[midPoint] Active Directory performance issue - excessive Group Search operations for each user

Alcides Carlos de Moraes Neto alcides.neto at gmail.com
Wed Feb 27 23:47:01 CET 2019 

Hello list,

We're having serious performance issues when reconciling and recomputing
users.
One of the problems is excessive calls to ldap Search Group operation for
each user.
For example, a single user with some 50 groups in AD results in 270 calls
to search group ldap operation.
We have tried fetchStrategy minimal in the association definition for the
user account, but it doesn't make a difference. By logging the AdLdap
connector, i can see the same groups being searched multiple times by
different threads.
How can we optimize this? I noticed that enabling the
AttributesToGetSearchResultHandler, the fetchStrategy is respected, but all
sorts of weird behavior start to happen, like groups not being removed when
an authoritative assignment is removed.

Shouldn't midpoint just use the shortcutAssociationAttribute to detect
changes needed to entitlement membership?

Any insight will appreciated, thanks.

Here's our (redacted) association definition.

<associatio>
            <c:ref>ri:group</c:ref>
            <displayName>AD Group Membership</displayName>
            <tolerant>true</tolerant>

<intolerantValuePattern>.*AutomaticGroups.*</intolerantValuePattern>
            <exclusiveStrong>false</exclusiveStrong>
            <fetchStrategy>minimal</fetchStrategy>
            <kind>entitlement</kind>
            <intent>intent1</intent>
            <intent>intent2</intent>
            <intent>intent3</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>

<shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
            <shortcutValueAttribute>ri:dn</shortcutValueAttribute>

<explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20190227/736a8f5a/attachment.htm>

More information about the midPoint mailing list