rafaelrpm Absent Member.

Websphere querying eDirectory for groups

So, we have an environment integrated with Websphere Application Server using groups to authorize users. Works fine, except for the high usage of CPU (8 cores 32GB). Websphere gets the user DN and queries all groups searching members. No biggie, since we have around 300 groups.
But for some groups we have 300k members. There you go, you can imagine the processing workload in expanding the members array for all groups and evaluating if each member matches the user DN - the servers go from 10% usage to 50%-60% only for that process.

Let's say for now that we cannot change in the client application the query syntax, the base DN or anything like that.
Yes, member attribute is indexed.

Any thoughts on how to improve this scenario?

Thx!
Knowledge Partner

Re: Websphere querying eDirectory for groups

Just to be clear, is Websphere sending something like the following query
(LDAP filter syntax):


member=cn=group,ou=context,o=goes,dc=here


If so, and if member is indexed (as it should be by default and as you
indicate it is), I would not expect utilization to be that high, though I
am not sure I have tested this with a recent (9.x) version of
eDirectory.

With that in mind, which version of eDirectory are you using? If it is
9.x, run ndscheck and see if you see any notes about that attribute.

Regardless of the version, have you tuned your DIB cache at all? By
default it is set to 200 MB but you may want to set it a bit higher to
cache more of the DIB. I do not really think this will help with this
particular query's impact on the CPU, but if you have 300k (or more) users
it should probably be done anyway. Seeing your cache hit statistics in
iMonitor may be interesting.

Keep in mind that indexes are per-server, meaning just because you have an
index on one server does not mean you will have it on another. I suspect
you know this, or have checked, or that on eDirectory 8.8.x the index was
auto-created, but it is worth noting as it is common to set up one box,
later add another, and forget about copying over indexes and having weird
performance as a result.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
rafaelrpm

Re: Websphere querying eDirectory for groups

Hey ab. Sorry for the delay. Query syntax is (&(objectClass=groupOfNames)(member=user_DN_here)) and base DN is root. Oh and this query is server-side sorted. I agree that CPU utilization should not be that high, it is very weird.
eDirectory version is 8.8.8. Indexes are OK on this server where the query is executed.
Also, DIB cache is set to 1GB and hit statistics are around 80% (client is testing some configs in order to increase that, which historically never happened for this base).
Right now I don't have any numbers for this same scenario for eDir 9.x, will have in the next week hopefully.
Knowledge Partner

Re: Websphere querying eDirectory for groups

If you are using Server Side Sort (SSS) then that is probably
significantly impacting the CPU utilization. I would try the same query
sans that LDAP control and see if the results vary much. If you need SSS,
then you need it, but you are going to pay the price for that.

Which attribute is being used to sort the results? Please, please tell me
NOT the member attribute; I would expect something like cn to be the one
used for sorting. If your application is using member for sorting, then
that would almost definitely explain most of your utilization, and is
almost certainly a bug (I cannot think of a single reason to sort returned
entries by that multi-valued attribute).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
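
The comparison suggested in the last reply (the same group lookup with and without the Server Side Sort control), as an added example that is not part of the thread. It uses OpenLDAP's `ldapsearch`; the host, bind DN, password file, user DN and the `cn` sort key are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. All hosts and DNs are placeholders.
LDAP_URI="${LDAP_URI:-ldaps://edir.example.com:636}"
BIND_DN="${BIND_DN:-cn=reader,o=example}"
PW_FILE="${PW_FILE:-./bind.pw}"        # file holding the bind password
USER_DN="${USER_DN:-cn=jdoe,ou=users,o=example}"
SORT_ATTR="${SORT_ATTR:-cn}"           # assumed sort key
RUNS="${RUNS:-20}"

# RFC 4515 escaping so a DN containing \ * ( ) cannot alter the filter.
escape_filter_value() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter quoted in the thread, built for one user DN.
group_filter() {
    printf '(&(objectClass=groupOfNames)(member=%s))' "$(escape_filter_value "$1")"
}

# lookup MODE: "sorted" adds the Server Side Sort control, "plain" omits it.
# With DRY_RUN=1 the command line is printed instead of executed.
lookup() {
    mode="$1"
    set -- -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE" -b "" -s sub
    if [ "$mode" = sorted ]; then set -- "$@" -E "sss=$SORT_ATTR"; fi
    set -- "$@" "$(group_filter "$USER_DN")" cn
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s ' ldapsearch "$@"; echo; return 0; fi
    ldapsearch "$@" >/dev/null
}

# measure MODE: wall-clock seconds for $RUNS identical lookups.
measure() {
    start=$(date +%s); i=0
    while [ "$i" -lt "$RUNS" ]; do lookup "$1" || return 1; i=$((i + 1)); done
    echo "$1: $(( $(date +%s) - start ))s for $RUNS lookups"
}

# Invoke as: sh script.sh run
if [ "${1:-}" = run ]; then measure plain && measure sorted; fi
```

Watch the server's CPU while each mode runs; the elapsed time alone only has one-second resolution.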