PQ94008: Use objectCategory instead of objectClass to search MSAD server | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![]() |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![]() APAR status Closed as program error. Error description Operating System and Level:Windows 2000 WAS 6 uses inefficient less than optimal search filters for Active Directory. By default WAS 6 uses objectClass to search Active Directory, it should use objectCategory which is indexed and has a better performance. This seems to have been fixed in V6 under cmvc defect 225376. Now, we need to backport it to V5 and V4.Local fix Filters can be manually modified, and "Custom" registry "type" used.Problem summary **************************************************************** * USERS AFFECTED: WebSphere Application Server users who have * * enabled Global Security and configured * * Microsoft Active Directory Server as the * * LDAP server in use. * **************************************************************** * PROBLEM DESCRIPTION: The default search filters in * * Microsoft Active Directory server are * * not optimized. * **************************************************************** * RECOMMENDATION: * **************************************************************** In previous release, the default search filter for Microsoft Active Directory server was based on ObjectClass, which is not indexed, and may result in slower search response. Search filters using ObjectCategory were documented as replacements for the default filters to resolve the performance problem with the default filters. These new filters now replace the original filters as the default filters.Problem conclusion This is a performance improvement for user suing Microsoft Active Directory server as the ocnfigured LDAP server. This is change the default search filters. The original filters can still be used by editing the filters and creating a "Custom" LDAP configuration. If security is already enabled prior to applying this fix, the existing search filters will not be changed until the LDAP settings are re-applied by choosing Microsoft Active Directory server and saving LDAP configuration. Important not: If the original filters are still wanted, "Custom" must be selected as the LDAP server before applying any changes for the LDAP configuration. If security is enabled after applying this fix, the new search filters will be used automatically. New filters: user: (&(sAMAccountName=%v)(objectcategory=user)) group: (&(cn=%v)(objectcategory=group)) Original Filters: user: (&(sAMAccountName=%v)(objectclass=user)) group: (&(cn=%v)(objectclass=group))Temporary fix tested at local labComments
APAR is sysrouted FROM one or more of the following: APAR is sysrouted TO one or more of the following: Modules/Macros
Publications Referenced
|
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server > General
Operating system(s):
Software version: 10W
Software edition:
Reference #: PQ94008
IBM Group: Software Group
Modified date: Nov 16, 2004
(C) Copyright IBM Corporation 2000, 2008. All Rights Reserved.