Symantec Access Management


Identity Suite User Query Performance Improvement


    Posted Sep 19, 2018 08:45 PM



    The default directory.xml under the /opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/directoryTemplates may have predefined objectClasses that are not required.


    There is no need/requirement to define ALL possible objectClasses for your user record.   


    In fact, the number of objectClasses defined in the directory.xml for your user store may have a performance impact, because each one becomes an extra clause in every user query.


    Below is the default example:


    As an example without extra objectClasses, within the CA Identity Suite vApp (virtual appliance) r14.x, this default directory.xml has been updated to only have two (2) objectClasses, i.e. top and the lowest inherited structural objectClass.    In fact, top is not required, but it is "ignored" during queries (per observation).


    For the Identity Suite vApp r14.x, the objectClass has been reduced to:



    To validate the queries your current Identity Suite/Identity Manager solution sends for base user operations, e.g. the IME View User or Modify User IM tasks, you may wish to enable two (2) additional CA Directory query-log tokens in the DSA configuration:


    set query-log = "logs/$s_query.log";
    set query-log-advanced = all;




    You may then monitor the LDAP queries sent from the IME tasks to the primary user store.

    As a test of before/after, I exported the vApp userstore directory.xml and updated the objectClasses:




    Next, execute the same IM task (View User) and capture the exact LDAP query sent from the IM solution to CA Directory.


    Then copy this query from the DSA query logs and paste it into the SoftTerra LDAP Browser LDAP filter builder, which renders the filter in a more human-readable form.



    Below is the current "newer & faster" modified query for CA Identity Suite r14.x.




    Below is the directory.xml default query, and what I have seen used at many customer sites:

    - Please check the objectClasses you use!

    - As you can see below, there are duplicate queries in the filter.
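The filter screenshots are not reproduced here, so the following added example (not from the original post or from CA/Symantec) shows how to check a captured filter mechanically. It parses an LDAP search filter in the RFC 4515 syntax that appears in DSA query logs, lists the objectClass clauses so they can be compared against what directory.xml actually defines, reports clauses repeated inside the same AND/OR term, and emits the deduplicated filter. The sample filter is constructed for illustration; it is not a query captured from CA Directory.

```python
"""Inspect an LDAP search filter for redundant clauses.

Added example; the sample filters below are constructed and are not
captured from CA Directory or CA Identity Manager logs.
"""

from typing import List, Tuple, Union

# A leaf is the literal "(attr=value)" text; a compound node is
# (operator, children) with operator one of "&", "|", "!".
Node = Union[str, Tuple[str, List["Node"]]]


def parse_filter(text: str) -> Node:
    """Recursive-descent parser for the RFC 4515 filter subset seen in query logs."""
    pos = 0

    def parse() -> Node:
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children: List[Node] = []
            while text[pos] != ")":
                children.append(parse())
            pos += 1  # consume the ')' closing the compound term
            return (op, children)
        # Simple item. A literal ')' inside a value must be escaped as \29
        # per RFC 4515, so the next ')' always closes this item.
        end = text.index(")", pos)
        leaf = "(" + text[pos:end] + ")"
        pos = end + 1
        return leaf

    node = parse()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def to_string(node: Node) -> str:
    """Serialize a tree back to filter syntax (inverse of parse_filter)."""
    if isinstance(node, str):
        return node
    op, children = node
    return "(" + op + "".join(to_string(c) for c in children) + ")"


def count_leaves(node: Node) -> int:
    """Number of simple (attr=value) clauses the DSA has to evaluate."""
    if isinstance(node, str):
        return 1
    return sum(count_leaves(c) for c in node[1])


def object_class_values(node: Node) -> List[str]:
    """Every objectClass value asserted in the filter, in order of appearance."""
    out: List[str] = []
    if isinstance(node, str):
        if node.lower().startswith("(objectclass="):
            out.append(node[len("(objectclass="):-1])
        return out
    for child in node[1]:
        out.extend(object_class_values(child))
    return out


def duplicate_clauses(node: Node) -> List[str]:
    """Clauses that occur more than once inside a single & or | term."""
    found: List[str] = []
    if isinstance(node, str):
        return found
    op, children = node
    counts = {}
    for child in children:
        key = to_string(child)
        counts[key] = counts.get(key, 0) + 1
    if op in "&|":
        found.extend(key for key, n in counts.items() if n > 1)
    for child in children:
        found.extend(duplicate_clauses(child))
    return found


def dedupe(node: Node) -> Node:
    """Drop repeated clauses within the same & or | term, keeping first occurrence.
    A '!' term has exactly one child, so it is only recursed into."""
    if isinstance(node, str):
        return node
    op, children = node
    seen = set()
    kept: List[Node] = []
    for child in (dedupe(c) for c in children):
        key = to_string(child)
        if op in "&|" and key in seen:
            continue
        seen.add(key)
        kept.append(child)
    return (op, kept)


# Constructed sample shaped like a "View User" filter that asserts every
# objectClass listed in a default directory.xml and repeats one of them.
SAMPLE_FILTER = (
    "(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)"
    "(objectClass=inetOrgPerson)(objectClass=inetOrgPerson)(uid=jdoe))"
)

if __name__ == "__main__":
    tree = parse_filter(SAMPLE_FILTER)
    print("clauses:", count_leaves(tree))
    print("objectClass values:", object_class_values(tree))
    print("duplicates:", duplicate_clauses(tree))
    print("deduplicated:", to_string(dedupe(tree)))
```

Run it against a filter copied from the `$s_query.log` output; the objectClass list is what to reconcile with the directory.xml for the user store, and a non-empty duplicates list is the redundancy the post describes.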
    Using JXplorer, Apache Directory Studio, or SoftTerra LDAP Browser, we can independently compare the performance of each query.   The CA Directory DSA query logs also record the elapsed time to execute each query, so the before/after difference can be confirmed there as well.





    Export your directory.xml, reduce the objectClasses to the minimum required, and import the updated directory.xml to get a large performance gain for minimal effort.


    Note:  This process becomes very important when CA Identity Portal is introduced, since it adds further filtering, e.g. more than one attribute is searched at a time using LDAP filter OR statements, and every objectClass clause is repeated in that larger filter.




    Example of the query string (as captured from CA Directory) sent by CA Identity Portal with directory.xml defaults and many user attributes selected as "searchable" in the IP configuration (and in the IM screen used by IP):






    Location of SoftTerra LDAP Browser LDAP Filter tool:

    -  This LDAP Filter Builder view was useful for discussions with other team members.