Enabling LDAP configuration slows down hub performance

Document ID : KB000006451
Last Modified Date : 18/04/2018
Issue:

After enabling LDAP/Active Directory integration with the UIM Hub, the hub may experience slow performance. User logins may fail intermittently, and the hub may even restart unexpectedly.

Environment:
This occurs in large LDAP/AD environments where a large number of users are present, and especially when those users are members of a large number of Active Directory groups. For example, the issue was observed in an environment with 1,000 users, each of whom was a member of around 100 groups.
Cause:

The UIM hub periodically queries the LDAP users and enumerates the list of groups they're in, and caches this information.

If the users are members of a large number of groups, the processing of the results can bog down the hub, leading to performance issues.

Resolution:

This issue can be resolved by configuring the hub NOT to cache the group membership information, but instead to look up each user as they log in to determine which groups they belong to. This can slow down the login process by a few seconds but will otherwise resolve the performance problems seen in such environments.

To set this up, back up and then edit the hub configuration file (hub.cfg) and set the following keys under the LDAP->Templates->Active Directory section:

member_lookup_reverse=yes

lookup=yes

attr_usr_member_of = 

(The last key should be set to a blank value, removing the default value 'memberOf'.)
Restart the hub after saving the file.
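
To confirm the edit before restarting the hub, the check below reads the text of hub.cfg and reports any of the three keys that is missing or still holds another value. It is an added example, not CA/Broadcom code. It assumes hub.cfg uses nested <name> ... </name> sections with "key = value" lines and that the section path is ldap / templates / Active Directory; parse_cfg and check_ldap_template are hypothetical helper names, and the sample configurations are constructed.

```python
import re

# Section path and key values as given in the article.
SECTION = ("ldap", "templates", "Active Directory")
REQUIRED = {"member_lookup_reverse": "yes", "lookup": "yes", "attr_usr_member_of": ""}

def parse_cfg(text):
    """Parse nested <name> ... </name> sections into {path_tuple: {key: value}}."""
    sections, path = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        tag = re.fullmatch(r"<(/?)([^<>]+)>", line)
        if tag and tag.group(1):                      # closing tag
            if not path or path[-1] != tag.group(2):
                raise ValueError(f"line {n}: unexpected {line}")
            path.pop()
        elif tag:                                     # opening tag
            path.append(tag.group(2))
            sections.setdefault(tuple(path), {})
        elif "=" in line and path:                    # key = value (value may be blank)
            key, _, value = line.partition("=")
            sections[tuple(path)][key.strip()] = value.strip()
    if path:
        raise ValueError(f"unclosed section <{path[-1]}>")
    return sections

def check_ldap_template(text):
    """Return a list of problems; an empty list means the keys match the article."""
    keys = parse_cfg(text).get(SECTION)
    if keys is None:
        return ["section " + "/".join(SECTION) + " not found"]
    problems = []
    for key, want in REQUIRED.items():
        if key not in keys:
            problems.append(f"{key} is missing")
        elif keys[key] != want:
            problems.append(f"{key} = {keys[key]!r}, expected {want!r}")
    return problems

# Constructed sample input, not taken from a real hub.
TEMPLATE = "<ldap>\n <templates>\n  <Active Directory>\n{body}  </Active Directory>\n </templates>\n</ldap>\n"
SAMPLE_BEFORE = TEMPLATE.format(body="   attr_usr_member_of = memberOf\n")
SAMPLE_AFTER = TEMPLATE.format(
    body="   member_lookup_reverse = yes\n   lookup = yes\n   attr_usr_member_of =\n")

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, check_ldap_template(cfg) or "OK")
```

To check a real file, pass the contents of hub.cfg to check_ldap_template in place of the samples.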