The Best Practices and Implications of the "Maximum Nesting" setting in the LDAP Identity Provider on Group Membership and Performance.

Article ID: 42905

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

We are wondering what the implications might be when setting the "maximum nesting" value, and what the best practices might be to keep it performing optimally.

This article will clarify the implications of the "maximum nesting" setting in the API Gateway, and will give an overview of best practices for scaling it for the environment.

Background

LDAP group nesting allows groups to be placed within other groups, and a user can be a member of the lower-level group. For example, a group called Administrators contains a group called NA Admins, and the NA Admins group contains a user called jsmith.

This nesting can be several levels deep and can span domains, organizational unit (OU) structures, and forests.

By default the Maximum Nesting setting is 0, which means the Gateway follows all sub-groups and all of their users until it has a complete list. LDAP group nesting naturally affects the performance of LDAP queries: the more levels there are to search through, the longer the query takes, and the longer the request to the API Gateway takes to complete. Under very heavy traffic loads this can work against performance for your users.

<Please see attached file for image>


Optional settings:
Value: 1 - Gateway will only check the group and no sub-level groups.
Value: 2 - Gateway will check the group and one sub-level group.
Value: 3 - Gateway will check the group and two sub-level groups.

Environment

This article relates to all API Gateway versions which have the "maximum nesting" setting available in an LDAP Identity Provider.

Cause

Implications

For large LDAP implementations, the number of levels within the group that the Gateway has to traverse, and the number of users in those groups, can adversely affect authentication times for the Policy Manager and for message traffic.

Another issue that may occur is that sub-groups, or users of the sub-groups, may belong to other domains or forests that the query user used by the LDAP Identity Provider does not have access to, or the referral to those other environments may fail due to invalid or missing DNS entries.

Resolution

Recommendations

  • Limit the number of sub-groups being traversed by setting the Maximum nesting value to either 1 or 2, and never higher than the deepest level of nested groups on the LDAP server that look-ups from the API Gateway will ever need to follow.
  • Raise the Cache maximum age value to 5-10 minutes to limit how often the Gateway polls the server to get the group members.
  • Cluster Wide Properties that will need to be changed to handle larger implementations:
    • ldap.group.searchMaxResults is the maximum number of results to return in an LDAP group membership search. By default, this setting uses the value from the ldap.searchMaxResults property. Enter a different value if you do not want the two values to be the same. Default: (ldap.searchMaxResults setting)
    • ldap.searchMaxResults is the maximum number of results to return in an LDAP Identity Provider search. Default: 50
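The following is an added example, not code from the article or from the API Gateway product, that models the two limits discussed above (the Maximum Nesting values in the Background section and the searchMaxResults properties in these recommendations) against a small constructed in-memory directory. All DNs are hypothetical, and the behaviour on a cycle and on an unreachable cross-forest group is an assumption about a sensible implementation, not a description of the Gateway's internals. It shows, for the same group, how many lookups each nesting value costs, which members are silently lost when the nesting limit or result cap is too low, and why a group referenced in another forest can leave a membership list incomplete.

```python
"""Bounded nested-group resolution, modelled on the Maximum Nesting semantics
the article describes: 0 follows every sub-group, N >= 1 checks the group plus
N-1 sub-levels. Added example with a constructed directory; DNs are hypothetical."""
from collections import deque

ADMINS = "cn=Administrators,ou=Groups,dc=example,dc=com"
NA_ADMINS = "cn=NA Admins,ou=Groups,dc=example,dc=com"
NA_DBA = "cn=NA DB Admins,ou=Groups,dc=example,dc=com"
EMEA_ADMINS = "cn=EMEA Admins,ou=Groups,dc=example,dc=com"
EMEA_OPS = "cn=EMEA Ops,ou=Groups,dc=emea,dc=corp"   # other forest, unreachable
U = "ou=Users,dc=example,dc=com"

# Constructed in-memory stand-in for what the query user can read from LDAP.
# EMEA_OPS is referenced but absent: the referral to the other forest fails.
DIRECTORY = {
    ADMINS:      {"objectClass": "group", "member": [NA_ADMINS, EMEA_ADMINS, f"cn=root,{U}"]},
    NA_ADMINS:   {"objectClass": "group", "member": [f"cn=jsmith,{U}", NA_DBA]},
    NA_DBA:      {"objectClass": "group", "member": [f"cn=dba1,{U}", ADMINS]},  # cycle
    EMEA_ADMINS: {"objectClass": "group", "member": [EMEA_OPS, f"cn=mmueller,{U}"]},
    f"cn=root,{U}": {"objectClass": "user"},
    f"cn=jsmith,{U}": {"objectClass": "user"},
    f"cn=dba1,{U}": {"objectClass": "user"},
    f"cn=mmueller,{U}": {"objectClass": "user"},
}


def resolve_members(directory, group_dn, max_nesting=0, search_max_results=50):
    """Expand group_dn to user DNs under the two limits the article discusses.

    max_nesting        0 = unlimited; N = the group itself plus N-1 sub-levels
    search_max_results members returned per group lookup (ldap.group.searchMaxResults)
    Returns a dict with the users found, the DNs left unresolved (sub-groups past
    the nesting limit or entries the directory did not return), the groups whose
    member list was cut off by the result cap, and the number of lookups issued.
    """
    users, unresolved, truncated, visited = set(), set(), set(), set()
    lookups = 0
    queue = deque([(group_dn, 1)])        # breadth-first; level 1 is the group itself
    while queue:
        dn, level = queue.popleft()
        if dn in visited:
            continue                      # cycle guard (NA DB Admins -> Administrators)
        visited.add(dn)
        lookups += 1
        entry = directory.get(dn)
        if entry is None:
            unresolved.add(dn)            # cross-domain referral failed
            continue
        members = entry.get("member", [])
        if len(members) > search_max_results:
            truncated.add(dn)             # members silently lost: raise the property
            members = members[:search_max_results]
        for member in members:
            target = directory.get(member)
            if target is not None and target["objectClass"] == "user":
                users.add(member)
            elif max_nesting == 0 or level < max_nesting:
                queue.append((member, level + 1))
            else:
                unresolved.add(member)    # sub-group beyond Maximum Nesting
    return {"users": users, "unresolved": unresolved,
            "truncated": truncated, "lookups": lookups}


if __name__ == "__main__":
    for n in (0, 1, 2):
        r = resolve_members(DIRECTORY, ADMINS, max_nesting=n)
        print(f"max_nesting={n}: {len(r['users'])} users, {r['lookups']} lookups, "
              f"unresolved={sorted(r['unresolved'])}")
    r = resolve_members(DIRECTORY, ADMINS, max_nesting=1, search_max_results=2)
    print(f"cap=2: truncated={sorted(r['truncated'])}, users={sorted(r['users'])}")
```

Run stand-alone, the script shows that Maximum Nesting 1 resolves Administrators with a single lookup but drops every nested user, 2 reaches jsmith and mmueller in three lookups while leaving the deeper NA DB Admins unexpanded, and 0 costs five lookups (the cycle is visited once) and still cannot resolve EMEA Ops. A lowered result cap shows the other failure mode: the member list of Administrators is cut off and root never appears, which is the symptom that raising ldap.group.searchMaxResults addresses.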

Attachments

1558722904144000042905_sktwi1f5rjvs16wnh.jpeg