LDAP User lookups odd behavior?

aamjohns
Contributor II

Hello,
I have LDAP configured for lookups in our ADS domain. Using the 'test' feature 'User Group Lookup' returns results in less than one second. 'User Group Membership Lookup' returns results in around one second. But doing a 'User Lookup' returns results in approximately 61 seconds. If I edit the connection and change the 'connection times out in' value, my 'User Lookup' result will always return whatever my timeout is + ~ 1 second. So if I lower it to 30, then my User Lookup result will return in around 31 seconds.

I'm trying to figure out what is happening here. Group lookups and group membership lookups appear to work fine. But user lookups appear to have some correlation to the timeout value. If I lower the timeout value too much, then I do not get a 'not found'.

Can anyone suggest how to fix this or maybe what the problem is?

Thanks,
Aaron.

5 REPLIES

ctangora
Contributor III

How many users does your AD have?

aamjohns
Contributor II

Hi,
If you need the exact count I can get it for you, but I know probably upwards of 300,000. We are a large University.

I can script an LDAP query for properties of an ADS account and get the results back ~1. So I know that it is possible regardless of the number of user accounts. Also, I did a demo of Casper in January and we did not have this issue.

I think it is peculiar that I get my result one second after the configured timeout. I can drop the timeout to 3 seconds and I get the results in 4.234 seconds. I just don't want to cut it too close to being an actual timeout where I did not give it enough time. If I go below 3 seconds on the timeout I don't get results consistently.

scottb
Honored Contributor

We had challenges too. But once we got the setup correct in LDAP, it worked a charm - and our AD environment is global and, well, interesting. Two things helped us get it all set up correctly:
1) Knowing the AD admin(s) to give us correct info.
2) Downloading a tool one of the Jamf guys told us about - http://directory.apache.org/studio/

It can be daunting if, like me, you're not exactly an AD guru, but it can be very useful, and it's free.

aamjohns
Contributor II

Hi,
Thank you for the response. The setup for us is straightforward and works. I am just experiencing something odd with the user lookups not returning a response until the JSS configured timeout has expired. Group and group membership lookups do not exhibit this behavior.

aamjohns
Contributor II

Also, I should mention... when I run through the LDAP setup, and it prompts me for two usernames to look up, it works and quickly.