How To: Improve Login Performance When Using EEM With 10.3

Document created by paimon.soror Champion on Aug 31, 2016

Hi All;

 

In our environment, we use EEM and global groups in LDAP to authenticate users who have access to APM.  We have a few global groups for our environments, G_APM_ADMINISTRATORS, and G_APM_PRODUCTION_USER to authenticate users, and also set up their access rights.  These rights are set up in EEM and can easily be done by following the APM installation guide.  This How To won't get too far into the setup, however, it will provide a small tweak to improve performance.

 

The Issue

 

With APM 10.0, we didn't have very many issues with logging in via EEM/LDAP.  Users were able to log in rather quickly, and there was very little difference between using a local user, and an EEM user.  We recently upgraded a few of our environments to 10.3 and almost immediately noticed an impact to logins.  Our end users were complaining of logins taking between 20 and 30 seconds.  After setting up some debugging, I started to notice something very interesting that happened in 10.3 vs 10.0.

 

8/31/16 01:33:29.704 PM EDT [DEBUG] [btpool0-0] [Manager.EemRealm] EEM found permissions "[full]" for resource "Server Resource" of type "Server" for user "c53259"
8/31/16 01:33:29.706 PM EDT [DEBUG] [btpool0-0] [Manager.EemRealm] EEM found permissions "[full]" for resource "SuperDomain" of type "Domain" for user "c53259"
8/31/16 01:33:36.733 PM EDT [DEBUG] [btpool0-0] [Manager.EemRealm] EEM failed to find application-specific user "c53259": [Exception retrieving c53259]
com.ca.eiam.SafeException: EE_BADOBJECT Bad Object
8/31/16 01:33:36.733 PM EDT [DEBUG] [btpool0-0] [Manager.EemRealm] EEM found groups "[ << ALL_OF_MY_LDAP_GROUPS_HERE >> ]" for user "c53259"
8/31/16 01:33:38.904 PM EDT [DEBUG] [btpool0-0] [Manager.EemRealm] EEM found permissions "[full]" for resource "Server Resource" of type "Server" for user "c53259"
8/31/16 01:33:38.904 PM EDT [DEBUG] [btpool0-0] [Manager.EemRealm] EEM found permissions "[full]" for resource "SuperDomain" of type "Domain" for user "c53259"

The big difference was the 3rd line down.  It seems that APM is doing some extra authentication things that it didn't do in the past.  It actually listed out all of my global groups in the LDAP tree.  So I then took to EEM, to see what else was going on...

 

TRACE 2016-08-31 13:06:35,119 [0x000007fc] [eiam.server.ldap.ldaputil] LdapUtil::doSearch: async search initiated [name: datastorebasedn: cn=APM_Acceptance, cn=Store, cn=iTechPoz, filter: (&(pozClass=O_D)(cn=EiamAdmin)), ldapconn: 000000000CB19E40]
TRACE 2016-08-31 13:06:35,119 [0x000007fc] [eiam.server.ldap.ldaputil] LdapUtil::readResult: reading search result [basedn: cn=APM_Acceptance, cn=Store, cn=iTechPoz, filter: (&(pozClass=O_D)(cn=EiamAdmin)), msgid: 25188, ldapconn: 000000000CB19E40]
TRACE 2016-08-31 13:06:35,120 [0x000007fc] [eiam.server.ldap.ldaputil] LDAPUtils::parseLdapControls: entering [searchRequest: 000000000D98FC30, serverCtrls: 000000000CF981D0]
TRACE 2016-08-31 13:06:35,120 [0x000007fc] [eiam.server.ldap.ldaputil] LdapUtil::parseLdapControls: leaving [1]
DEBUG 2016-08-31 13:06:35,120 [0x000007fc] [eiam.server.ldap.ldaputil] LdapUtil::dropResults: droping search result [basedn: cn=APM_Acceptance, cn=Store, cn=iTechPoz, filter: (&(pozClass=O_D)(cn=EiamAdmin)), msgid: -1, ldapconn: 000000000CB19E40]
TRACE 2016-08-31 13:06:35,120 [0x000007fc] [eiam.server.ldap.ldaputil] LdapUtil::createLdapControl: leaving [000000000CF984F0]
DEBUG 2016-08-31 13:06:35,120 [0x000007fc] [eiam.server.ldap.ldaputil] LdapUtil::doSearch: performing ldap search [name: Internal, basedn: DC=secret,DC=com, filter: (&(objectClass=group)(|(sAMAccountName=G_SECRET_OTHER_RD)(cn=G_SECRET_OTHER_RD))), ldapconn: 000000000C27D8B0]
TRACE 2016-08-31 13:06:35,121 [0x000007fc] [eiam.server.ldap.ldaputil] LdapUtil::doSearch: async search initiated [name: Internalbasedn: DC=secret,DC=com, filter: (&(objectClass=group)(|(sAMAccountName=G_SECRET_OTHER_RD)(cn=G_SECRET_OTHER_RD))), ldapconn: 000000000C27D8B0]
TRACE 2016-08-31 13:06:35,121 [0x000007fc] [eiam.server.ldap.ldaputil] LdapUtil::readResult: reading search result [basedn: DC=secret,DC=com, filter: (&(objectClass=group)(|(sAMAccountName=G_SECRET_OTHER_RD)(cn=G_SECRET_OTHER_RD))), msgid: 118427, ldapconn: 000000000C27D8B0]
TRACE 2016-08-31 13:06:35,122 [0x000007fc] [eiam.server.ldap.ldaputil] LdapUtil::createLdapControl: leaving [000000000CF984F0]

I noticed that when I tried to log in, APM was sending over an authentication check against every single one of the groups that I was a part of.  This caused a huge slowdown in performance.

 

What Helped...

What I did here to help fix the issue was limit the size of the LDAP tree searching.  Granted this was easy for us because right now APM is the only tool we are using that does LDAP authentication through EEM.  So, through the EEM Configuration page, I selected "User Store" and then the "LDAP Attribute Mapping" page:

 

 

Here I added additional parameters to the 'Group Search Filter'.  Here I was able to add a wildcard for any 'G_APM' group to authenticate against.  For other orgs, you could try setting up the DN a bit more to limit the scope of the ldap search.  I saved this Mapping to 'SystemsMgmt_LDAP'.

 

Next, go to the User Store, and select the directory you have configured.

 

 

 

Update the Attribute Map:

 

 

Save, and now try to log in.

 

You will notice some different text being printed:

 

8/31/16 01:54:23.985 PM EDT [DEBUG] [btpool0-4] [Manager.EemRealm] EEM found permissions "[full]" for resource "Server Resource" of type "Server" for user "c53259"
8/31/16 01:54:23.985 PM EDT [DEBUG] [btpool0-4] [Manager.EemRealm] EEM found permissions "[full]" for resource "SuperDomain" of type "Domain" for user "c53259"
8/31/16 01:54:24.042 PM EDT [DEBUG] [btpool0-4] [Manager.EemRealm] EEM failed to find application-specific user "c53259": [Exception retrieving c53259]
com.ca.eiam.SafeException: EE_BADOBJECT Bad Object
8/31/16 01:54:24.042 PM EDT [DEBUG] [btpool0-4] [Manager.EemRealm] EEM found groups "[G_APM_ADMINISTRATOR]" for user "c53259"

Now you can see that my 'EEM found groups' piece only shows the groups that I have that begin with G_APM.

 

My logins are now well within a few seconds.

 

Hopefully this helps those of you with massive LDAP trees, and hopefully it provides some information on how to limit the searching that EEM is doing with the newer versions of APM.
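
An added example, not part of the original post: a Python check over the Manager.EemRealm debug lines that reports, per thread, the longest pause between consecutive lines and any group in the "EEM found groups" list that falls outside the G_APM prefix. The sample lines are constructed from the log excerpts above; the group names in the first login and the comma-separated list format are assumptions.

```python
import re
from datetime import datetime

# Matches the Manager.EemRealm debug lines shown in this post.
LINE_RE = re.compile(
    r'^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+\.\d+ [AP]M) \w+ \[DEBUG\] '
    r'\[(?P<thread>[^\]]+)\] \[Manager\.EemRealm\] (?P<msg>.*)$')
GROUPS_RE = re.compile(r'EEM found groups "\[(.*)\]" for user "[^"]+"')

def login_stats(lines, prefix="G_APM"):
    """Per thread: largest gap in seconds between consecutive EemRealm lines,
    the groups EEM returned, and any returned group outside `prefix`."""
    stats, last_seen = {}, {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # e.g. the SafeException line, which carries no timestamp
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%y %I:%M:%S.%f %p")
        thread = m["thread"]
        s = stats.setdefault(thread, {"max_gap_s": 0.0, "groups": [], "unexpected": []})
        if thread in last_seen:
            gap = (ts - last_seen[thread]).total_seconds()
            s["max_gap_s"] = max(s["max_gap_s"], gap)
        last_seen[thread] = ts
        g = GROUPS_RE.search(m["msg"])
        if g:
            s["groups"] = [x.strip() for x in g.group(1).split(",") if x.strip()]
            s["unexpected"] = [x for x in s["groups"] if not x.startswith(prefix)]
    return stats

# Constructed sample: one login before the filter change (btpool0-0) and one
# after (btpool0-4). The group list on btpool0-0 is an assumed stand-in.
SAMPLE = '''\
8/31/16 01:33:29.706 PM EDT [DEBUG] [btpool0-0] [Manager.EemRealm] EEM found permissions "[full]" for resource "SuperDomain" of type "Domain" for user "c53259"
8/31/16 01:33:36.733 PM EDT [DEBUG] [btpool0-0] [Manager.EemRealm] EEM failed to find application-specific user "c53259": [Exception retrieving c53259]
com.ca.eiam.SafeException: EE_BADOBJECT Bad Object
8/31/16 01:33:36.733 PM EDT [DEBUG] [btpool0-0] [Manager.EemRealm] EEM found groups "[G_APM_ADMINISTRATOR, G_SECRET_OTHER_RD]" for user "c53259"
8/31/16 01:54:23.985 PM EDT [DEBUG] [btpool0-4] [Manager.EemRealm] EEM found permissions "[full]" for resource "SuperDomain" of type "Domain" for user "c53259"
8/31/16 01:54:24.042 PM EDT [DEBUG] [btpool0-4] [Manager.EemRealm] EEM failed to find application-specific user "c53259": [Exception retrieving c53259]
8/31/16 01:54:24.042 PM EDT [DEBUG] [btpool0-4] [Manager.EemRealm] EEM found groups "[G_APM_ADMINISTRATOR]" for user "c53259"
'''.splitlines()

if __name__ == "__main__":
    for thread, s in login_stats(SAMPLE).items():
        print(thread, f"max gap {s['max_gap_s']:.3f}s", "unexpected:", s["unexpected"])
```

Pool threads are reused between logins, so run this over the lines of one login attempt at a time; otherwise idle time between two logins on the same thread is counted as a gap.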
