Why 2 LDAP Requests for DevTest LDAP Authentication?

Document ID : KB000117689
Last Modified Date : 17/10/2018
There are 2 LDAP searchRequest messages sent when the user authenticates.

The first request, "searchRequest baseObject", returns no result because the user entry is located in a subordinate location. The second request, "searchRequest wholeSubtree", returns one result.

Why 2 requests? A single "searchRequest wholeSubtree" request could do the same thing (and avoid unnecessary requests).

We ran tcpdump on the registry server and analyzed the capture using Wireshark.

These references were found in the transaction between Registry and LDAP. 
Why DevTest makes the LDAP queries:

1) There are 2 requests because the first is a connect (bind LDAP context) and the second is the actual user authentication.

2) The authentication actually uses a subtree query, e.g. Searching for user 'admin', with user search [ searchFilter: '(objectClass=user)', searchBase: 'dc=ca,dc=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ] 

3) By design it is not possible for DevTest to limit the number of attributes to return. However, the authentication-providers.xml configuration file can be changed to make the LDAP query more effective, in case that is the issue. Specifically, the <user-search-base> section can limit the number of results, e.g. <user-search-base>dc=ca,dc=com</user-search-base>

For #2 and #3 please also refer to https://docops.ca.com/devtest-solutions/10-3/en/administering/security/access-control-acl/configure-authentication-providers-for-acl 

4) Wireshark is not needed to get the LDAP traffic; the same information is logged in the lisatmp directory, in either the acl.log or the registry.log file.
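
The following is an added example, not DevTest code: it reads log lines in the format quoted in item 2 and reports which logins still run a subtree search from the domain root, the case that the <user-search-base> change in item 3 narrows. The timestamp prefix, the sample lines and the function names are constructed for illustration, and the assumption is that acl.log or registry.log records each search in that same format.

```python
import re

# Search description as quoted in item 2 of the article.
LINE_RE = re.compile(
    r"Searching for user '(?P<user>[^']*)', with user search \[(?P<body>[^\]]*)\]"
)
# Fields look like  key: 'quoted value'  or  key: bare_value
FIELD_RE = re.compile(r"(\w+):\s*(?:'([^']*)'|([^,\s]+))")

# Constructed sample lines (not taken from a real acl.log / registry.log).
SAMPLE_LOG = [
    "2018-10-17 10:00:01 DEBUG Searching for user 'admin', with user search "
    "[ searchFilter: '(objectClass=user)', searchBase: 'dc=ca,dc=com', "
    "scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]",
    "2018-10-17 10:00:02 INFO Registry heartbeat",
    "2018-10-17 10:05:09 DEBUG Searching for user 'tester', with user search "
    "[ searchFilter: '(objectClass=user)', searchBase: 'ou=people,dc=ca,dc=com', "
    "scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]",
]


def parse_search(line):
    """Return the user and search parameters from one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(m.group("body"))}
    fields["user"] = m.group("user")
    return fields


def findings(search):
    """Flag a subtree search whose base is empty or only dc= components."""
    rdns = [r.strip().lower() for r in search.get("searchBase", "").split(",") if r.strip()]
    if search.get("scope") == "subtree" and all(r.startswith("dc=") for r in rdns):
        return ["subtree search from the domain root; narrow user-search-base"]
    return []


def audit(lines):
    """Return (user, searchBase, findings) for every search line found."""
    parsed = (parse_search(line) for line in lines)
    return [(s["user"], s.get("searchBase", ""), findings(s)) for s in parsed if s]


if __name__ == "__main__":
    for user, base, notes in audit(SAMPLE_LOG):
        print(user, base, notes or "ok")
```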