jeff7091

Reputation: 957

What is the best performing generic LDAP query for authenticating users in AD?

We're using LDAP to authenticate users. The other side of the LDAP pipe is a very large Active Directory implementation. We're finding that the authentication query is taking too long (15 seconds and longer).

Here's a representation of what we're doing:

ldap://ldap.myco.com/DN?dc=myco,dc=com??sub?(sAMAccountName=John)

What is the best way to accomplish this in a way that will work well for any giant AD implementation?

Thanks!

Upvotes: 0

Views: 1068

Answers (3)

Evan Anderson

Reputation: 15021

Brian Desmond is spot-on with his answer (and I've upvoted as such). You'll get the best performance from a simple bind.

For redundancy's sake (and to spread the load) you should have multiple DCs available to bind to. The algorithm that Microsoft AD clients use to locate DCs (based on site membership and SRV RR weights and preference values) is non-trivial, but you could approximate by getting the addresses (or names) of a few DCs to bind against.

Upvotes: 0

Brian Desmond

Reputation: 4503

sAMAccountName is definitely indexed, although your search also includes computers and groups. You could further qualify it with (&(objectCategory=person)(objectClass=user)(samAccountName={0})).

The bigger question is why are you doing the search to begin with? If all you want to do is check a username and password via LDAP bind, do a bind to LDAP://DC=myco,DC=com and access myDirectoryEntry.NativeObject. If it throws an exception you have a problem.

Also, what is "ldap.myco.com"? Is that a load balancer? Is it the name of your domain? You should be able to do a serverless bind here...

Upvotes: 3
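As an added example (not code from the question or from any answer), here is a Python helper that builds the qualified filter from the answer above with the username escaped per RFC 4515, so whatever is substituted for `{0}` is treated as a literal value and cannot change the filter's structure. The `domain_base_dn` helper and the `ValueError` checks are my additions; they are not part of the answer.

```python
# Added example: safely build the user-only search filter suggested above.
# RFC 4515 requires these characters to be escaped inside a filter assertion
# value so that user input cannot close the assertion or add wildcards.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a single LDAP filter assertion value per RFC 4515."""
    # Per-character lookup, so the backslash escape is never re-escaped.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str) -> str:
    """Return the qualified filter from the answer, restricted to user objects.

    Rejects empty values and values longer than the 20-character limit AD
    applies to user sAMAccountName, rather than sending them to a DC.
    """
    if not sam_account_name or len(sam_account_name) > 20:
        raise ValueError("sAMAccountName must be 1..20 characters")
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(sam_account_name)}))"
    )


def domain_base_dn(dns_domain: str) -> str:
    """Map a DNS domain name such as myco.com to the bind target DC=myco,DC=com."""
    labels = [label for label in dns_domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


if __name__ == "__main__":
    # Constructed sample input: the username from the question.
    print(domain_base_dn("myco.com"))
    print(build_user_filter("John"))
```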

user207421

Reputation: 310957

If sAMAccountName is indexed this query should be O(1) or O(log(N)) depending on the index structure. If it's taking 15 seconds it sounds like O(N) which would mean it isn't indexed.

Upvotes: 0
