LDAP Searches slow or timeout when querying the entire directory

PROBLEM:

When an application receives an LDAP referral response for DC=DomainDNSZones,DC=blah,DC=corp, queries take longer to complete or, in some cases, time out.

CAUSE:

The DomainDNSZones application partition lies within the subtree of the search's baseDN:

-> the search is performed from the DC=blah,DC=corp baseDN with a scope of Whole Subtree

-> the referred partition, DC=DomainDNSZones,DC=blah,DC=corp, is inside that subtree, so the directory returns a continuation reference for it

RESOLUTION:

Run the search against the Global Catalog (port 3268), as this will not return referrals.

Alternative solutions:

You could instead change the BaseDN of the search so that the DomainDNSZones partition is no longer inside the searched subtree, if that is a viable option.

You could also configure the client simply not to follow referrals.

Example:

Query

ldapsearch -x -LLL -P 3 -h directoryservices.blah.corp -D "kcurran-admin@blah.corp" -W -b "DC=blah,DC=corp" -s sub "(sAMAccountName=kcurran)" cn userprincipalname mail sn manager sAMAccountName 

Results

dn: CN=Kevin Curran,OU=Admin,OU=Operations,OU=Corporate,OU=People,DC=blah,DC=corp

cn: Kevin Curran

sAMAccountName: kcurran

mail: kcurran@blah.com

# refldap://DomainDnsZones.blah.corp/DC=DomainDnsZones,DC=blah,DC=corp

Possible solution: run the query against the Global Catalog port (3268), which will not return referrals.

ldapsearch -x -LLL -P 3 -h directoryservices.blah.corp:3268 -D "kcurran-admin@blah.corp" -W -b "DC=blah,DC=corp" -s sub "(sAMAccountName=kcurran)" cn mail sAMAccountName

Enter LDAP Password:

dn: CN=Kevin Curran,OU=Admin,OU=Operations,OU=Corporate,OU=People,DC=blah,DC=corp

cn: Kevin Curran

sAMAccountName: kcurran

mail: kcurran@blah.com
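As an added example (not from this article), the script below parses the port-389 ldapsearch output shown above into entries and referral URLs, then checks whether each referred partition lies under the search base; that check is exactly what decides whether narrowing the BaseDN (the first alternative solution) avoids the referral. The LDIF sample and the blah.corp names are constructed copies of the article's placeholders, and the DN handling assumes no escaped commas inside RDNs.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample: the LDIF returned above by the port-389 subtree search,
# including the continuation reference for the DomainDnsZones partition.
SAMPLE_LDIF = """\
dn: CN=Kevin Curran,OU=Admin,OU=Operations,OU=Corporate,OU=People,DC=blah,DC=corp
cn: Kevin Curran
sAMAccountName: kcurran
mail: kcurran@blah.com

# refldap://DomainDnsZones.blah.corp/DC=DomainDnsZones,DC=blah,DC=corp
"""

# ldapsearch prints each continuation reference as a comment line: "# ref<URL>"
REFERRAL_RE = re.compile(r"^#\s*ref(ldaps?://\S+)\s*$")

def parse_ldif(text):
    """Split ldapsearch output into entries (attr -> values) and referral URLs."""
    entries, referrals, current = [], [], {}
    for line in text.splitlines():
        m = REFERRAL_RE.match(line)
        if m:
            referrals.append(m.group(1))
        elif not line.strip():
            if current:  # a blank line terminates the current entry
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries, referrals

def is_under_base(dn, base_dn):
    """True when dn lies in the subtree rooted at base_dn (case-folded RDN suffix
    match; assumes no escaped commas inside RDNs)."""
    dn_parts = [p.strip().lower() for p in dn.split(",")]
    base_parts = [p.strip().lower() for p in base_dn.split(",")]
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts

def referrals_in_scope(text, base_dn):
    """Referred partition DNs that a subtree search from base_dn will run into."""
    _, referrals = parse_ldif(text)
    # The DN is the path component of the LDAP URL, e.g. ldap://host/DC=x,DC=y
    bases = [unquote(urlparse(u).path.lstrip("/")) for u in referrals]
    return [b for b in bases if is_under_base(b, base_dn)]
```

Running referrals_in_scope against "DC=blah,DC=corp" reports the DomainDnsZones partition, while "OU=People,DC=blah,DC=corp" reports none, which is why moving the BaseDN down to the OU holding the user accounts removes the referral.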

Additional Information:

LDAP v3 specifically allows referrals to be returned to the client rather than having the server chase them, as happened in earlier versions of LDAP. This was apparently done for performance, and from that angle it makes sense. There are a couple of different types of referrals: continuation references, which mean "here is some data, and you may find more in these other locations", and error referrals, which mean "the data is definitely not at this location, try elsewhere".