We are wondering what the implications might be when setting the "maximum nesting" value, and what the best practices might be to keep it performing optimally.
This article will clarify the implications of the "maximum nesting" setting in the API Gateway, and will give an overview of best practices for scaling it for the environment.
LDAP group nesting allows additional groups to be placed within a group, so that a user can be a member of a lower-level group. An example of this is a group called Administrators which contains a group called NA Admins, and the NA Admins group in turn contains a user called jsmith.
This nesting can be quite a few levels deep and can encompass users that traverse domains, organizational unit (OU) structure, and forests.
By default the Maximum Nesting setting is 0, which means the Gateway will follow all sub-groups and all of their users until it has a complete membership list. Naturally, LDAP group nesting can have an effect on the performance of LDAP queries: the more levels there are to search through, the more time the search takes, and the longer the request to the API Gateway takes to complete. Under very heavy traffic loads, this may work against performance for your users.
Other possible values:
Value: 1 - the Gateway checks only the group itself and no sub-groups.
Value: 2 - the Gateway checks the group and one level of sub-groups.
Value: 3 - the Gateway checks the group and two levels of sub-groups.
This article relates to all API Gateway versions which have the "maximum nesting" setting available in an LDAP Identity Provider.
For large LDAP implementations, the number of group levels the Gateway has to traverse and the number of users in those groups can adversely affect authentication times, both for the Policy Manager and for message traffic.
Another issue that may occur is that sub-groups, or users of the sub-groups, may belong to other domains or forests that the query user configured in the LDAP Identity Provider cannot access, or the referral to those other environments may fail due to invalid or missing DNS entries.
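To make the value semantics above and the referral problem concrete, here is an added example (not Gateway code) that simulates nested group resolution over a small constructed in-memory directory; the group and user DNs, the dc=example/dc=other suffixes and the hypothetical EU/NA DB/APAC groups are assumptions. It shows how each Maximum Nesting value changes the resolved user set and the number of group lookups, stops on a nesting cycle, and reports a sub-group that cannot be resolved because it lives in an unreachable forest.

```python
# Constructed in-memory directory (group DN -> member DNs). It reproduces the page's
# example (Administrators contains NA Admins, which contains jsmith) plus hypothetical
# groups that add deeper nesting, a cycle, and an unreachable cross-forest referral.
DIRECTORY: dict[str, list[str]] = {
    "cn=Administrators,ou=Groups,dc=example,dc=com": [
        "cn=NA Admins,ou=Groups,dc=example,dc=com",
        "cn=EU Admins,ou=Groups,dc=example,dc=com",
    ],
    "cn=NA Admins,ou=Groups,dc=example,dc=com": [
        "uid=jsmith,ou=Users,dc=example,dc=com",
        "cn=NA DB Admins,ou=Groups,dc=example,dc=com",
    ],
    "cn=NA DB Admins,ou=Groups,dc=example,dc=com": [
        "uid=dbadmin,ou=Users,dc=example,dc=com",
        "cn=Administrators,ou=Groups,dc=example,dc=com",  # nesting cycle back to the root
    ],
    "cn=EU Admins,ou=Groups,dc=example,dc=com": [
        "uid=afischer,ou=Users,dc=example,dc=com",
        "cn=APAC Admins,ou=Groups,dc=other,dc=com",  # forest the query user cannot reach
    ],
}
ROOT = "cn=Administrators,ou=Groups,dc=example,dc=com"


def resolve_members(group_dn: str, max_nesting: int) -> tuple[set[str], int, list[str]]:
    """Return (users, group lookups performed, unresolved group DNs).
    max_nesting follows the page: 0 = follow all sub-groups, 1 = the group only,
    2 = the group plus one level of sub-groups, 3 = plus two levels, and so on."""
    users: set[str] = set()
    unresolved: list[str] = []
    visited: set[str] = set()
    lookups = 0

    def walk(dn: str, level: int) -> None:
        nonlocal lookups
        if dn in visited:  # stop on cycles instead of querying the same group again
            return
        visited.add(dn)
        lookups += 1  # one directory query per group that is actually read
        members = DIRECTORY.get(dn)
        if members is None:  # referral to another domain/forest that cannot be followed
            unresolved.append(dn)
            return
        for member in members:
            if not member.lower().startswith("cn="):  # a user entry, not a group
                users.add(member)
            elif max_nesting == 0 or level < max_nesting:
                walk(member, level + 1)
    walk(group_dn, 1)
    return users, lookups, unresolved
```

Running it with values 1, 2, 3 and 0 shows the membership growing with the nesting depth, the lookup count (and hence query time) growing with it, and the unreachable APAC group only surfacing once the traversal is deep enough to touch it.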