Streamlining LDAP Authentication in Harvest
search cancel

Streamlining LDAP Authentication in Harvest


Article ID: 55234


Updated On:


CA Harvest Software Change Manager - OpenMake Meister CA Harvest Software Change Manager


My LDAP authentications are taking 90 seconds each or more. This is causing a huge problem with Harvest's performance. We need to make this as efficient as possible.

The solution below describes how refining ldapbasedn and ldapfilter parameters can improve the efficiency of the LDAP queries.

NOTE: LDAP stands for Lightweight Directory Access Protocol. It is a set of standards by which end-user applications and user authentication servers (such as Microsoft's Active Directory) can communicate and share information. Lightweight Directory Access Protocol provides a good overview of LDAP, including links to sites with more information.


CA Harvest Software Change Manager all versions and platforms


You can significantly impact the efficiency of your LDAP queries by refining your ldapbasedn and ldapfilter parameters. Here's how:

ldapfilter: By creating more complexity in the filter you write, you can 'rule out' records in the directory that don't need to be searched.

  • '(&(condition-A...)(condition-B...))' means that both condition-A and condition-B must be true for a record to make it through the filter.

  • '(|(condition-A...)(condition-B...))' means that either condition-A or condition-B must be true for a record to make it through the filter

  • '(!(condition-A))' means that condition-A must not be true for a record to make it through the filter

ldapbasedn: By specifying multiple basedn's, you can 'rule out' big chunks of your directory and zero in on the sections you need to search. You can specify multiple basedn's by separating each one with a ';' (semicolon) within the ldapbasedn string. An example would look like this:

  • ldapbasedn="ou=users,ou= example region,dc=example company,dc=com;ou=users,ou=example department,dc=example company,dc=com;ou=users,ou=example department 2,dc=example company,dc=com;ou=users,ou=example department 3,dc=example company,dc=com;ou=users,ou=example department 4,dc=example company,dc=com"

To do this properly, you need the help of your LDAP administrators to create filters and ldapbasedns that specifically target what you're looking for. Because each company can structure LDAP differently, a generic solution cannot be designed that would provide the level of detail you need. Your filters and basedn's must be tailored to your unique LDAP database to work most efficiently.

Using the debugging options in the HAUTHTST command line utility can help detect performance problems in the openLDAP layer.