PQ53953: POTENTIAL AUTHENTICATION PERFORMANCE ISSUES IF USER BELONGS TO ONE OR MORE GROUPS WITH LARGE MEMBERSHIPS.


APAR

APAR status
Closed as program error.

Error description
WebSphere LDAP queries for the groups a given user belongs to
request the entire contents of the LDAP group object when only
the group's Distinguished Name is used.  If the group has a
large number of members, this can cause the LDAP server to take
an excessive amount of time to complete the query and transfer
the data to WebSphere.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users of    *
*                 the LTPA authentication mechanism.           *
****************************************************************
* PROBLEM DESCRIPTION: Potential performance issues with       *
*                      authentication if groups that a         *
*                      given user belongs to have large        *
*                      memberships.                            *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Authentication can perform poorly if the user being authenticated
is a member of one or more groups that have many members.  The
LDAP search currently performed to find the groups a user belongs
to requests all group attributes, which include all members of
the group.  Each member of a group is an attribute of that group.
This can cause excessive response times from LDAP.
Problem conclusion
Since the Distinguished Name is all that was required from the
search, the search was changed to only request this attribute.
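
The size difference behind this fix, as an added example that is not IBM's or WebSphere's code: it BER-encodes one group entry as an RFC 4511 SearchResultEntry, once with every attribute and once with none. The group DN, member DNs, groupOfNames layout and function names are constructed for illustration.

```python
# Added example (not IBM's code): bytes on the wire for one group entry,
# BER-encoded as an RFC 4511 SearchResultEntry. All names are constructed.

def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def octets(s):
    return tlv(0x04, s.encode("utf-8"))          # OCTET STRING

def search_result_entry(msg_id, dn, attrs, with_attrs):
    """Encode LDAPMessage{messageID, SearchResultEntry{objectName, attributes}}.

    with_attrs=True  models a search asking for all attributes (pre-fix).
    with_attrs=False models a search asking for none ("1.1"); the DN still
    arrives, because it travels in objectName, not in the attribute list.
    """
    partial = b"".join(
        tlv(0x30, octets(name) + tlv(0x31, b"".join(octets(v) for v in vals)))
        for name, vals in (attrs.items() if with_attrs else ())
    )
    entry = tlv(0x64, octets(dn) + tlv(0x30, partial))   # [APPLICATION 4]
    mid = tlv(0x02, msg_id.to_bytes(msg_id.bit_length() // 8 + 1, "big"))
    return tlv(0x30, mid + entry)

def build_group(n_members):
    """Constructed groupOfNames entry with n_members member values."""
    dn = "cn=staff,ou=groups,dc=example,dc=com"
    members = [f"uid=user{i:06d},ou=people,dc=example,dc=com"
               for i in range(n_members)]
    return dn, {"objectClass": ["top", "groupOfNames"],
                "cn": ["staff"], "member": members}

def response_sizes(n_members):
    """Return (bytes with all attributes, bytes with DN only)."""
    dn, attrs = build_group(n_members)
    return (len(search_result_entry(2, dn, attrs, True)),
            len(search_result_entry(2, dn, attrs, False)))

if __name__ == "__main__":
    for n in (10, 1000, 50000):
        full, dn_only = response_sizes(n)
        print(f"{n:>6} members: all attributes {full:>9} B, DN only {dn_only} B")
```

The DN-only response stays the same size however large the group grows, while the full response grows with every member.
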
Temporary fix
Comments
APAR information
APAR number: PQ53953
Reported component name: WAS ADVANCED SU
Reported component ID: 5648C8402
Reported release: 350
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Submitted date: 2001-10-24
Closed date: 2001-11-06
Last modified date: 2001-12-17

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PQ54789

Modules/Macros
SECURITY

Fix information
Fixed component name: WAS ADVANCED SU
Fixed component ID: 5648C8402

Applicable component levels
R350 PSYUP

Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ53953
IBM Group: Software Group
Modified date: 2001-12-17