KB-9965: Login Delays are Experienced After an Upgrade to Suite 2016 or Later

Centrify DirectControl

21 March,18 at 06:26 PM

Problem:
  
After upgrading the Centrify DirectControl (CDC) agent for *nix from a pre-5.X version to version 5.X or later, there is a delay during user login. The delay can also be seen when running commands that involve user identity, such as: id, adquery user, chown, etc.
 
Cause:
  
The Centrify DirectControl agent, version 5.x and later, is designed to use the Active Directory RFC2307 attributes to create Unix/Linux user profiles. This design decision is based on the fact that, at the time of the CDC 5.x release, Windows 2003 was reaching end of life for Microsoft support and Windows 2008 Domain Controllers already had the RFC2307 schema attributes built in.

The RFC2307 attribute, uid, is used as a key attribute to store profile information.

However, while the uid attribute is available by default in Windows 2008 AD, that attribute is not automatically indexed, per the Microsoft design. This causes the AD searches that are issued to build the CDC cache to take much longer than in earlier CDC releases, which do not use the uid attribute.

The longer searches cause the delays while the adclient cache is building. Once the cache is completely built, commands that use the adclient cache are much faster.

Solution:
  
The performance of the CDC 5.X agent for *nix is significantly improved when an index is created for the uid attribute in Active Directory. The index should be created in all cross-trust and one-way trust domains that contain users who access machines running Centrify DirectControl 5.X and later.

Instructions for creating the index can be found in the Centrify Infrastructure Services Planning and Deployment Guide -> Planning organizational units and security groups -> Planning for data storage in Active Directory -> Modifying indexed attributes for zones.

The following links are provided as a courtesy to assist with instructions for creating the recommended index:

How to register the schema snap-in for MMC:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732110(v=ws.11)

How to create an index in AD on a specific attribute:
https://technet.microsoft.com/en-us/library/aa995762(v=exchg.65).aspx
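
As a scripted alternative to the MMC steps, the following added example (not Centrify's or Microsoft's own code) reports whether the uid attribute is indexed in each forest's schema and can optionally set the index bit. It assumes the ActiveDirectory PowerShell module is installed; the domain names are constructed placeholders, and the `$Domains`, `$ApplyFix` and `$IndexBit` variable names are chosen for this example.

```powershell
# Added example: audit (and optionally set) the index flag on the uid schema attribute.
# Assumes the ActiveDirectory module (RSAT). Writing requires Schema Admins rights.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'   # make lookup failures land in the catch block

# Constructed placeholders: one DNS name per forest or trusted domain whose users log in.
$Domains  = @('corp.example.com', 'partner.example.net')
$ApplyFix = $false   # leave $false to report only
$IndexBit = 0x1      # searchFlags bit 0: attribute is indexed

$report = foreach ($domain in $Domains) {
    try {
        $schemaNC = (Get-ADRootDSE -Server $domain).schemaNamingContext
        $attr = Get-ADObject -Server $domain -SearchBase $schemaNC `
                    -LDAPFilter '(lDAPDisplayName=uid)' -Properties searchFlags
        if (-not $attr) { throw 'uid attribute not found in schema' }

        $flags   = [int]$attr.searchFlags          # unset attribute reads as 0
        $indexed = ($flags -band $IndexBit) -ne 0
        $action  = 'none'

        if (-not $indexed -and $ApplyFix) {
            # Schema writes must go to the forest's schema master.
            $master = (Get-ADForest -Server $domain).SchemaMaster
            # OR the bit in so any other searchFlags bits are preserved.
            Set-ADObject -Server $master -Identity $attr.DistinguishedName `
                -Replace @{ searchFlags = ($flags -bor $IndexBit) }
            $action = "index bit set on $master"
        }

        [pscustomobject]@{ Domain = $domain; SearchFlags = $flags
                           Indexed = $indexed; Action = $action }
    }
    catch {
        [pscustomobject]@{ Domain = $domain; SearchFlags = $null
                           Indexed = $null; Action = "error: $($_.Exception.Message)" }
    }
}

$report | Format-Table -AutoSize
```

Run it first with `$ApplyFix = $false` to see which forests still lack the index before making any schema change.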

Since the issue exists exclusively in AD, there is no "fix" that Centrify can provide to address it.
