Symantec Access Management

  • 1.  CA Directory - understanding controls="manage-dsa-it"

    Posted Dec 11, 2015 12:51 AM

    Hi there,

     

    I would like to understand controls="manage-dsa-it" in the search request. What does it mean and how does it impact the performance?

     

    In my environment, exactly two search results are taking time, and I would like to understand more about this.

     

    [69] 20151210.163857.235 57332.876 SEARCH dn="dc=ca,dc=com" scope=base-object eis=objectClass (ssl) source="client" controls="manage-dsa-it"

    [66] 20151210.163857.236 57332.876 RESULT success 1 entries 1 msecs

     

    [64] 20151210.163904.178 57332.878 SEARCH dn="dc=ca,dc=com" scope=base-object eis=objectClass (ssl) source="client" controls="manage-dsa-it"

    [66] 20151210.163904.379 57332.878 RESULT success 1 entries 201 msecs

     

    I was not able to find documentation on controls="manage-dsa-it".

    Any pointers?

     

    Regards

    Ravi



  • 2.  Re: CA Directory - understanding controls="manage-dsa-it"
    Best Answer

    Posted Dec 13, 2015 06:32 PM

    Hi Ravi,

     

    The ManageDsaIT LDAP control (RFC-2396) allows a special referral object to be returned on searches rather than returning an actual referral in a search response. A referral tells an LDAP client the details of other servers where data may be stored. The control is required so that these special referral objects can be retrieved and modified. This facility isn't required for CA Directory as it conforms to the X.500 standard, and therefore supports distributed search operations without putting the onus on the LDAP client to collate the results.

     

    Some Java LDAP SDKs include the ManageDsaIT by default (you may see this when using JXplorer). CA Directory doesn't support the ManageDsaIT control, and even though it is carried with a request, it does not have any impact.

     

    The delay in your search will have another cause. If the query-log snippet above is from a router, a 200 msec delay may be caused by a known TCP performance issue (Delayed ACK & Nagle's Algorithm). This can be ruled out by setting "set tcp-nodelay = true;" on your DSAs. If that isn't the issue, then you may need to open a ticket to assist you in analyzing the root cause given the large number of external factors involved that can impact DSA performance.

     

    Thanks,

     

    Justin
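
Added example, not written by either poster and not CA Directory code: a triage script that pairs each request line in the query log with its RESULT line and flags operations that land near the 200 msec mark even though an identical request completed quickly, the pattern the answer attributes to Delayed ACK and Nagle's Algorithm. The field layout is inferred from the four log lines quoted in the question; the function names and the 190-260 msec band are assumptions.

```python
import re
from collections import defaultdict

# The four query-log lines quoted in the question above.
SAMPLE_LOG = '''\
[69] 20151210.163857.235 57332.876 SEARCH dn="dc=ca,dc=com" scope=base-object eis=objectClass (ssl) source="client" controls="manage-dsa-it"
[66] 20151210.163857.236 57332.876 RESULT success 1 entries 1 msecs
[64] 20151210.163904.178 57332.878 SEARCH dn="dc=ca,dc=com" scope=base-object eis=objectClass (ssl) source="client" controls="manage-dsa-it"
[66] 20151210.163904.379 57332.878 RESULT success 1 entries 201 msecs
'''

# Layout inferred from the sample: [n] timestamp operation-id VERB details
LINE = re.compile(r'^\[\d+\]\s+(?P<ts>\S+)\s+(?P<op>\S+)\s+(?P<verb>[A-Z]+)\s*(?P<rest>.*)$')
MSECS = re.compile(r'(\d+) msecs\s*$')
# Assumed band around the ~200 msec delay mentioned in the answer.
STALL_BAND = (190, 260)

def pair_operations(text):
    """Join each request line to its RESULT line via the shared third field."""
    pending, ops = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # tolerate lines in other formats
        if m['verb'] == 'RESULT':
            ms = MSECS.search(m['rest'])
            req = pending.pop(m['op'], None)
            if req and ms:
                ops.append({**req, 'op': m['op'], 'msecs': int(ms.group(1))})
        else:
            pending[m['op']] = {'ts': m['ts'], 'request': m['verb'] + ' ' + m['rest']}
    return ops

def stall_suspects(ops, band=STALL_BAND):
    """Return operations inside the band whose identical request also ran fast."""
    by_request = defaultdict(list)
    for op in ops:
        by_request[op['request']].append(op)
    suspects = []
    for group in by_request.values():
        fastest = min(o['msecs'] for o in group)
        # A fast twin suggests the search itself is cheap and the wait is elsewhere.
        if fastest < band[0] // 10:
            suspects += [o for o in group if band[0] <= o['msecs'] <= band[1]]
    return suspects

if __name__ == '__main__':
    for op in stall_suspects(pair_operations(SAMPLE_LOG)):
        print(op['op'], op['ts'], op['msecs'], 'msecs:', op['request'])
```

Comparing the flagged set before and after applying "set tcp-nodelay = true;" shows whether that setting accounts for the delay.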



  • 3.  Re: CA Directory - understanding controls="manage-dsa-it"

    Posted Dec 13, 2015 11:07 PM

    Thank you Justin for the detailed response. Let me check more logs and if needed, will open a support case.