CA APM Webview takes too long to log in for LDAP users who belong to a nested group.

Document ID : KB000004157
Last Modified Date : 14/02/2018
Issue:

The CA APM Webview client takes a long time to log in for LDAP users who belong to a nested group in LDAP.

Environment:
CA APM 9.1.x to CA APM 10.5.x
Cause:

APM 9.x to APM 10.3

All LDAP groups are queried to determine whether a user is entitled to log in to the CA APM Introscope Workstation / Webview clients. This broad, recursive search is the general-purpose approach CA implemented so that it works against any LDAP directory; unfortunately it is very inefficient when the directory has many or large groups. If a user belongs to a nested group and that user's entitlements do not depend on nested group membership, the property below disables the nested group search and reduces the LDAP query overhead.

APM 10.5

The root cause of the slowness is the way ATC queries the user's groups. A single realm call (LDAP, EEM or EEM+LDAP) returns all groups the user belongs to directly; that call is not the problem.

For each of those groups, however, the realm is called again to obtain the group's parent groups, and this is repeated recursively for every group found. So if a user is a member of 200 groups, there are at least 200 further calls just to fetch the parent groups of the direct memberships, before any of those parents are themselves expanded.

Resolution:

Add the property below to the realms.xml file to disable the nested group search.

The property is optional. Its default value is false, which means the code searches for nested groups recursively; setting it to true stops the parent-group lookups.
 
<!-- Optionally set to true to disable group searching which searches for nested groups. -->
<!-- Default is false. -->
<property name="disableNestedGroupSearch">
  <value>true</value>
</property>

Additional Information:

Note: For the LDAP realm (not for EEM or EEM+LDAP) it is also possible to disable querying for parent groups by setting the property below to true in the LDAP configuration file:

disableNestedGroupSearch=true

With this property set to true, the user will not be able to access universes assigned to groups that are only indirectly (via another group) assigned to the user. Because the change fails closed, verify before enabling it that the Webview / Workstation login permission and the universes each affected user needs are granted through groups the user is a direct member of; a user whose only entitlement comes through a nested group will be denied. Login will, however, be much faster. The newer implementation makes the same option available for the EEM configuration.
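The call pattern described under Cause, and the entitlement loss described in the note above, as an added illustration that is not CA APM's own code. It assumes a constructed directory (the PARENT_GROUPS and DIRECT_GROUPS tables, including a deliberate cycle between two groups), a stand-in Realm class that counts round trips, and a hypothetical "webview.login" entitlement; the real realm implementation and its permission names are not on this page.

```python
"""Simulate how a realm resolves a user's effective groups with and without
nested (parent-group) search, counting the realm round trips each needs.

Added illustration for this KB article, not CA APM code. The group graph,
the Realm class and the entitlement names are constructed assumptions.
"""
from collections import deque

# Constructed directory: group -> set of parent groups (groups it is a member of).
# "eng-all" and "eng-leads" are deliberately members of each other, so a
# recursive parent search must track what it has already visited.
PARENT_GROUPS = {
    "app-team-a": {"eng-all", "oncall"},
    "app-team-b": {"eng-all"},
    "eng-all": {"staff", "eng-leads"},
    "eng-leads": {"eng-all", "staff"},
    "oncall": set(),
    "staff": set(),
    "apm-admins": set(),
}

# Constructed directory: user -> set of groups the user is a direct member of.
DIRECT_GROUPS = {
    "alice": {"app-team-a", "app-team-b"},
    "bob": {"apm-admins"},
}

# Hypothetical APM entitlements granted per group. "alice" only gets the
# login permission through "staff", which she reaches via nested groups.
GROUP_ENTITLEMENTS = {
    "staff": {"webview.login"},
    "apm-admins": {"webview.login", "webview.admin"},
}


class Realm:
    """Stands in for an LDAP/EEM realm; every method call is one round trip."""

    def __init__(self):
        self.calls = 0

    def user_groups(self, user):
        """One call returns all groups the user belongs to directly."""
        self.calls += 1
        return set(DIRECT_GROUPS.get(user, set()))

    def parent_groups(self, group):
        """One call per group returns the groups that group is a member of."""
        self.calls += 1
        return set(PARENT_GROUPS.get(group, set()))


def effective_groups(realm, user, disable_nested_group_search):
    """Return (groups, realm_calls) for a user.

    Nested search disabled: a single realm call, direct groups only.
    Nested search enabled: one further call for every group discovered, so
    N direct groups cost at least N extra round trips before any parent is
    itself expanded. The visited set keeps the cycle in the graph finite.
    """
    groups = realm.user_groups(user)
    if disable_nested_group_search:
        return groups, realm.calls
    queue = deque(groups)
    seen = set(groups)
    while queue:
        group = queue.popleft()
        for parent in realm.parent_groups(group):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen, realm.calls


def entitlements(groups):
    """Union of the entitlements granted to any of the given groups."""
    result = set()
    for group in groups:
        result |= GROUP_ENTITLEMENTS.get(group, set())
    return result


def login_check(user, disable_nested_group_search):
    """Resolve groups for a login attempt and report cost and outcome."""
    realm = Realm()
    groups, calls = effective_groups(realm, user, disable_nested_group_search)
    return {
        "groups": groups,
        "calls": calls,
        "can_login": "webview.login" in entitlements(groups),
    }


if __name__ == "__main__":
    for user in ("alice", "bob"):
        for disabled in (False, True):
            r = login_check(user, disabled)
            print(f"{user:6} disableNestedGroupSearch={str(disabled).lower():5} "
                  f"calls={r['calls']} can_login={r['can_login']}")
```

With nested search enabled, alice's login costs one call for her two direct groups plus one call for each of the six groups the walk discovers; with it disabled the cost drops to a single call, but she loses "webview.login" because it is granted only through the indirectly assigned "staff" group. bob, whose entitlement is on a direct group, is unaffected either way. This is the check to run against real group data before setting the property.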

 

https://support.ca.com/us/knowledge-base-articles.tec595290.html -- Configuring CA APM to use LDAP Authentication (Introscope and APM CE [CEM]).