All geek questions in one place

LDAP lookup using DirectoryServices.Protocols slow

We use System.DirectoryServices.DirectorySearcher to search for sAMAccountName. This works great, except that when you request a specific AD, which we suspect is large enough, the search often expires. After doing a bit of research, I found that searching using System.DirectoryServices.Protocols could be faster when polling large AD. I am trying to recreate the fact that we use protocols to find out if this will affect the timeouts. This is what currently exists:

Dim Entry As New DirectoryEntry(anLDAPURL, aDomainUserName, aPassword) Dim obj As Object = Entry.NativeObject 'Force Authentication on Active Directory Server Dim Filter As String = String.Format("(sAMAccountName={0})", aDomainUserName) Dim Search As New DirectorySearcher(Entry, Filter) Search.PropertiesToLoad.Add(SID) Search.PropertiesToLoad.Add(ACCOUNTISLOCKEDOUT) Search.PropertiesToLoad.Add(ACCOUNTISDISABLED) Dim Results As SearchResult = Search.FindOne()

This works fine and very fast (except for the case mentioned above when it expires). And this is what I am trying to change so that I can verify this:

 Dim credentials As New System.Net.NetworkCredential(aDomainUserName, aPassword) Dim directoryIdentifier As New System.DirectoryServices.Protocols.LdapDirectoryIdentifier("ldap-ad.example.org") Using connection As New System.DirectoryServices.Protocols.LdapConnection(directoryIdentifier, credentials, Protocols.AuthType.Basic) Dim attributes() As String = {SID, ACCOUNTISLOCKEDOUT, ACCOUNTISDISABLED} Dim search As New System.DirectoryServices.Protocols.SearchRequest( "dc=example,dc=org", String.Format("(sAMAccountName={0})", aDomainUserName), Protocols.SearchScope.Subtree, attributes) Dim response As System.DirectoryServices.Protocols.SearchResponse = DirectCast(connection.SendRequest(search), System.DirectoryServices.Protocols.SearchResponse) End Using

The above code works because it returns a result, but much slower than the original. I suspect that the way I am trying to execute the request is inefficient, but I'm not too sure how I can configure it to be faster.

+4
source share
2 answers

I ran into the same problem that ended up being caused by “referral harassment” in the returned results in the System.DirectoryServices.Protocols.LdapConnection.SendRequest method. This happened because of the "fake" domain name "corp.org", which did not have DNS records (therefore SendRequest spent a lot of time searching for DNS based on the results). To disable the referral chase:

 var conn = new LdapConnection(...); conn.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
+1
source

Based on your LDAP path in the SearchRequest constructor ( "dc=example,dc=org" ), it looks like you are specifying a server in the LdapDirectoryIdentifier ( ldap-ad.example.org ) constructor. Have you tried just specifying a domain instead of a server ( example.org )?

I really don’t see how these two methods should differ when searching for an indexed property that will return only 0 or 1 result.

0
source

Source: https://habr.com/ru/post/1484125/

More articles:


All Articles