Troubleshooting guide

Chapter 8 Troubleshooting LDAP Servers and the AMC
Advanced Technical Reference Guide 4.1 June 2000 92
Known Limitations
Performance issue when large groups of users (more than around 1000 - 1500 users) are defined on the
LDAP server (see Solution ID: 10043.0.5520148.2585567 on the Check Point Technical Services site).
This limitation is related to two issues:
VPN-1/FireWall-1 looks up the groups the user is a member of every time the user has to be fetched.
The query used to retrieve the whole group object from the LDAP server.
Starting with VPN-1 4.1 SP-2 and VPN-1 4.0 SP-6 this behavior was changed so that only the group DN is retrieved from
the LDAP server (a significant difference when the group is large).
While the old implementation queried the groups using the AU branches as the search base, the new queries
use the DNs of the external groups defined for each AU. For example, suppose that we have the following:
a. A single AU with "o=cp,c=il" as the branch
b. Two external groups based on the following LDAP groups:
1. cn=rndg1, ou=rnd,o=cp,c=il
2. cn=supportg1, ou=support, o=cp,c=il
The old implementation queried the branch "o=cp,c=il". The new implementation queries the two
branches (in LDAP any object is a valid search base) "cn=rndg1, ou=rnd,o=cp,c=il" and
"cn=supportg1, ou=support, o=cp,c=il".
With this fix the queries no longer retrieve the group content (which is very large for large groups).
This should improve the performance of the LDAP search.
The indexes the LDAP server is configured to use (i.e. the attributes the server hashes so that it can
quickly answer queries that include these attributes in the filter). To improve server
performance, the "member" attribute should be indexed on the server.
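The following is an added example, not part of the Check Point guide, that models the two group-lookup strategies described above against an in-memory directory: a subtree search from the AU branch that returns the whole group object, versus a base-scope search at each external group DN that asks for no attributes (the LDAP "1.1" convention) and so returns only the DN. The directory contents, user names and group sizes are constructed for illustration.

```python
# Added illustration (not the product's code): compares the data returned by the
# old and new group-membership queries for a constructed directory with two
# 1500-member groups under the AU branch o=cp,c=il.

SCOPE_BASE, SCOPE_SUB = "base", "sub"

def build_directory(n_members=1500):
    """Constructed directory: the two external groups from the text, each large."""
    rnd = [f"uid=rnd{i},ou=rnd,o=cp,c=il" for i in range(n_members)]
    sup = [f"uid=sup{i},ou=support,o=cp,c=il" for i in range(n_members)]
    return {
        "cn=rndg1,ou=rnd,o=cp,c=il": {"objectClass": ["groupOfNames"], "member": rnd},
        "cn=supportg1,ou=support,o=cp,c=il": {"objectClass": ["groupOfNames"], "member": sup},
    }

def ldap_search(directory, base, scope, member_dn, attrs):
    """Minimal search for the filter (member=<member_dn>) returning only `attrs`.
    attrs == [] mimics requesting no attributes ("1.1"), i.e. the DN alone.
    Subtree scope is approximated by a suffix match on the base DN."""
    out = []
    for dn, entry in directory.items():
        in_scope = dn == base if scope == SCOPE_BASE else dn.endswith(base)
        if in_scope and member_dn in entry.get("member", []):
            out.append((dn, {a: entry[a] for a in attrs if a in entry}))
    return out

def response_size(results):
    """Rough wire size: the DN plus every attribute value that came back."""
    return sum(len(dn) + sum(len(v) for vals in e.values() for v in vals) for dn, e in results)

def old_lookup(directory, user_dn):
    # Old behaviour: subtree search from the AU branch, full group entries returned.
    return ldap_search(directory, "o=cp,c=il", SCOPE_SUB, user_dn, ["objectClass", "member"])

def new_lookup(directory, user_dn, external_groups):
    # New behaviour (4.1 SP-2 / 4.0 SP-6): base-scope search at each external group
    # DN, requesting no attributes, so only the matching group DNs come back.
    hits = []
    for group_dn in external_groups:
        hits += ldap_search(directory, group_dn, SCOPE_BASE, user_dn, [])
    return hits

if __name__ == "__main__":
    d = build_directory()
    user = "uid=rnd7,ou=rnd,o=cp,c=il"
    print("old query returns", response_size(old_lookup(d, user)), "bytes")
    print("new query returns", response_size(new_lookup(d, user, list(d))), "bytes")
```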