PQ48364: OUTPUT OF LDAP QUERY TAKES TOO LONG

A fix is available
PQ60658, 3.5.4, 3.5.5, 3.5.6: Cumulative Interim Security Fix

APAR

APAR status
Closed as program error.

Error description
LDAP queries use objectClass as a filter parameter. Microsoft Active
Directory uses objectCategory as the parameter instead. objectClass is
supported, but with the amount of information we have stored, access
takes two minutes. The poor performance of filtering on objectClass is
also documented on the LDAP side. After changing to objectCategory the
query takes two seconds. The query used for searching a user is
configurable, and there objectCategory can be set, but it is not
possible for a user to change the query used for searching groups.
Local fix
Customer wrote a simple socket proxy that replaced all
occurrences of objectCategory and the problem did not
come up again. WebSphere often terminates with
transaction timeouts because of the time-consuming
LDAP query. The WebSphere class related to this problem is
"com.ibm.ejs.security.registry.ldap.LdapRegistryImpl"
in ibmwebas.jar.
Problem summary
When using Microsoft Active Directory as the LDAP server, it
takes about 1 to 2 minutes to get a response due to the large amount
of data stored. The problem was caused by using the filter
ObjectClass=group in the method getGroupsForUser(String)
in LdapRegistryImpl.java. If you replace ObjectClass=group by
ObjectCategory=group, the response time is reduced from 1 to 2 minutes
to 2 seconds. Checking Microsoft's documentation also confirms
that the ObjectCategory attribute should be used to improve Active
Directory performance. Since using objectClass is the LDAP standard
way, we have to add an additional filter option for Active
Directory. After the modification, objectClass is still the default
schema, but the user can choose to use ObjectCategory as the schema
instead. If you choose to use objectCategory, configure it as the
filter in the 'group member Id map' field by adding
;objectCategory:group to the end of the field.
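To make the difference between the two filters concrete, the following added Python example (not WebSphere's own code; the real LdapRegistryImpl source is not shown on this page) builds the group-membership search filter that getGroupsForUser would send for a given user DN. The helper names and the way the ';objectCategory:group' suffix of the 'group member Id map' field is parsed are assumptions made for illustration; the example also escapes the user DN according to RFC 4515 so that a DN containing filter metacharacters cannot alter the filter's meaning, which is a check a defender would want in any code that builds LDAP filters from input.

```python
# Added example: builds the LDAP group-lookup filter with objectClass (LDAP
# standard) or objectCategory (Active Directory indexed attribute).
# The parsing of the 'group member Id map' field below is a hypothetical
# model of the syntax described in the APAR, not WebSphere's implementation.

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Parentheses, asterisk, backslash and NUL are replaced by \\XX hex
    escapes so user-supplied text cannot inject extra filter clauses.
    """
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def parse_group_member_id_map(field: str):
    """Split a 'group member Id map' value such as
    'group:member;objectCategory:group' into (objectClass, memberAttr)
    pairs plus an optional objectCategory override.

    Hypothetical parser: the APAR only says that ';objectCategory:group'
    is appended to the end of the field.
    """
    pairs = []
    category = None
    for part in field.split(';'):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition(':')
        if key.lower() == 'objectcategory':
            category = val
        else:
            pairs.append((key, val))
    return pairs, category


def build_groups_for_user_filter(field: str, user_dn: str) -> str:
    """Return the filter used to find the groups a user belongs to.

    Without an objectCategory override the standard objectClass clause is
    used; with it, objectCategory=<value> replaces the objectClass clause
    (the faster form on Active Directory, as the APAR describes).
    """
    pairs, category = parse_group_member_id_map(field)
    dn = escape_filter_value(user_dn)
    clauses = []
    for objclass, member_attr in pairs:
        if category:
            schema_clause = '(objectCategory=%s)' % escape_filter_value(category)
        else:
            schema_clause = '(objectClass=%s)' % escape_filter_value(objclass)
        clauses.append('(&%s(%s=%s))' % (schema_clause, member_attr, dn))
    if len(clauses) == 1:
        return clauses[0]
    return '(|' + ''.join(clauses) + ')'


if __name__ == '__main__':
    # Constructed sample DN, not taken from a real directory.
    sample_dn = 'CN=Alice,CN=Users,DC=example,DC=com'
    print(build_groups_for_user_filter('group:member', sample_dn))
    print(build_groups_for_user_filter('group:member;objectCategory:group', sample_dn))
```

The first call produces the slow Active Directory form the APAR describes, `(&(objectClass=group)(member=...))`; the second, with the suffix appended, produces `(&(objectCategory=group)(member=...))`. The escaping step is independent of the performance fix but belongs in the same place, because the member value is built from a DN that originated in the directory rather than in the application's own configuration.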
Problem conclusion
com/ibm/ejs/security/registry/ldap/LdapRegistryImpl.java
Temporary fix
Comments
APAR information
APAR number: PQ48364
Reported component name: WAS ADVANCED AI
Reported component ID: 5648C8400
Reported release: 350
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Submitted date: 2001-05-02
Closed date: 2001-07-18
Last modified date: 2001-07-18

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY

Fix information
Fixed component name: WAS ADVANCED AI
Fixed component ID: 5648C8400

Applicable component levels
R350 PSYUP

Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ48364
IBM Group: Software Group
Modified date: 2001-07-18