A Policy Server shows performance problems: authentication and authorization are slow when the User Directory is an LDAP directory such as Active Directory.
The Policy Server profiler traces show intermittent errors such as:
[SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '12' during search: 'error: Unavailable critical extension extended error: 000020EF: SvcErr: DSID-031405D3, problem 5010 (UNAVAIL_EXTENSION), data 0
' Search Query = '(&(displayName=mar*)(|(objectclass=inetOrgPerson)(objectclass=organizationalPerson)(objectclass=person)))' for server '10.0.0.1:636'
[SmDsLdapConnMgr.cpp:1710][ERROR][sm-Ldap-01450] Failure executing the server-side sorting LDAP control
[LogMessage:ERROR:[sm-Ldap-02230] Error# '10' during search: 'error: Referral received extended error: 0000202B: RefErr: DSID-0310075F, data 0, 1 access points ref 1: 'PBMDNSPartition.Corp.CVSCaremark.com'' Search Query = '(&(&(|(objectcategory=inetOrgPerson)(objectcategory=organizationalPerson)(objectcategory=person))(employeeID=2081035))(objectclass=*))' for server 'server.example.com:389'][12:02:34][SmDsLdapConnMgr.cpp:1200][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
These errors are typically tied to LDAP referral processing.
How can LDAP referrals be fully disabled on the Policy Server using the EnableEnhancedReferrals and EnableReferrals registry settings?
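Before changing anything, it helps to confirm that the errors really are referral-related and to see where the referrals point. The following is an added triage example, not part of the original article or of the product: it parses profiler lines for sm-Ldap-02230 errors, extracts the referral target and the configured server, times name resolution of each referral target (the cost Note 1 below describes), and checks whether the configured server listens on the Global Catalog port 3268 (Note 2 below). The two sample lines are constructed from the trace excerpt above with the referral host replaced by a hypothetical dc-partition.example.com; the LDAP result codes 10 (referral) and 12 (unavailableCriticalExtension) are standard LDAP codes.

```powershell
# Added triage example (not from the original article). Sample profiler
# lines constructed from the excerpt above; hostnames are hypothetical.
$sample = @'
[SmDsLdapConnMgr.cpp:1201][ERROR][sm-Ldap-02230] Error# '12' during search: 'error: Unavailable critical extension extended error: 000020EF: SvcErr: DSID-031405D3, problem 5010 (UNAVAIL_EXTENSION), data 0' Search Query = '(&(displayName=mar*)(objectclass=person))' for server '10.0.0.1:636'
[LogMessage:ERROR:[sm-Ldap-02230] Error# '10' during search: 'error: Referral received extended error: 0000202B: RefErr: DSID-0310075F, data 0, 1 access points ref 1: 'dc-partition.example.com'' Search Query = '(&(employeeID=2081035)(objectclass=*))' for server 'server.example.com:389'][12:02:34]
'@

function Get-LdapReferralErrors {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Only sm-Ldap-02230 search errors carry the LDAP result code we need
        if ($line -notmatch "sm-Ldap-02230\] Error# '(?<code>\d+)'") { continue }
        $code = [int]$Matches.code
        $kind = switch ($code) {
            10      { 'Referral' }                      # LDAP referral(10)
            12      { 'UnavailableCriticalExtension' }  # e.g. server-side sort control
            default { 'Other' }
        }
        $entry = [pscustomobject]@{ Code = $code; Kind = $kind; Referral = $null; Server = $null; Query = $null }
        if ($line -match "access points ref \d+: '(?<host>[^']+)'") { $entry.Referral = $Matches.host }
        if ($line -match "for server '(?<srv>[^']+)'")             { $entry.Server   = $Matches.srv }
        if ($line -match "Search Query = '(?<q>.+?)' for server")   { $entry.Query    = $Matches.q }
        $entry
    }
}

function Measure-ReferralResolution {
    # Approximates the DNS lookup the LDAP SDK performs on a referral target
    # even when it does not follow the referral (the SDK's own resolver may differ)
    param([string]$HostName)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object IPAddressToString
        $ok = $true
    } catch {
        $addrs = @(); $ok = $false
    }
    $sw.Stop()
    [pscustomobject]@{ Host = $HostName; Resolved = $ok; Addresses = ($addrs -join ','); Milliseconds = $sw.ElapsedMilliseconds }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        $open = $task.Wait($TimeoutMs) -and $client.Connected
    } catch {
        $open = $false
    } finally {
        $client.Dispose()
    }
    return [bool]$open
}

$entries = Get-LdapReferralErrors -Lines ($sample -split "`r?`n" | Where-Object { $_.Trim() })
$entries | Format-Table Code, Kind, Server, Referral -AutoSize

# Name resolution cost per referral target (slow or failing DNS stalls the search)
$entries | Where-Object Referral | ForEach-Object { Measure-ReferralResolution -HostName $_.Referral } | Format-Table -AutoSize

# Is each configured server also reachable on the Global Catalog port 3268?
$entries | ForEach-Object { ($_.Server -split ':')[0] } | Sort-Object -Unique | ForEach-Object {
    [pscustomobject]@{ Server = $_; GcPort3268Open = Test-TcpPort -HostName $_ -Port 3268 }
} | Format-Table -AutoSize
```

Run it against the real profiler log by replacing the $sample here-string with Get-Content of the trace file. A referral target that takes seconds to resolve, or does not resolve at all, is exactly the delay Note 1 warns about, and a configured server that answers on 3268 is a candidate for the Global Catalog change in Note 2.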
An LDAP referral is a reference to an alternate location where an LDAP request can be processed.
The referral may point at another partition of the same directory or at a different LDAP server, so that the request can still be fulfilled.
But there are situations where referrals cause problems:
Latency is introduced if the referral sends the request to a distant server.
Troubleshooting becomes harder, because the Policy Server logs may not show that a referral occurred or where the time was spent.
Connection handling suffers: the Policy Server keeps a persistent connection to the configured User Directory, but no such persistent connection exists to a directory reached through a referral, so following one may require a new connection each time.
To disable referrals on the Policy Server, set two values under this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider
EnableEnhancedReferrals = 1 (REG_DWORD)
EnableReferrals = 0 (REG_DWORD)
How they work:
EnableEnhancedReferrals controls which component handles referrals.
0 (disabled): all referral processing is done by the LDAP SDK.
1 (enabled): the Policy Server handles referral processing instead of the LDAP SDK.
EnableReferrals controls whether referrals are processed at all.
0 (disabled): the Policy Server does not process referrals; see Note 1 for what the LDAP SDK may still do.
1 (enabled): the Policy Server processes and follows referrals according to the EnableEnhancedReferrals setting.
Note 1:
If EnableEnhancedReferrals is 0, the LDAP SDK still processes referrals even when EnableReferrals is also 0: it does not follow them, but it still resolves the host name in the referral.
If that DNS resolution is slow or fails, the search stalls for the duration of the lookup, and depending on the exact referral there may be further processing as well.
Setting EnableEnhancedReferrals to 1 removes the LDAP SDK from referral handling and leaves referrals to the Policy Server alone.
With EnableReferrals set to 0 on top of that, neither the Policy Server nor the LDAP SDK does anything with referrals, which is what fully disables them.
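The following is an added example, not from the original article or from the product, that applies the two values described above and verifies both conditions of a fully disabled configuration. It assumes the registry key from the article already exists on the host (it is created by the Policy Server install), that the script runs in an elevated PowerShell on the Policy Server host, and that the Windows service display name contains "Policy Server"; that last name is an assumption to confirm with Get-Service before restarting anything in production.

```powershell
# Added example (not from the original article): set and verify the two
# referral settings. Run elevated on the Policy Server host; restart the
# Policy Server afterwards so it re-reads the registry.
$KeyPath = 'HKLM:\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider'
$Names   = 'EnableEnhancedReferrals', 'EnableReferrals'
# Fully disabled: Policy Server owns referral handling (1) and does not
# follow referrals (0), so the LDAP SDK never touches referral targets either.
$Desired = @{ EnableEnhancedReferrals = 1; EnableReferrals = 0 }

function Get-ReferralSettings {
    param([string]$Path = $KeyPath)
    $item = Get-ItemProperty -Path $Path -ErrorAction Stop
    $out = [ordered]@{}
    foreach ($n in $Names) {
        # A missing value is reported as $null (the Policy Server then uses its default)
        $out[$n] = if ($null -ne $item.$n) { [int]$item.$n } else { $null }
    }
    [pscustomobject]$out
}

function Set-ReferralSettings {
    param([string]$Path = $KeyPath, [hashtable]$Values = $Desired)
    if (-not (Test-Path $Path)) {
        throw "Registry key $Path not found; is this a Policy Server host?"
    }
    $before = Get-ReferralSettings -Path $Path
    foreach ($n in $Values.Keys) {
        # REG_DWORD as in the article; -Force overwrites an existing value
        New-ItemProperty -Path $Path -Name $n -Value $Values[$n] -PropertyType DWord -Force | Out-Null
    }
    $after = Get-ReferralSettings -Path $Path
    foreach ($n in $Values.Keys) {
        if ($after.$n -ne $Values[$n]) { throw "Value $n did not take effect (got '$($after.$n)')" }
    }
    [pscustomobject]@{ Before = $before; After = $after }
}

function Test-ReferralsDisabled {
    param([string]$Path = $KeyPath)
    $s = Get-ReferralSettings -Path $Path
    # Both are required: EnableReferrals=0 alone still lets the LDAP SDK
    # resolve referral hosts (Note 1 above)
    return ($s.EnableEnhancedReferrals -eq 1 -and $s.EnableReferrals -eq 0)
}

$result = Set-ReferralSettings
'Before:'; $result.Before | Format-List
'After:';  $result.After  | Format-List
if (Test-ReferralsDisabled) {
    Write-Host 'Referrals fully disabled; restart the Policy Server service to apply.'
    # Assumption: the service display name contains "Policy Server"; verify first.
    Get-Service -DisplayName '*Policy Server*' -ErrorAction SilentlyContinue | Format-Table Name, Status
}
```

Test-ReferralsDisabled is deliberately strict: a host with only EnableReferrals=0 fails the check, because that configuration still leaves the LDAP SDK resolving referral hosts.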
Note 2:
If the Policy Server has to contact Active Directory, point the User Directory at the Global Catalog, which listens on port 3268 (3269 for LDAPS), rather than at a domain controller on 389/636. The Global Catalog holds a copy of every object in the forest, so searches sent there are answered without Active Directory instructing the Policy Server to follow referrals to other domain partitions.
Two caveats apply: the Global Catalog carries only the partial attribute set, so attributes not replicated to it cannot be searched or read there, and it is read-only, so writes such as password changes still need a domain controller connection on 389/636.