also test this out of band using the ldapsearch command (installed on our appliances by default).
For example the following command emulates a typical search for 1000 users that would be generated by RSA IG&L.
ldapsearch -h 192.168.10.10 -p 389 -D '2k8r2-vcloud\administrator' -w password -z 1000 -b 'ou=vcloud users,dc=2k8r2-vcloud,dc=local' '(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=*))' mail givenName objectGUID sn department title sAMAccountName
