Authenticating Harvest users over LDAP is taking too long. How can we make LDAP authentication work more efficiently?

Document ID : KB000055234
Last Modified Date : 14/02/2018

Description:

My LDAP authentications are taking 90 seconds each, or more. This is causing a huge problem with the performance of Harvest. We need to make this as efficient as possible.

The solution below describes how refining the ldapbasedn and ldapfilter parameters can improve the efficiency of the LDAP queries.

Additional information about configuring Harvest for LDAP authentication can be found in the Administrator's Guide and the Installation Guide.

Information about HAUTHTST can be found in the Reference Guide.

LDAP stands for Lightweight Directory Access Protocol and is a set of standards by which end user applications and user authentication servers (such as Microsoft's Active Directory) can communicate and share information. A good overview of LDAP, including links to sites with more information, can be found at http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol .

Solution:

You can have a big impact on the efficiency of your LDAP queries by refining your ldapbasedn and ldapfilter parameters. Here's how:

ldapfilter : By creating more complexity in the filter you write, you can 'rule out' records in the directory that don't need to be searched.

  • '(&(condition-A...)(condition-B...))' means that both condition-A and condition-B must be true for a record to make it through the filter

  • '(|(condition-A...)(condition-B...))' means that either condition-A or condition-B must be true for a record to make it through the filter

  • '(!(condition-A))' means that condition-A must not be true for a record to make it through the filter

ldapbasedn : By specifying multiple basedn's, you can 'rule out' big chunks of your directory and zero in on the sections you need to search. You can specify multiple basedn's by separating each one with a ';' within the ldapbasedn string. An example would look like this:

  • ldapbasedn="ou=users,ou= north america ,dc=ca,dc=com;ou=users,ou=my department,dc=abc,dc=com;ou=users,ou=your department,dc=abc,dc=com;ou=users,ou=their department,dc=abc,dc=com;ou=users,ou=anyones department,dc=abc,dc=com"
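The following script is an added example, not part of this document or of the Harvest product, showing how the AND/OR/NOT filter forms above can be composed from attribute tests and how a ';'-separated ldapbasedn string splits into the individual search bases. The organizational units, attribute names and user values in it are constructed for illustration; values taken from user input are escaped per RFC 4515 so that characters such as '*' or '(' cannot change the meaning of the filter.

```python
"""Added example: compose a refined LDAP filter and split an ldapbasedn list.

Not Harvest code. Attribute names (uid, objectClass, memberOf) and the
OU/DC values are constructed for illustration.
"""


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515, section 3).

    Backslash, '*', '(', ')' and NUL become a backslash followed by two hex
    digits, so a login name cannot inject extra filter conditions.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def eq(attr: str, value: str) -> str:
    """(attr=value) with the value escaped."""
    return f"({attr}={ldap_escape(value)})"


def and_(*conds: str) -> str:
    """'(&(A)(B))': every condition must hold."""
    return "(&" + "".join(conds) + ")"


def or_(*conds: str) -> str:
    """'(|(A)(B))': at least one condition must hold."""
    return "(|" + "".join(conds) + ")"


def not_(cond: str) -> str:
    """'(!(A))': the condition must not hold."""
    return "(!" + cond + ")"


def check_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check before handing a filter to the server: every '('
    must have a matching ')' and the filter must be a single group."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and ldap_filter.startswith("(") and ldap_filter.endswith(")")


def split_basedns(ldapbasedn: str) -> list:
    """Split the ';'-separated ldapbasedn string into individual base DNs,
    trimming stray whitespace and dropping empty entries."""
    return [b.strip() for b in ldapbasedn.split(";") if b.strip()]


def refined_lookup(login: str) -> dict:
    """Build a narrower filter for one login than the bare '(uid=login)'
    form: only person objects, in one of two groups, and not disabled.
    Constructed attribute and group names."""
    ldap_filter = and_(
        eq("objectClass", "person"),
        eq("uid", login),
        or_(
            eq("memberOf", "cn=harvest-users,dc=abc,dc=com"),
            eq("memberOf", "cn=harvest-admins,dc=abc,dc=com"),
        ),
        not_(eq("memberOf", "cn=disabled,dc=abc,dc=com")),
    )
    # Constructed ldapbasedn value in the same ';'-separated form as above.
    bases = split_basedns(
        "ou=users,ou=my department,dc=abc,dc=com;"
        "ou=users,ou=your department,dc=abc,dc=com"
    )
    return {"filter": ldap_filter, "bases": bases,
            "balanced": check_balanced(ldap_filter)}


if __name__ == "__main__":
    result = refined_lookup("jdoe")
    print(result["filter"])
    for base in result["bases"]:
        print("search base:", base)
```

Each search base in the list is queried with the same filter, so the fewer and more specific the bases, the less of the directory the server has to scan; the `ldap_escape` step is what keeps a login such as `j*` from matching every user whose name starts with "j".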

To do this properly you need the help of your LDAP administrators in order to create filters and basedn's that specifically target what you're looking for. Because each company can structure LDAP differently, a generic solution cannot be created that would provide the level of detail you need. Your filters and basedn's must be tailored to your unique LDAP database in order to work most efficiently. Use of the debugging options in the HAUTHTST command line utility can help in detecting performance problems in the OpenLDAP layer.