Please consider the following limitations and recommendations when connecting to an LDAP user directory.
Optimal Number of Users and Groups in your LDAP Directory
The connection to your LDAP directory provides powerful and flexible support for connecting to, configuring and managing LDAP directory servers. To achieve optimal performance, a background synchronisation task loads the required users and groups from the LDAP server into the application's database, and periodically fetches updates from the LDAP server to keep the data in step. The amount of time needed to copy the users and groups rises with the number of users, groups, and group memberships. For that reason, we recommended a maximum number of users and groups as described below.
This recommendation affects connections to LDAP directories:
- Microsoft Active Directory
- All other LDAP directory servers
The following LDAP configurations are not affected:
- Internal directories with LDAP authentication
- LDAP directories configured for 'Authentication Only, Copy User On First Login'
Please choose one of the following solutions, depending on the number of users, groups and memberships in your LDAP directory.
Your environment |
Recommendation |
Up to 10 000 (ten thousand) users, 1000 (one thousand) groups, and 20 (twenty) groups per user |
Choose the 'LDAP' or 'Microsoft Active Directory' directory type. You can make use of the full synchronisation option. Your application's database will contain all the users and groups that are in your LDAP server. |
More than the above |
Use LDAP filters to reduce the number of users and groups visible to the synchronisation task. |
Our Test Results
We performed internal testing of synchronisation with an AD server on our local network consisting of 10 000 users, 1000 groups and 200 000 memberships.
We found that the initial synchronisation took about 5 minutes. Subsequent synchronisations with 100 modifications on the AD server took a couple of seconds to complete.
Please keep in mind that a number of factors come into play when trying to tune the performance of the synchronisation process, including:
- Size of userbase. Use LDAP filters to keep this to the minimum that suits your requirements.
- Type of LDAP server. We currently support change detection in AD, so subsequent synchronisations are much faster for AD than for other LDAP servers.
- Network topology. The further away your LDAP server is from your application server, the more latent LDAP queries will be.
- Database performance. As the synchronisation process caches data in the database, the performance of your database will affect the performance of the synchronisation.
- JVM heap size. If your heap size is too small for your userbase, you may experience heavy garbage collection during the synchronisation process which could in turn slow down the synchronisation.
Redundant LDAP is Not Supported
The LDAP connections do not support the configuration of two or more LDAP servers for redundancy (automated failover if one of the servers goes down).
Specific Notes for Connecting to Active Directory
When the application synchronises with Active Directory (AD), the synchronisation task requests only the changes from the LDAP server rather than the entire user base. This optimises the synchronisation process and gives much faster performance on the second and subsequent requests.
On the other hand, this synchronisation method results in a few limitations:
- Externally moving objects out of scope or renaming objects causes problems in AD. If you move objects out of scope in AD, this will result in an inconsistent cache. We recommend that you do not use the external LDAP directory interface to move objects out of the scope of the sub-tree, as defined on the application's directory configuration screen. If you do need to make structural changes to your LDAP directory, manually synchronise the directory cache after you have made the changes to ensure cache consistency.
- Synchronising between AD servers is not supported. Microsoft Active Directory does not replicate the uSNChanged attribute across instances. For that reason, we do not support connecting to different AD servers for synchronisation. (You can of course define multiple different directories, each pointing to its own respective AD server.)
- You must restart the application after restoring AD from backup. On restoring from backup of an AD server, the uSNChanged timestamps are reverted to the backup time. To avoid the resulting confusion, you will need to flush the directory cache after a Active Directory restore operation.
- Obtaining AD object deletions requires administrator access. Active Directory stores deleted objects in a special container called cn=Deleted Objects. By default, to access this container you need to connect as an administrator and so, for the synchronisation task to be aware of deletions, you must use administrator credentials. Alternatively, it is possible to change the permissions on the cn=Deleted Objects container. If you wish to do so, please see this Microsoft KB Article.
- The User DN used to connect to AD must be able to see the uSNChanged attribute. The synchronisation task relies on the uSNChanged attribute to detect changes, and so must be in the appropriate AD security groups to see this attribute for all LDAP objects in the subtree.