Reputation: 41
I am using OpenAM 9.5.3 to do authentication and authorization. For authorization, I have two policies set under the Top Level Realm (the only realm in the setup). Each policy has two rules (URL policy agent) with one subject (OpenAM Identity Subject). The subject contains two LDAP groups. For example:
Policy Name: my_policy
Rules:
Rule1: some rule
Rule2: some-other rule
Subject:
Subject1: Contains two groups, Group 1 and Group 2. The total number of users, put together, is around 80. Group 1 contains user A, who is not available in Group 2.
When user A logs in, authorization for User A against Group 2 takes a long time, around 3 min. Group 2 has only 40 users in it. Log statements from the policy log file: http://pastebin.com/kXSUXQ5F. As highlighted below, it takes 2 min for evaluation to complete.
**amPolicy:03/02/2014 09:34:52:592** AM PST: Thread[http-bio-8443-exec-12,5,main]
AMidentitySubject.isMember():user uuid = id=user-1,ou=user,dc=orgname,dc=com, subject uuid = id=group-2,ou=group,dc=orgname,dc=com
**amPolicy:03/02/2014 09:36:35:580** AM PST: Thread[http-bio-8443-exec-12,5,main]
AMIdentitySubject.isMember():userIdentity type IdType: user can be a member of subjectIdentityType IdType: group:membership=false
Note that authorization for User A against Group 1 happens immediately.
Tried googling for this and made the following changes,
None of these reduced the time for subject evaluation. I don't find anything else related to this on googling. Can you give pointers on other properties that need to be checked/tuned? Let me know if you need any further details on this.
Thanks In Advance, Veerabahu
Upvotes: 1
Views: 298
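To find every slow membership check in a policy debug log rather than spotting one pair by eye, the following added example (not part of the original post and not OpenAM code) pairs each `isMember()` start line with its `membership=` result on the same thread and reports the elapsed time. The line layout is assumed from the excerpt quoted in the question; the `id=group-1` pair and the 5-second threshold are constructed for illustration.

```python
import re
from datetime import datetime

# Header: "amPolicy:<MM/dd/yyyy hh:mm:ss:SSS> <AM|PM> <TZ>: Thread[<name>,<prio>,<group>]"
HEADER = re.compile(
    r"amPolicy:(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d:\d{3}) (AM|PM) \w+: Thread\[([^\]]+)\]")
START = re.compile(r"isMember\(\):user uuid = (.+?), subject uuid = (.+)$", re.I)
END = re.compile(r"isMember\(\):.*membership=(true|false)", re.I)

def membership_timings(lines):
    """Pair each isMember() start with its result on the same thread."""
    pending, results, ts, thread = {}, [], None, None
    for raw in lines:
        line = raw.replace("*", "").strip()  # drop the bold markers used on the page
        if (h := HEADER.search(line)):
            # The zone label is ignored: both ends of a pair come from one server.
            ts = datetime.strptime(" ".join(h.group(1, 2)), "%m/%d/%Y %I:%M:%S:%f %p")
            thread = h.group(3)
        elif ts is None:
            continue  # message line with no preceding header
        elif (s := START.search(line)):
            pending[thread] = (ts, s.group(1), s.group(2))
        elif (e := END.search(line)) and thread in pending:
            t0, user, subject = pending.pop(thread)
            results.append({"user": user, "subject": subject,
                            "member": e.group(1).lower() == "true",
                            "seconds": (ts - t0).total_seconds()})
    return results

def slow_checks(lines, threshold=5.0):
    """Membership checks that took at least `threshold` seconds (assumed cut-off)."""
    return [r for r in membership_timings(lines) if r["seconds"] >= threshold]

# First pair is constructed (the fast Group 1 check); second pair is the excerpt quoted above.
SAMPLE = """\
amPolicy:03/02/2014 09:34:52:570 AM PST: Thread[http-bio-8443-exec-12,5,main]
AMIdentitySubject.isMember():user uuid = id=user-1,ou=user,dc=orgname,dc=com, subject uuid = id=group-1,ou=group,dc=orgname,dc=com
amPolicy:03/02/2014 09:34:52:590 AM PST: Thread[http-bio-8443-exec-12,5,main]
AMIdentitySubject.isMember():userIdentity type IdType: user can be a member of subjectIdentityType IdType: group:membership=true
**amPolicy:03/02/2014 09:34:52:592** AM PST: Thread[http-bio-8443-exec-12,5,main]
AMidentitySubject.isMember():user uuid = id=user-1,ou=user,dc=orgname,dc=com, subject uuid = id=group-2,ou=group,dc=orgname,dc=com
**amPolicy:03/02/2014 09:36:35:580** AM PST: Thread[http-bio-8443-exec-12,5,main]
AMIdentitySubject.isMember():userIdentity type IdType: user can be a member of subjectIdentityType IdType: group:membership=false
""".splitlines()

if __name__ == "__main__":
    for r in slow_checks(SAMPLE):
        print(f'{r["seconds"]:.3f}s  {r["user"]} -> {r["subject"]}  member={r["member"]}')
```

Grouping the output by `subject` shows whether the delay is tied to one group entry or to every negative membership result.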
Reputation: 2744
OpenAM 9.5.3 suffered from sub-optimal membership checking in AMIdentitySubject, see https://bugster.forgerock.org/jira/browse/OPENAM-1964
It's time to upgrade ...
Upvotes: 1