LDAP: Once the user is logged in is there any further communication with LDAP?

We are seeing differences in performance between users authenticated with LDAP vs those with local passwords.  This is not a difference in log-in time.  It is a slower response to every new page or command.
1- Is there further LDAP communication after the user is logged in?
2- Is it possible that the LDAP users are accessing via a slower port?
3- Are there any other factors that could be involved?

Agile User Asked on August 20, 2015 in IT and Networking.
4 Answer(s)

What version of Agile are you running on what infrastructure? In my experience (9.3.1 & 9.3.3 on WebLogic / Linux) login is handled by WebLogic's embedded LDAP function. Approval is done in the Agile application.

There are different configurations for each, so they could be set using different servers / filters and this could account for your performance difference. I would suggest you compare LDAP settings in the Java Client to WebLogic as a starting point.

Agile Angel Answered on August 21, 2015.

Environment:
Agile 9.3.3

Windows 2008 R2

AD-LDS with Optimal’s IDM virtual directory handling LOB authentication

Configuration: URL through an F5 load balancer

Comparative Times:

Search: Select Project: Open Task – LDAP User – 20 sec; Agile User – 10 sec

Search: Select Project, Open Navigator, Expand, Open Task – LDAP User – 28 sec; Agile User – 9 sec

It takes 2-3x longer for an LDAP user than an Agile basic user.

The question keeps coming up: “What LDAP calls are being made?”  Anyone know how to trace or log the LDAP calls Agile makes?

Is anyone using LDAP and not experiencing significant performance hits?

Agile User Answered on August 24, 2015.

You may have your User Base DN and/or Group Base DN pointing too high in the AD hierarchy.
You might want to check the configuration in the Java Client & WebLogic to make sure these are pointing to the right locations in the Active Directory Server.

If the User Base DN and Group Base DN are pointing to the top of the hierarchy rather than where they are actually located in AD – it causes too many unrelated objects to be returned as well as slow performance issues.  Some of the objects can even cause the operation to fail.

Agile Angel Answered on August 31, 2015.
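
The effect of Base DN placement described in the answer above, as an added example that is not part of the original thread and is not Agile or WebLogic code: it runs a subtree search over an in-memory directory from a root-level base and from a specific OU, and counts how many entries fall in scope versus how many are wanted. The suffix, OU names, object classes and entry counts are all constructed for illustration.

```python
"""Added example: effect of User/Group Base DN placement on subtree-search scope."""

ROOT = "dc=example,dc=com"  # constructed suffix, not from the thread


def build_directory():
    """Constructed sample directory (DN -> objectClass); sizes are made up."""
    layout = [
        ("user", "ou=PLM Users,ou=People", "person", 200),
        ("pc", "ou=Computers", "computer", 3000),
        ("contact", "ou=Contacts", "contact", 800),
        ("plmgrp", "ou=PLM Groups,ou=Groups", "group", 20),
        ("dl", "ou=Distribution,ou=Groups", "group", 500),
    ]
    return {
        f"cn={name}{i},{ou},{ROOT}": cls
        for name, ou, cls, count in layout
        for i in range(count)
    }


def rdns(dn):
    """Split a DN into normalised RDNs (sample DNs contain no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(dn, base_dn):
    """True when dn equals base_dn or sits anywhere beneath it."""
    entry, base = rdns(dn), rdns(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def audit_base_dn(directory, base_dn, wanted_class):
    """Count entries a subtree search from base_dn covers vs. the ones wanted."""
    scoped = [cls for dn, cls in directory.items() if in_subtree(dn, base_dn)]
    matches = sum(1 for cls in scoped if cls == wanted_class)
    return {"in_scope": len(scoped), "matches": matches,
            "unrelated": len(scoped) - matches}


if __name__ == "__main__":
    d = build_directory()
    for label, base, cls in [
        ("User Base DN at root", ROOT, "person"),
        ("User Base DN at OU", f"ou=PLM Users,ou=People,{ROOT}", "person"),
        ("Group Base DN at root", ROOT, "group"),
        ("Group Base DN at OU", f"ou=PLM Groups,ou=Groups,{ROOT}", "group"),
    ]:
        print(f"{label:24} {audit_base_dn(d, base, cls)}")
```

A real directory server may use indexes to avoid touching every in-scope entry, so `in_scope` is an upper bound on the work; note that the root-level group search also matches the 500 unrelated distribution groups, which the filter alone cannot exclude.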

What we are seeing from a system trace are 4 actions for every LDAP query and every action is generating an LDAP query.  The actions are:
1- Search for Service account UID  – 0 results
2- Search for UID = returns person 1 results
3- Search for Service account UID  – 0 results
4- Search for Group Membership for person – returns all  members of each group(?) ~1000 results

Where are these queries defined?  How do they get called?  Why?

Agile User Answered on September 9, 2015.
