[midPoint] Active Directory performance issue - excessive Group Search operations for each user

Alcides Carlos de Moraes Neto alcides.neto at gmail.com
Thu Feb 28 18:52:54 CET 2019


We have figured out the problem.

Many of these groups are new, outside midPoint control. Since we do not
make routine imports from AD to midPoint, they have no Shadow.
After importing them, the excessive searches stopped, even though they have
no purpose in midPoint.
But midPoint does not create the shadow when recomputing the user, it
retrieves the group for nothing, apparently.

Is there a way to prevent these groups from interfering with midPoint
functionalities without having to import them?

Thanks

On Wed, Feb 27, 2019 at 19:47, Alcides Carlos de Moraes Neto <
alcides.neto at gmail.com> wrote:

> Hello list,
>
> We're having serious performance issues when reconciling and recomputing
> users.
> One of the problems is excessive calls to ldap Search Group operation for
> each user.
> For example, a single user with some 50 groups in AD results in 270 calls
> to search group ldap operation.
> We have tried fetchStrategy minimal in the association definition for the
> user account, but it doesn't make a difference. By logging the AdLdap
> connector, I can see the same groups being searched multiple times by
> different threads.
> How can we optimize this? I noticed that enabling the
> AttributesToGetSearchResultHandler, the fetchStrategy is respected, but all
> sorts of weird behavior start to happen, like groups not being removed when
> an authoritative assignment is removed.
>
> Shouldn't midpoint just use the shortcutAssociationAttribute to detect
> changes needed to entitlement membership?
>
> Any insight will be appreciated, thanks.
>
> Here's our (redacted) association definition.
>
> <association>
>             <c:ref>ri:group</c:ref>
>             <displayName>AD Group Membership</displayName>
>             <tolerant>true</tolerant>
>             <intolerantValuePattern>.*AutomaticGroups.*</intolerantValuePattern>
>             <exclusiveStrong>false</exclusiveStrong>
>             <fetchStrategy>minimal</fetchStrategy>
>             <kind>entitlement</kind>
>             <intent>intent1</intent>
>             <intent>intent2</intent>
>             <intent>intent3</intent>
>             <direction>objectToSubject</direction>
>             <associationAttribute>ri:member</associationAttribute>
>             <valueAttribute>ri:dn</valueAttribute>
>             <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>             <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>             <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
> </association>
>