LDAP Server Impact on Secure ADF Applications

Posted on by

If you’ve been involved with enterprise software development for any length of time, you’ve likely experienced the “performance issues in production” – the application that performs well in development and testing, then is sluggish and unresponsive when migrated to a production environment. The first instinct of many software developers is to start digging into code optimization or application architecture without considering the impact that external systems may have on application performance.

In this post, I’d like to demonstrate a potential performance issue with ADF applications that are secured by ADF Security: network traffic generated between the application and a directory server, and the impacts that poor network or query performance to the directory server can have on our ADF applications.

The Demonstration

To set up a demonstration, I’ve created a simple architecture on a virtual machine that contains all parts of our demonstration ‘network’.

Demonstration Architecture

In particular, this demonstration network has:

  1. An installation of OpenLDAP that will be the store for user and group information. On Oracle Linux, OpenLDAP can be installed from the Oracle Public Yum Repository.

  2. A WebLogic Application server configured with an OpenLDAP provider in the default security realm.

  3. An ADF Application that is secured with ADF Security.

There are two groups used by this application: “managers” and “associates”, each of which map to application roles within the ADF application. The application itself is rather simple – it only consists of a login page plus an index page that shows a single panel box depending on your application role. The application will, however, demonstrate the network traffic generated by a single authentication request.

LDAP Traffic Generated By Authentication

Let’s take a look at the network traffic generated by our simple login request. We’ll use a tool called [WireShark][] for measuring network traffic – if you are using Oracle Linux, WireShark can be installed from the Oracle Public Yum Repository. In this first example, we’ll disable the caching features of WebLogic – later on we’ll look at how WebLogic tuning can effect LDAP network traffic.

First, we’ll set a filter to display only LDAP packets.

Oracle Database XE 2

With the ADF Application running, we’ll log in with a username and password (being watched carefully by the “Security Cow”.)

ADF Login Page

When we authenticate as a ‘manager’, the application redirects to an index page.

A Manager's Index Page

If we take a look at the output of our WireShark sniffer, we can note that this request generated 34 packets over the network.

Manager Authentication Request

Subsequent logins by the user generate a consistent 34 packets per login – as we expect as the application retrieves all data from the OpenLDAP server for every login.

If you extrapolate how such a system would need to scale with more concurrent users, you can see that the latency of LDAP Queries made for authentication and authorization will have an impact on the performance of secure ADF applications. Let’s take a look at important tuning feature of WebLogic that will help reduce that traffic – WebLogic’s LDAP caching features.

Network Traffic With WebLogic LDAP Caching

To demonstrate the impact that LDAP Caching can have, let’s re-enable WebLogic caching (both user and group information) with the default caching options that are enabled on WebLogic install. For example, the User caching settings look like this on initial WebLogic installation:

AuthenticatorBook adf domain WLS Console

These cache sizes can be adjusted as can the “Time To Live” (TTL) for the cache – both of them parameters that you’ll want to tune for your particular environment.

If we perform the same login action as above, an initial authentication request will be identical to the requests performed above – with 34 network packets being sent to the OpenLDAP server:

Initial Authentication With Caching Enabled

Once this initial request is cached, however, subsequent authentication requests produce far less network traffic. In this specific example, the next login request produces 5 packets to the OpenLDAP server (for cache validation):

Subsequent Login With WebLogic Caching

Once the “Time To Live” (TTL) between login requests for this user has expired however, the cache will refresh itself with the same amount of packets sent as the original login request.

Recommendations: Improving LDAP Performance

Following the results of this demonstration, there are two recommendations that can be made that will improve the performance of secure ADF applications:

Improve Your Directory Server and Network Performance: An obvious starting point would be improving both the performance of the network between WebLogic server and your directory server. A secondary (and more difficult) point of improvement is ensuring that LDAP queries performed against your directory server are both quick and efficient. (A rule of thumb mentioned by one of the Oracle “A-Team” members during a WebCenter performance discussion is that a query should have a mean execution time of under 50 milliseconds.)

I’ve noted that directory server performance is often a secondary consideration during architectural planning – a company will size hardware for concurrent users of an application, set up clustered deployments, etc. – then set up WebLogic to use the common ‘enterprise wide’ directory server to provide authentication. The performance of that directory server architecture must be as critical as the performance of the application environment, as the appellation will only perform as well as the slowest component in the system architecture.

Consult the documentation for your directory server for tips on performance tuning, or perhaps consider using architectural solutions for creating a highly performant directory architecture to service transactional applications.

Tune WebLogic Caching To Reduce Network/Query Traffic: After LDAP and network performance is ‘sufficient’, WebLogic can be tuned to improve performance through caching. Note that the two important parameters are cache size and cache time-to-life; make sure that you’ve taken into account hardware (RAM) for memory used by LDAP caches.

A very good resource for understanding WebLogic authentication provider tuning in general can be found on the “Fusion Security Blog” here.

Here’s a brief video walking through the demonstration:

  • Chris Muir

    “Mooooo” says the Security Cow…. which translated I think means good post Chad :-)

    • chad_thompson

      Thanks! The security cow adds an extra layer of security to applications. After all, who’s going to mess with a Guernsey?

  • Zeeshan Baig

    Good post.

    • chad_thompson

      Thank you! I’ve already found the demonstration useful for showing someone why “just connecting to our Active Directory” can create it’s own little set of problems…

  • http://twitter.com/prateekazam prateek.shaw

    Good one chand

  • elemental

    nice article but to be mitigated because normally in a production environment not only your application should scale but also your enterprise directory

    • chad_thompson

      I completely agree. What prompted this example was some experiences with clients wanting to simply “integrate” a new WebLogic environment to an existing (often an Active Directory) directory server environment without taking into account the performance impacts that an LDAP/Directory server will have.
      Often, the AD infrastructure was designed for supporting something like desktop logins, which have a much different performance requirement than an interactive web application. In some cases I’ve noted that the infrastructure of the ‘external’ LDAP infrastructure is simply taken as a given – which has caused immediate issues when rolling out an ADF/WebCenter app to production.