PQ54789: POTENTIAL AUTHENTICATION PERFORMANCE ISSUES IF USER BELONGS TO ONE OR MORE GROUPS WITH LARGE MEMBERSHIPS.

APAR status
Closed as program error.

Error description
WebSphere LDAP queries for groups that a given user belongs to.
It requests the entire contents of the LDAP group object when
only the group's Distinguished Name is used.  If the group has a
large number of members, this can cause the LDAP to take an
excessive amount of time to complete the query and transfer the
data to WebSphere.
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users of    *
*                 the LTPA authentication mechanism.           *
****************************************************************
* PROBLEM DESCRIPTION: Potential performance issues with       *
*                      authentication if groups that the a     *
*                      given user belongs to have large        *
*                      memberships.                            *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
There is a potential for authentication performance issues if
the user being authenticated is a member in one or more groups
that have many members in them.  The problem is the current
LDAP search performed to find the groups a user belongs to
requests all group attribute which include all members to the
group.  Each member of a group is an attribute to that group.
This can cause excessive response times from LDAP.
Problem conclusion
Since the Distinguished Name is all that was required from the
search, the search was changed to only request this attribute.
Temporary fix Comments
APAR information
APAR number PQ54789
Reported component name WEBSPHERE AE SO
Reported component ID 5630A2202
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2001-11-14
Closed date 2001-11-14
Last modified date 2003-04-24

APAR is sysrouted FROM one or more of the following:
PQ53953

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

Fix information
Fixed component name WEBSPHERE AE SO
Fixed component ID 5630A2202

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ54789
IBM Group: Software Group
Modified date: Apr 24, 2003