Hi Dave!
On our particular AD instance here at Comcast, the indexes aren't being hit at all. Here's the query from the log:
2008-11-17 16:26:23,691 http-48095-Processor24 INFO [integration.directory.connector.MicrosoftActiveDirectory] Performing principal search: baseDN = dc=myorg,dc=mycable,dc=com - filter = (&(sAMAccountName=*user_name*)(objectClass=Person))
We receive a
LDAP: error code 3 - Timelimit Exceeded]; nested exception is javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; remaining name 'dc=myorg,dc=mycable,dc=com'
Whereas if we just search on sAMAccountName=user_name, the result is instantaneous. I have little input with the AD team here - even if I promise a free t-shirt - and we have to work with their setup, unfortunately.
Is it possible for a user to modify the search query to be "equals" or is that hard-wired? I've looked all over but can't find the information in either a file or the DB (we're using MySQL for Crowd).
A recommendation (and this is from me - we use directories extensively here at Comcast so I read/write from them all the time in applications - and no t-shirt required) is to keep the search simple and specific. So if you need the object returned by sAMAccountName, then let that be the search attribute. If there is a requirement to do a "contains", make it an optional checkbox or something.
Right now, we utilize the individual LDAP functionality of each of the Atlassian tools - somewhat tedious to maintain - and it would be terrific if we could utilize Crowd.
Great to hear
For future reference - if you want queries answered promptly, it's best to open a support request at http://support.atlassian.com. The workflow there means that your query stays front-and-center until it's resolved.
Cheers,
Dave.
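
The recommendation in the question above (exact match by default, "contains" only as an explicit option) can be sketched as follows. This is an added example, not part of the thread and not Crowd's code; the function and parameter names are hypothetical, and the value is escaped per RFC 4515 so a typed "*" cannot turn an exact search back into a wildcard search.

```python
# Added illustration; names here are hypothetical, not Crowd's API.

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot add wildcards or filter terms."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def principal_filter(user_name: str, contains: bool = False,
                     attribute: str = "sAMAccountName",
                     object_class: str = "Person") -> str:
    """Build the principal search filter.

    contains=False -> equality match (sAMAccountName=value), the form the
                      post reports as instantaneous.
    contains=True  -> substring match (sAMAccountName=*value*), the form in
                      the logged query that ended in 'Timelimit Exceeded'.
    """
    value = escape_filter_value(user_name.strip())
    if not value:
        # An empty value with contains=True would match every Person entry.
        raise ValueError("user_name must not be empty")
    term = f"*{value}*" if contains else value
    return f"(&({attribute}={term})(objectClass={object_class}))"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(principal_filter("user_name"))                 # default: equality
    print(principal_filter("user_name", contains=True))  # opt-in "contains"
    print(principal_filter("*"))                         # wildcard is neutralised
```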