Question:
We'd like to know how the LDAP searches are processed when selecting
these options in the User Directory Search Expression Editor:
Search Users
Search Groups
Search Organizations
Search Any Entry
How are the LDAP requests done?
Answer:
At first glance, according to the documentation, the meaning of each of
these options is:
Search Users
Indicates that the search is limited to matches in user entries.
Search Groups
Indicates that the search is limited to matches in group entries.
Search Organizations
Indicates that the search is limited to matches in organization
entries (organizations and organizational units).
Search Any Entry
Indicates that the search includes all entries in the directory.
https://docops.ca.com/ca-single-sign-on/12-8/en/using/administrative-ui/policy-and-related-dialogs-reference/users-screen/user-directory-search-expression-editor
Obviously, the behavior will depend on the way you configure each of them,
as this functionality allows you to set the filter manually.
As you requested samples, I've configured a dummy entry for each, and here
are the results:
Test:
If you configure the Users in the Policy as:
| Name | User Class |
|-----------------------+----------------------|
| (businessCategory=ok) | Search Any Entry |
| (description=ok) | Search Users |
| (initials=toto) | Search Groups |
| (manager=ok) | Search Organizations |
and here's what the Policy Server 12.8 will trace:
(businessCategory=ok), filter is '(businessCategory=ok)'
[11/13/2018][11:56:44.755][11:56:44][6586][140283421386496]
[SmDsUser.cpp:899][CSmDsUser::ResolvePolicyObject][][][][]
[][][][][][][][][][][][][][][Policy
resolution for user: 'cn=jsmith,dc=training,dc=com', filter:
'(businessCategory=ok)', type: 10, recursive: No][][Start of call
HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][]
[11/13/2018][11:56:44.918][11:56:44][6586][140283421386496]
[SmDsLdapProvider.cpp:2344][CSmDsLdapProvider::Search][][]
[][][][][][][][][][][][][][][][][(Search)
Base: 'dc=training,dc=com', Filter: '(businessCategory=ok)'. Status:
0 entries.][][Ldap Search callout
succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][]
(description=ok), filter is '(description=ok)'
[11/13/2018][11:56:44.919][11:56:44][6586][140283421386496]
[SmDsUser.cpp:899][CSmDsUser::ResolvePolicyObject][][][][][][]
[][][][][][][][][][][][][Policy
resolution for user: 'cn=jsmith,dc=training,dc=com', filter:
'(description=ok)', type: 3, recursive: No][][Start of call
HasRelationship.][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][][]
[11/13/2018][11:56:44.946][11:56:44][6586][140283421386496]
[SmDsLdapProvider.cpp:2624][CSmDsLdapProvider::SearchCount]
[][][][][][][][][][][][][][][][][][][(SearchCount)
Base: 'cn=jsmith,dc=training,dc=com', Filter:
'(description=ok)'. Status: 0 entries][][Ldap SearchCount callout
succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][]
(initials=toto), filter is '(&(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(initials=toto))'
[11/13/2018][11:56:44.947][11:56:44][6586][140283421386496]
[SmDsUser.cpp:899][CSmDsUser::ResolvePolicyObject][][][][][][][]
[][][][][][][][][][][][Policy
resolution for user: 'cn=jsmith,dc=training,dc=com', filter:
'(initials=toto)', type: 8, recursive: No][][Start of call
HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][][]
[11/13/2018][11:56:44.948][11:56:44][6586][140283421386496]
[SmDsLdapProvider.cpp:2344][CSmDsLdapProvider::Search][][][][][]
[][][][][][][][][][][][][][(Search)
Base: 'dc=training,dc=com', Filter:
'(&(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(initials=toto))'
. Status: 0 entries.][][Ldap Search callout
succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][]
(manager=ok), filter is '(&(|(objectclass=organization)(objectclass=organizationalUnit))(manager=ok))'
[11/13/2018][11:56:44.949][11:56:44][6586][140283421386496]
[SmDsUser.cpp:899][CSmDsUser::ResolvePolicyObject][][][][][][][]
[][][][][][][][][][][][Policy
resolution for user: 'cn=jsmith,dc=training,dc=com', filter:
'(manager=ok)', type: 9, recursive: No][][Start of call
HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][][][]
[11/13/2018][11:56:44.952][11:56:44][6586][140283421386496]
[SmDsLdapConnMgr.cpp:1218][CSmDsLdapConn::SearchExts][][][][][]
[][][][][][][][][][][][][][][][LDAP
search of
(&(|(objectclass=organization)(objectclass=organizationalUnit))(manager=ok))
took 0 seconds and 3332
microseconds][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][][][][][][][][]
You should consider the following documentation section concerning
policy configuration and performance:
Policy Membership and Authorization Performance
Policy membership is the part of a CA Single Sign-On policy that
specifies which users apply to the policy. Policies are stored in
domains, and as a result, you use filters to apply policy membership
to any or all users stored in the user directories bound to the
domain. The type of filter you define determines how the Policy Server
evaluates policy membership.
The following filters are listed in the order in which they have the smallest effect on performance:
All—"All" has the smallest effect on performance. When CA Single
Sign-On authenticates a user, the Policy Server issues a session
ticket. The session ticket identifies the user directory in which
the user is stored. The Policy Server only has to compare the
session ticket with the directory bound to the policy to determine
that the policy applies to the user.
Distinguished name—A distinguished name (dn) has a greater effect on
performance than "All". The organization or organizational unit,
which contains the dn of the authenticated user, is stored in the
session ticket. The Policy Server has to compare the session ticket
information with the policy membership filter to determine if the
policy applies to the user.
Group membership or search expressions—These types of filters have a
greater effect on performance than distinguished names. Group
membership and search expressions consume additional system
resources and result in a user directory search. The Policy Server
must:
Resolve the group membership or search expression
Search the user directory to determine if the policy applies to the user.
Nested groups—Defining policy membership with a nested group has the
greatest effect on performance. The Policy Server must search each
user group and all sub-groups in the directory to determine if the
policy applies to the user.
Important! Directories with deep group hierarchies can have a
significant effect on the time it takes the Policy Server to
evaluate policy membership.
Note: You can enable the User Authorization cache to reduce the number
of requests the Policy Server makes to user directories to resolve
policy membership.
https://docops.ca.com/ca-single-sign-on/12-8/en/implementing/implementing-ca-single-sign-on/performance-tuning/application-tier-performance
KB: KB000121698
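The option-to-filter mapping visible in the trace above, as an added example that is not part of the KB answer or of CA's code: it assumes the objectclass wrappers, search bases and "type" numbers seen in this trace hold for any admin-typed expression, and the function names are its own. It also checks that the typed expression is a single balanced filter, since the server concatenates it verbatim into the (&...) wrapper.

```python
"""Reproduce the LDAP search each User Directory Search Expression option
produces, using the wrappers, bases and type numbers seen in the Policy
Server trace.  Added illustration; not CA code (assumed behaviour)."""

# type numbers and objectclass wrappers copied from the trace lines above
OPTIONS = {
    "Search Users": (3, None, "SearchCount"),
    "Search Groups": (
        8,
        "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)"
        "(objectclass=group))",
        "Search",
    ),
    "Search Organizations": (
        9,
        "(|(objectclass=organization)(objectclass=organizationalUnit))",
        "Search",
    ),
    "Search Any Entry": (10, None, "Search"),
}


def balanced_filter(expr):
    """An admin-typed expression must be one parenthesised RFC 4515 filter;
    otherwise the (&wrapper expr) compound the server builds is malformed."""
    if not (expr.startswith("(") and expr.endswith(")")):
        return False
    depth = 0
    for ch in expr:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:  # a ')' closed more than was opened
            return False
    return depth == 0


def effective_search(option, expr, user_dn, base_dn):
    """Return (callout, search base, final filter, type) for one option.

    'Search Users' is counted under the authenticated user's own DN with the
    expression as typed; the other options search from the directory root,
    with groups/organizations AND-ed to an objectclass restriction."""
    if not balanced_filter(expr):
        raise ValueError("not a balanced LDAP filter: %r" % expr)
    type_no, wrapper, callout = OPTIONS[option]
    if option == "Search Users":
        return (callout, user_dn, expr, type_no)
    ldap_filter = expr if wrapper is None else "(&%s%s)" % (wrapper, expr)
    return (callout, base_dn, ldap_filter, type_no)
```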