Slow AD Login for 7.9 Gateway?

Thought I should make a new thread as this is for a different gateway version with different options.

I am working with a 7.9.X gateway. The AD login times have become very slow, occasionally causing a timeout. There are no advanced properties set. I was hoping I could do the solution in this thread - Active Directory Login Very Slow - #5 by Louis_Whitburn however I found out when looking for Referral it does not exist as a field under the advanced options for an AD User source.

  1. Is there some way I can set Referral to Ignore in 7.9?
  2. The AD directory is set up like this -
    image
    All relevant logins are from 5 groups underneath the Production Folder. Are there any other settings I could try to help speed things up a bit? I see that there is User Search Base, User Search Filter, and User List Base, which are all currently the default. I see the User Search Base does say you can set the Base Folder, but I don’t know enough about Active Directories to set it - what does the DC= or OU= refer to here? Which would I use for this use case?

Any help appreciated. Active Directories are not in my wheelhouse yet.

DC stands for Domain Controller, and OU stands for Organizational Unit. The other important one to know is CN which stands for Common Name. LDAP has a very cryptic syntax, in my opinion (up there with regex).

So for instance you might have a search Base that looks something like:

(OU=Production,DC=YourCompanyDomain,DC=com)

Assuming that Production is truly an OU, try putting that in your User Search Base and see if it helps. If you leave it at the default it searches the entire directory (I believe).

Our AD User Source was pretty slow, until we created a Security Groups organizational unit and set the User Search Base.

1 Like

Ok so OU, the organizational unit, refers to the Folder, in my case, Production. DC=MyCompanyDomain - presuming that is the top level folder that I blacked out? And DC=com remains that way. Basically the two DC's combined make up MyCompanyDomain.com, is that the point?

Edit: From an answer in another thread and what I am seeing online I think it may need to be OU=Production, OU=Users.

Additional Relevant Information:

The active directory domain has 3 parts, it's like abc.companyname.com

So I tried
(OU=Production, DC=abc, DC=companyname, DC=com) but then the usernames (populated from the active directory) all disappeared and only the internal logins remained. I also tried it with
(OU=Production, OU=Users, DC=abc, DC=companyname, DC=com) but still no dice.

Any ideas what is going wrong? The dropdown is being populated with system.user.getUsers()

The guy in the other thread suggested
ou=production,ou=users,dc=mydcname,dc=com

Try lowercase.
The gateway configuration field does not require (parentheses).

1 Like

I was working with someone who had access to the active directory so they were able to look up the distinguished name which helped a ton.

I set the Use Base List to the lowest level folder that contained all the other required folders.

Then for the filter list, I was able to do it based on 5 security groups that needed login access. Login times went back to being basically instantaneous.

@lrose @Transistor thanks for the help - this was a live problem I was able to resolve today and look like I (mostly) knew what I was doing

Just for my own notes, is the setup case-sensitive?

2 Likes

The job description of every engineer. :rofl: Glad you got it sorted.

1 Like

It seemed like for the DC it was case sensitive but for the OU it was not, however I had other issues so I don’t know if my lowercasing actually fixed anything.

Eventually I had the person copying and pasting the Distinguished Name to me and using that in the LDAP syntax exactly how they had it, which had upper case OU and DC values, and it seemed to work fine, so I don’t think so.

1 Like
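
An added example, not part of any post in this thread and not Ignition code: a Python sketch that checks a search base of the kind tried above against the AD domain name and builds a standard LDAP filter limited to members of specific security groups, with filter-value escaping. The group name is constructed for illustration, `memberOf` matches direct group membership only, and how a given gateway version consumes the base and filter is an assumption to verify against its documentation.

```python
def split_dn(dn):
    """Split a distinguished name into (TYPE, value) pairs; backslash escapes the next char."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]  # keep the escaped pair, e.g. an escaped comma, intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))  # attribute types compare case-insensitively
    return rdns


def check_search_base(base, ad_domain):
    """Return a list of problems found in a search base for the given AD DNS domain."""
    problems = []
    if base.startswith("(") or base.endswith(")"):
        problems.append("parentheses are filter syntax, not part of a DN")
        base = base.strip("()")
    dcs = [v.lower() for t, v in split_dn(base) if t == "DC"]
    if dcs != ad_domain.lower().split("."):
        problems.append("DC parts %r do not spell %s" % (dcs, ad_domain))
    return problems


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_filter(group_dns):
    """Build a filter matching user objects that are direct members of any listed group."""
    members = "".join("(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns)
    return "(&(objectClass=user)(|%s))" % members


if __name__ == "__main__":
    print(check_search_base("(OU=Production, DC=companyname, DC=com)", "abc.companyname.com"))
    # Constructed group DN; real ones should be copied from the directory.
    print(group_filter(["CN=Operators (Night),OU=Production,OU=Users,DC=abc,DC=companyname,DC=com"]))
```
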