On 12/04/2018 01:04 PM, ka12312 wrote:
>
> I met with the Siteminder Admin today. He will investigate the
> smPasswordData modifications since it is a Siteminder attribute and
> causes the slowness.


Just to be sure we all understand, the modification doesn't cause any
slowness, as mentioned before; it happens in something less than one (1)
second, probably less than 1/100 of a second. If this is used in a
search, and is not indexed, then that matters to the time taken, but the
actual modification clearly does not.

> One more question if I may. I see most entries in dstrace as this and I
> assume it means a successful search and authentication:
>
>
> Code:
> --------------------
> 13:12:13 3A9E3700 LDAP: (172.16.35.179:49798)(0x31ac8:0x63) DoSearch on connection 0x805df880
> 13:12:13 3A9E3700 LDAP: (172.16.35.179:49798)(0x31ac8:0x63) Search request:
> base: "ou=xx,o=xxxx"
> scope:2 dereference:0 sizelimit:0 timelimit:30 attrsonly:0
> filter: "(&(cn=a4408)(objectclass=inetOrgPerson))"
> attribute: "smPasswordData"
> attribute: "cn"
> attribute: "smDisabledFlag"
> attribute: "objectclass"
> 13:12:13 3A9E3700 LDAP: (172.16.35.179:49798)(0x31ac8:0x63) Sending search result entry "cn=A4408,ou=xx,ou=xx,o=xxxx" to connection 0x805df880
> 13:12:13 3A9E3700 LDAP: (172.16.35.179:49798)(0x31ac8:0x63) Sending operation result 0:"":"" to connection 0x805df880
>
> --------------------
>
> Then I will see this, only on the cns which have the smPasswordData
> modification. Why is that the only Bind I see in a zillion dstrace
> entries? It is for the same cn=A4408 which had an earlier
> smPasswordData modification. Thank you!!
>
> Code:
> --------------------
> 13:12:43 50830700 LDAP: (172.16.35.179:49805)(0x128c:0x60) DoBind on connection 0x7f064e00
> 13:12:43 50830700 LDAP: (172.16.35.179:49805)(0x128c:0x60) Bind name:cn=A4408,ou=xx,ou=xx,o=xxxx, version:3, authentication:simple
>
> --------------------


Good question; why does SiteMinder do that? Hopefully that too can be
answered by them since this has nothing to do with general LDAP stuff. A
bind is a single operation, those last two lines, and may only have a few
(as in single-digits few) lines before or after to set up the connection,
even with TLS/SSL involved, so everything else is not part of the bind.
All of the searches, modifications, etc. are not part of the bind. They
may be related to the bind inasmuch as SiteMinder does other stuff before
or after the bind, but that's not the bind, that is other stuff SiteMinder
has decided to do and is now doing. Those things may impact overall login
times, of course, but eDirectory cannot tell you the why as much as the what.

--
Good luck.

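An added example, not part of the original posts: a short Python parser for the dstrace LDAP lines quoted above that groups them into operations and, for each bind, lists the earlier searches that name the same entry. It assumes the first hex value in the second parenthesised pair identifies one operation on a client connection; the function and field names are made up for illustration.

```python
import re

# Sample input: the dstrace excerpts quoted in the thread, shortened.
SAMPLE = '''\
13:12:13 3A9E3700 LDAP: (172.16.35.179:49798)(0x31ac8:0x63) DoSearch on connection 0x805df880
13:12:13 3A9E3700 LDAP: (172.16.35.179:49798)(0x31ac8:0x63) Search request:
base: "ou=xx,o=xxxx"
filter: "(&(cn=a4408)(objectclass=inetOrgPerson))"
attribute: "smPasswordData"
13:12:13 3A9E3700 LDAP: (172.16.35.179:49798)(0x31ac8:0x63) Sending operation result 0:"":"" to connection 0x805df880
13:12:43 50830700 LDAP: (172.16.35.179:49805)(0x128c:0x60) DoBind on connection 0x7f064e00
13:12:43 50830700 LDAP: (172.16.35.179:49805)(0x128c:0x60) Bind name:cn=A4408,ou=xx,ou=xx,o=xxxx, version:3, authentication:simple
'''

# Assumption: (client ip:port, first hex id) identifies one operation.
HEADER = re.compile(
    r"^(\d\d):(\d\d):(\d\d) \S+ LDAP: \(([\d.]+:\d+)\)\((0x[0-9a-fA-F]+):0x[0-9a-fA-F]+\) (.*)$")

def parse_operations(text):
    """Group trace lines into operations; 'time' is seconds since midnight of the last line seen."""
    ops, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:  # continuation line (base:, filter:, attribute:) of the current operation
            if cur is not None and line.startswith("filter:"):
                cur["filter"] = line.split(":", 1)[1].strip().strip('"')
            continue
        h, mi, s, client, op_id, msg = m.groups()
        cur = ops.setdefault((client, op_id), {"client": client, "kind": None, "lines": 0})
        cur["time"] = int(h) * 3600 + int(mi) * 60 + int(s)
        cur["lines"] += 1
        if k := re.match(r"Do(\w+) on connection", msg):
            cur["kind"] = k.group(1)
        elif msg.startswith("Bind name:"):
            cur["dn"] = msg[len("Bind name:"):].split(", version:")[0]
        elif r := re.match(r"Sending operation result (\d+):", msg):
            cur["result"] = int(r.group(1))
    return list(ops.values())

def searches_before_bind(ops, window=60):
    """For each bind, list searches up to `window` seconds earlier whose filter names its first RDN."""
    out = []
    for b in (o for o in ops if o["kind"] == "Bind" and "dn" in o):
        rdn = "(" + b["dn"].split(",")[0].lower() + ")"
        hits = [o for o in ops if o["kind"] == "Search"
                and rdn in o.get("filter", "").lower()
                and 0 <= b["time"] - o["time"] <= window]
        out.append((b, hits))
    return out
```

On the sample, the bind comes out as its own two-line operation from client port 49805, and the matching search is a separate operation from port 49798 thirty seconds earlier.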