grouper-users - RE: [grouper-users] LDAP Subject Search performance

Subject: Grouper Users - Open Discussion List

RE: [grouper-users] LDAP Subject Search performance


  • From: "Klug, Lawrence" <>
  • To: Tom Zeller <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] LDAP Subject Search performance
  • Date: Fri, 9 Sep 2011 12:03:29 -0700
  • Accept-language: en-US

Hi Tom,

Confirmed that uclaPPID, uclaLogonID, and edupersonprincipalname are indexed
on the LDAP server. We have about 1.4 million records.

Some queries are fast (an uncommon name) - it depends on the search
criteria - some queries (substrings) can take up to nine minutes. Large
result sets (search on "smith") are also slow.

The drill-down to detail is very fast.

Thanks for the link to vt-ldap config example - I'll give it a try.

Lawrence

-----Original Message-----
From:


[mailto:]
On Behalf Of Tom Zeller
Sent: Friday, September 09, 2011 11:37 AM
To: Klug, Lawrence
Cc:

Subject: Re: [grouper-users] LDAP Subject Search performance

And your LDAP server has the appropriate indices (indexes) for uclaPPID,
uclaLogonID, and edupersonprincipalname?

And when you mean slow, do you mean any one search is slow or there are lots
of quick searches which result in overall slowness?

(I am, coincidentally, looking at caching parameters for subject searches)

On Fri, Sep 9, 2011 at 1:29 PM, Klug, Lawrence
<>
wrote:
>  Here is the sanitized LDAP section from our sources.xml:
>
> <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter">
>    <id>ldap</id>
>    <name>ED Source Adapter</name>
>    <type>person</type>
>    <init-param>
>      <param-name>INITIAL_CONTEXT_FACTORY</param-name>
>      <param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>
>    </init-param>
>    <init-param>
>      <param-name>PROVIDER_URL</param-name>
>      <param-value>hostname-omitted</param-value>
>    </init-param>
>    <init-param>
>      <param-name>SECURITY_AUTHENTICATION</param-name>
>      <param-value>simple</param-value>
>    </init-param>
>    <init-param>
>      <param-name>SECURITY_PRINCIPAL</param-name>
>      <param-value>security-principal-omitted</param-value>
>    </init-param>
>    <init-param>
>      <param-name>SECURITY_CREDENTIALS</param-name>
>      <param-value>password-omitted</param-value>
>    </init-param>
>     <init-param>
>      <param-name>SubjectID_AttributeType</param-name>
>      <param-value>uclaPPID</param-value>
>    </init-param>
>    <init-param>
>      <param-name>Name_AttributeType</param-name>
>      <param-value>cn</param-value>
>    </init-param>
>    <init-param>
>      <param-name>Description_AttributeType</param-name>
>      <param-value>displayName</param-value>
>    </init-param>
>
>    /// Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
>    /// For filter use
>
>    <search>
>        <searchType>searchSubject</searchType>
>        <param>
>            <param-name>filter</param-name>
>            <param-value>
>                 (&amp; (uclaPPID=%TERM%)(objectclass=person))
>            </param-value>
>        </param>
>        <param>
>            <param-name>scope</param-name>
>            <param-value>
>                SUBTREE_SCOPE
>            </param-value>
>        </param>
>        <param>
>            <param-name>base</param-name>
>            <param-value>
>               ou=people,dc=edtest,dc=ucla,dc=edu
>            </param-value>
>        </param>
>
>    </search>
>    <search>
>        <searchType>searchSubjectByIdentifier</searchType>
>        <param>
>            <param-name>filter</param-name>
>            <param-value>
>                (&amp;(|(uclaPPID=%TERM%)(uclaLogonID=%TERM%)(edupersonprincipalname=%TERM%))(objectClass=person))
>            </param-value>
>        </param>
>        <param>
>            <param-name>scope</param-name>
>            <param-value>
>                SUBTREE_SCOPE
>            </param-value>
>        </param>
>        <param>
>            <param-name>base</param-name>
>            <param-value>
>                ou=people,dc=edtest,dc=ucla,dc=edu
>            </param-value>
>        </param>
>    </search>
>
>    <search>
>       <searchType>search</searchType>
>         <param>
>            <param-name>filter</param-name>
>            <param-value>
>                (&amp;(|(cn=*%TERM%*)(uclaLogonID=%TERM%)(uclaPPID=%TERM%))(objectClass=person))
>            </param-value>
>        </param>
>        <param>
>            <param-name>scope</param-name>
>            <param-value>
>                SUBTREE_SCOPE
>            </param-value>
>        </param>
>         <param>
>            <param-name>base</param-name>
>            <param-value>
>                ou=people,dc=edtest,dc=ucla,dc=edu
>            </param-value>
>        </param>
>    </search>
>    <init-param>
>      <param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>
>      <param-value>${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uclaPPID'), "")}</param-value>
>    </init-param>
>    <init-param>
>      <param-name>sortAttribute0</param-name>
>      <param-value>cn</param-value>
>    </init-param>
>    <init-param>
>      <param-name>searchAttribute0</param-name>
>      <param-value>searchAttribute0</param-value>
>    </init-param>
>    <internal-attribute>searchAttribute0</internal-attribute>
>
>    ///Attributes you would like to display when doing a search
>
>    <attribute>cn</attribute>
>    <attribute>sn</attribute>
>    <attribute>displayname</attribute>
>    <attribute>uclalogonid</attribute>
>    <attribute>edupersonprincipalname</attribute>
>    <attribute>uclauniversityid</attribute>
>    <attribute>edupersonaffiliation</attribute>
>
>  </source>
>
> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of Tom
> Zeller
> Sent: Friday, September 09, 2011 11:12 AM
> To: Klug, Lawrence
> Cc:
>
> Subject: Re: [grouper-users] LDAP Subject Search performance
>
> The UW vt-ldap based ldap source adapter has connection pooling which may
> help you, and is included (in subject.jar) in recent grouper releases.
>
> Example configurations for this source adapter are available via
>
>  
> http://anonsvn.internet2.edu/svn/i2mi/tags/GROUPER_2_0_0/subject/conf/
>
> We probably should include ldap.properties.example and
> ldap.sources.xml.example in the api distribution.
>
> You may wish to post the relevant section of your sources.xml file
> including your ldap search filters,  for us to take a look at.
>
> On Fri, Sep 9, 2011 at 12:52 PM, Klug, Lawrence
> <>
> wrote:
>> Tom,
>>
>> I'm using the original JNDI/LDAP source adapter:
>>
>>  <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter">
>>
>> Thanks,
>>
>> Lawrence
>>
>> -----Original Message-----
>> From:
>>
>>
>> [mailto:]
>> On Behalf Of Tom
>> Zeller
>> Sent: Friday, September 09, 2011 10:46 AM
>> To: Klug, Lawrence
>> Cc:
>>
>> Subject: Re: [grouper-users] LDAP Subject Search performance
>>
>> In sources.xml, are you using the original JNDI/LDAP source adapter
>>
>>  <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter">
>>
>> or the vt-ldap based UW LDAP source adapter
>>
>>  <source adapterClass="edu.internet2.middleware.subject.provider.LdapSourceAdapter">
>>
>> ?
>>
>> On Fri, Sep 9, 2011 at 12:21 PM, Klug, Lawrence
>> <>
>> wrote:
>>> Some of our LDAP Subject Searches are taking a long time.  Is there
>>> a way to tune these queries in the Source configuration?
>>>
>>>
>>>
>>> Thanks,
>>>
>>>
>>>
>>> Lawrence
>>
>
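
An added example, not part of the original thread or of Grouper: a small Python audit that reads the three `<search>` filters from the quoted sources.xml and classifies each term by match type, to show which search path depends on substring matching rather than equality matching. The function names (`match_type`, `audit`, `needs_substring_index`) are hypothetical, and the XML is a constructed excerpt of the posted configuration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the three <search> filters from the quoted sources.xml,
# with the mail client's line wrapping undone (other elements omitted).
SOURCES_XML = """
<source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter">
 <search><searchType>searchSubject</searchType><param><param-name>filter</param-name>
  <param-value>(&amp; (uclaPPID=%TERM%)(objectclass=person))</param-value></param></search>
 <search><searchType>searchSubjectByIdentifier</searchType><param><param-name>filter</param-name>
  <param-value>(&amp;(|(uclaPPID=%TERM%)(uclaLogonID=%TERM%)(edupersonprincipalname=%TERM%))(objectClass=person))</param-value></param></search>
 <search><searchType>search</searchType><param><param-name>filter</param-name>
  <param-value>(&amp;(|(cn=*%TERM%*)(uclaLogonID=%TERM%)(uclaPPID=%TERM%))(objectClass=person))</param-value></param></search>
</source>
"""

# One simple filter item "(attr=value)"; the value contains no parentheses.
ITEM = re.compile(r"\(\s*([A-Za-z][\w.;-]*)\s*=\s*([^()]*)\)")

def match_type(value):
    """Classify the assertion; this decides which kind of index can serve it."""
    if value == "*":
        return "presence"
    if "*" not in value:
        return "equality"
    if value.startswith("*"):
        return "substring-any"      # leading wildcard, e.g. *%TERM%*
    return "substring-initial"      # prefix match, e.g. %TERM%*

def audit(xml_text):
    """Return {searchType: [(attribute, match_type), ...]} for each <search>."""
    report = {}
    for search in ET.fromstring(xml_text).iter("search"):
        stype = search.findtext("searchType").strip()
        for param in search.iter("param"):
            if param.findtext("param-name").strip() == "filter":
                flt = param.findtext("param-value").strip()
                report[stype] = [(a.lower(), match_type(v.strip()))
                                 for a, v in ITEM.findall(flt)]
    return report

def needs_substring_index(report):
    """Attributes, per searchType, that are matched by substring."""
    return {s: sorted({a for a, m in items if m.startswith("substring")})
            for s, items in report.items()}

if __name__ == "__main__":
    for stype, attrs in needs_substring_index(audit(SOURCES_XML)).items():
        print(stype, "->", attrs or "equality only")
```

Only the `search` filter contains a substring term, `cn=*%TERM%*`; an equality index does not serve a substring assertion, so that term needs a substring index on `cn`.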


