UNAB was registered to the top-level domain, and the output of `uxconsole -status -detail` shows it querying a large number of domains, including unwanted ones. This causes performance issues with UNAB, including UNAB taking a long time to start.
```
# uxconsole -status -detail
CA ControlMinder UNAB uxconsole v12.81.0.1912 - console utility
Copyright (c) 2013 CA. All rights reserved.
Client's site - SiteName
Registration domain - domain.com
DCs - domaindc1, domaindc2, domaindc3
User search base - DC=domain,DC=com
Group search base - DC=domain,DC=com
Trusted domain - unab.domain.com
DCs - unabdc1, unabdc2, unabdc3
User search base - DC=unab,DC=domain,DC=com
Group search base - DC=unab,DC=domain,DC=com
Trusted domain - pim.domain.com
DCs - pimdc1
User search base - DC=pim,DC=domain,DC=com
Group search base - DC=pim,DC=domain,DC=com
UNAB mode - full integration
UNAB status - activated
Agent status - not running
FIPS only mode - no
SELinux status - enforcing
SELinux UNAB policy - uxauth (version: 2.2)
Kerberos configuration - internal
Time sync - disabled
Nested groups ACL - enable login by nested groups
Enterprise policy - login@unabhost1#02 (updated: Thu Sep 5 11:03:45 2019)
Local policy - disabled
Default login access - deny
Cached AD Unix users - 3 (updated: Fri Dec 13 22:36:45 2019)
Cached AD Unix groups - 2 (updated: Fri Dec 13 22:36:45 2019)
Cached Windows groups - 28 (updated: Fri Dec 13 21:55:01 2019)
Migration - not migrated
CA PAM server host - ssl://entmhost.domain.com:61616
UNAB Watchdog - disabled
CA PAM Server Control - running
Include AD users and groups in CA PAM Server Control ladb : yes
Display AD names in CA PAM Server Control Audit : no
Support AD non-Unix groups in CA PAM Server Control : yes
PAM authentication in CA PAM Server Control utilities : yes
CA PAM Server Control Watchdog monitors UNAB agent : enabled
OWT domain user password management : disabled
```
Unix Authentication Broker (UNAB) 12.8 and above
The following two tokens in uxauth.ini control which trusted domains UNAB will query within the registered domain. To have UNAB only query the registered domain, set `ignore_domain_list` to `all`. To have UNAB query specific domains, add them to `lookup_domain_list` as a comma-separated list.
```
; Specifies the Active Directory domains supposed to have bidirectional
; with registration domain.
; Options are: none - UNAB will automatically query trusted domains,
; or a comma separated list of trusted domains.
; Default value: none
lookup_domain_list = none
; Specifies the Active Directory domains that UNAB ignores (not counting the
; registration domain) when it queries users and groups. This token applies
; to all types of domains, including domains with one-way trust relationships.
; Options are: none - query current and all trusted domains, all - do not query
; trusted domains, or a comma separated list of domains to ignore.
; Default value: none
ignore_domain_list = none
```
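To confirm the change took effect, the following added check (not part of the original article or the vendor's tooling) reads `uxconsole -status -detail` output and prints any `Trusted domain` entry that is not on an expected list. The function names are hypothetical, and it assumes the `Trusted domain - <name>` lines reflect the domains UNAB queries, as in the output shown earlier.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.
# Real use:  uxconsole -status -detail | unexpected_domains "unab.domain.com"

# Print one trusted domain per line from uxconsole status output on stdin.
trusted_domains() {
    sed -n 's/^[[:space:]]*Trusted domain[[:space:]]*-[[:space:]]*//p' |
        sed 's/[[:space:]]*$//'
}

# unexpected_domains "dom1,dom2"
# Print trusted domains from stdin that are not in the comma-separated
# allow list. An empty list flags every trusted domain, which is the
# expectation when only the registration domain should be queried.
unexpected_domains() {
    allowed=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ')
    trusted_domains | tr 'A-Z' 'a-z' | while IFS= read -r d; do
        case ",$allowed," in
            *",$d,"*) ;;                  # on the allow list
            *) printf '%s\n' "$d" ;;      # still being queried, not expected
        esac
    done
}

# Constructed sample: a trimmed copy of the status output shown above.
sample_status() {
cat <<'EOF'
Registration domain - domain.com
DCs - domaindc1, domaindc2, domaindc3
Trusted domain - unab.domain.com
DCs - unabdc1, unabdc2, unabdc3
Trusted domain - pim.domain.com
DCs - pimdc1
UNAB mode - full integration
EOF
}
```

Empty output from `unexpected_domains` means every trusted domain listed in the status output is on the expected list.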