CA Privileged Identity Manager Tech Tip by Renato Pioker, Support Engineer for July 21st, 2015.
Sometimes you may experience poor performance when logging in or searching for objects in the ENTM Portal. One of the most common causes is defining Microsoft Active Directory as the User Store using the default LDAP port (SSL or not).
This is caused by some characteristics of AD itself – the way the Domain Controllers perform searches, and how they store, distribute and cache objects, can slow down searches while a user tries to authenticate or search for objects via LDAP.
To avoid this you can just reconfigure the User Store connection to point to the Global Catalog port. To achieve this, follow the steps below:
1. Log in to the Management Console (http://<ENTM_server>:<ENTM_port>/idmmanage - use https if your environment is configured to use SSL);
2. Navigate to Directories;
3. Click on "ac-dir" and click the Export button;
4. Save the resulting XML to a temporary location;
5. Edit the XML you saved using a text editor, such as Notepad or Vim;
6. Change the "Connection port" field as in the following example:
   From: <Connection port="389" host="servername.mydomain.com"/>
   To:   <Connection port="3268" host="mydomain.com"/>
   Please note that, if you have more than one Global Catalog server in your AD topology, you will need to map the domain name to the Global Catalog IP address in the "hosts" file;
7. Save the file;
8. Repeat steps 1 to 3 but, instead of clicking the Export button, click the Update button;
9. Click the Browse button;
10. Navigate to the directory where you saved the XML file in step 4 above;
11. Click once on the file to select it;
12. Click the Open button;
13. Click the Finish button;
14. Once the import process completes, click the Continue button;
15. Click the Restart Environment button.
Now your ENTM is configured to access the Global Catalog service. The Global Catalog stores all the information that resides in Active Directory, no matter the partitions and topology you have, in a cache. That’s why the searches are faster than when using the common LDAP connection – the Global Catalog can search the entire forest at once.
UPDATE: If you receive an error while uploading the XML back to IDMMANAGE, please do the following:
Edit the XML and locate the following line:
<Container objectclass="top,organizationalUnit" attribute="ou"/>
Change it to:
<Container objectclass="top,organizationalUnit" attribute="ou" value="Users"/>
Upload the file again.
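The two XML edits above (moving the Connection to the Global Catalog port and adding value="Users" to the Container element) can be applied and verified with a small script before the file is uploaded. This is an added example, not CA's own tooling: only the Connection and Container elements come from the tip, the UserStore wrapper in the sample export is an assumed stand-in, and port 3269 is the standard Global Catalog SSL port, which the tip itself does not mention.

```python
import xml.etree.ElementTree as ET

GC_PORT = "3268"       # Global Catalog over plain LDAP (the port the tip uses)
GC_SSL_PORT = "3269"   # Global Catalog over SSL (standard AD port, not quoted in the tip)
LDAPS_PORT = "636"     # default LDAP-over-SSL port; 389 is plain LDAP

# Constructed sample of an "ac-dir" export. Only <Connection> and <Container>
# are taken from the tip; the <UserStore> wrapper is an assumed stand-in.
SAMPLE_EXPORT = """<UserStore>
  <Connection port="389" host="servername.mydomain.com"/>
  <Container objectclass="top,organizationalUnit" attribute="ou"/>
</UserStore>"""


def to_global_catalog(xml_text, domain):
    """Return (rewritten_xml, change_log).

    Moves every <Connection> to the Global Catalog port (3269 if the export
    used SSL, else 3268) with host set to the domain name, and adds
    value="Users" to an ou <Container> that lacks it, as the upload-error
    note requires. Running it a second time changes nothing."""
    root = ET.fromstring(xml_text)
    changes = []
    for conn in root.iter("Connection"):
        old_port, old_host = conn.get("port"), conn.get("host")
        use_ssl = old_port in (LDAPS_PORT, GC_SSL_PORT)
        new_port = GC_SSL_PORT if use_ssl else GC_PORT
        if (old_port, old_host) != (new_port, domain):
            conn.set("port", new_port)
            conn.set("host", domain)
            changes.append(f"Connection {old_host}:{old_port} -> {domain}:{new_port}")
    for cont in root.iter("Container"):
        if cont.get("attribute") == "ou" and cont.get("value") is None:
            cont.set("value", "Users")
            changes.append('Container: added value="Users"')
    return ET.tostring(root, encoding="unicode"), changes


def check_export(xml_text):
    """List what still blocks a Global Catalog setup in an export."""
    root = ET.fromstring(xml_text)
    issues = []
    for conn in root.iter("Connection"):
        if conn.get("port") not in (GC_PORT, GC_SSL_PORT):
            issues.append(f"Connection port {conn.get('port')} is not a Global Catalog port")
    for cont in root.iter("Container"):
        if cont.get("attribute") == "ou" and cont.get("value") is None:
            issues.append('Container for "ou" has no value attribute')
    return issues
```

Run check_export on the rewritten text before uploading; an empty list means both edits from the tip are in place.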