
IDMWORKS Blog

Tips & Tricks: CA SiteMinder User Directory Tuning



Today I thought I would add a few tips & tricks related to CA SiteMinder Directory Services tuning. As usual, any questions or comments you might have can be added below.

Adding Additional Directory Connection Pools

A major tuning parameter of the Directory Services is enabling additional directory connection pools. For each Policy Server and smsuserdirectory object defined, an LDAP connection pool is created. In addition, for load balancing, an additional pool is created for each load-balanced LDAP server object.

To enable the additional pools for the LDAP server object, you can define the same directory server host as a load-balanced server. As a result, the same logical host can have double or triple the number of connection pool entries for a single directory object.

Measuring Directory Performance

In past deployments, doubling the connection pool has been shown to increase performance. A monitoring tool should be used to evaluate the overall performance gain.

Enabling the SiteMinder profiling logs and specific LDAP component categories can accurately measure the Policy Server's directory performance.
The following log entries from an Identity Manager policy evaluation show the time in milliseconds taken to execute a user attribute lookup from a role membership rule.

The log entries below use a timestamp of hh.mm.ss.ms. The ms (milliseconds) portion is only present when the PreciseTime data field is used.

As the timestamps in the log entries below show (11:25:34.192 when the function is entered, 11:25:34.200 when the LDAP search succeeds), this lookup returned in 8 milliseconds.
 

[04/16/2008][11:25:34.192][IMS6LdapRules.cpp:539][7728][Enter function CIMSDsLdapProvider::findManagedObjects][CIMSDsLdapProvider::findManagedObjects][][][][][][][][]
[04/16/2008][11:25:34.192][IMS6DsLdapProvider.cpp:6527][7728][Additional filter: (location=Charlotte) .][CIMSDsLdapProvider::ConstructSearchFilter][][][][][][][][]
[04/16/2008][11:25:34.192][IMS6DsLdapProvider.cpp:6564][7728][Constructed filter: (&(objectclass=top)(objectclass=person)(objectclass=organizationalperson)(objectclass=inetorgperson)(location=Charlotte)) .][CIMSDsLdapProvider::ConstructSearchFilter][][][][][][][][]
[04/16/2008][11:25:34.192][IMS6DsLdapProvider.cpp:2893][7728][Search Root: uid=wcotton,ou=people,ou=Dealer,ou=NeteAuto,dc=ca,dc=com, Search Filter: (&(objectclass=top)(objectclass=person)(objectclass=organizationalperson)(objectclass=inetorgperson)(location=Charlotte)), LDAP scope: 0, IMS scope 3][CIMSDsLdapProvider::FindIMSObjects][][][][][][][][]
[04/16/2008][11:25:34.200][SmDsLdapProvider.cpp:2039][7728][Ldap Search callout succeeds.][CSmDsLdapProvider::Search][(Search) Base: ‘uid=wcotton,ou=people,ou=Dealer,ou=NeteAuto,dc=ca,dc=com’, Filter: ‘(&(objectclass=top)(objectclass=person)(objectclass=organizationalperson)(objectclass=inetorgperson)(location=Charlotte))’. Status: 1 entries][][][][][][][]
[04/16/2008][11:25:34.200][IMS6DsLdapProvider.cpp:2917][7728][Number of DNs returned 1][CIMSDsLdapProvider::FindIMSObjects][][][][][][][][]
[04/16/2008][11:25:34.200][IMS6LdapRules.cpp:578][7728][Leave function CIMSDsLdapProvider::findManagedObjects][CIMSDsLdapProvider::findManagedObjects][][][][][][][][0]
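One way to turn profiler entries like these into per-call timings, so a connection pool change can be compared before and after. This is an added example, not code from the original post or from CA. It assumes one entry per line, PreciseTime enabled, and that the fourth field (7728 above) identifies the worker thread; the names function_timings and slow_calls and the thread 7801 entries are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Leading fields of a profiler entry: [date][time.ms][source:line][thread][message]
# Entries without the millisecond portion (PreciseTime off) do not match and are skipped.
LINE_RE = re.compile(
    r"^\[(\d{2}/\d{2}/\d{4})\]\[(\d{2}:\d{2}:\d{2}\.\d{3})\]"
    r"\[[^\]]*\]\[(\d+)\]\[([^\]]*)\]"
)

# Thread 7728 entries are taken from the log above; thread 7801 entries are
# constructed to show a slower lookup interleaved with the first one.
SAMPLE_LOG = """\
[04/16/2008][11:25:34.192][IMS6LdapRules.cpp:539][7728][Enter function CIMSDsLdapProvider::findManagedObjects][CIMSDsLdapProvider::findManagedObjects][][][][][][][][]
[04/16/2008][11:25:34.195][IMS6LdapRules.cpp:539][7801][Enter function CIMSDsLdapProvider::findManagedObjects][CIMSDsLdapProvider::findManagedObjects][][][][][][][][]
[04/16/2008][11:25:34.200][IMS6DsLdapProvider.cpp:2917][7728][Number of DNs returned 1][CIMSDsLdapProvider::FindIMSObjects][][][][][][][][]
[04/16/2008][11:25:34.200][IMS6LdapRules.cpp:578][7728][Leave function CIMSDsLdapProvider::findManagedObjects][CIMSDsLdapProvider::findManagedObjects][][][][][][][][0]
[04/16/2008][11:25:34.645][IMS6LdapRules.cpp:578][7801][Leave function CIMSDsLdapProvider::findManagedObjects][CIMSDsLdapProvider::findManagedObjects][][][][][][][][0]
"""

def function_timings(log_text):
    """Pair Enter/Leave entries per (thread, function); return elapsed ms."""
    open_calls = {}  # (thread id, function name) -> timestamp of the Enter entry
    timings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped fragment or an entry in another format
        date, clock, tid, msg = m.groups()
        ts = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S.%f")
        kind, _, func = msg.partition(" function ")
        if kind == "Enter":
            open_calls[(tid, func)] = ts
        elif kind == "Leave" and (tid, func) in open_calls:
            elapsed = ts - open_calls.pop((tid, func))
            timings.append((tid, func, elapsed // timedelta(milliseconds=1)))
    return timings

def slow_calls(timings, threshold_ms):
    """Return only the calls that took longer than threshold_ms."""
    return [t for t in timings if t[2] > threshold_ms]

if __name__ == "__main__":
    for tid, func, ms in function_timings(SAMPLE_LOG):
        print(f"thread {tid}: {func} took {ms} ms")
```

Keying on both thread and function keeps interleaved lookups from different worker threads from being paired with each other's Leave entries.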

 

Questions, comments or concerns? Feel free to reach out to us below or at IDMWORKS
