IBM Support

QRadar: Lightweight Directory Access Protocol (LDAP or LDAP w/Active Directory) logins are slow or time out

Troubleshooting


Problem

Users report that logins are slow when using LDAP or LDAP with Active Directory authentication. Slow authentication or timeouts at the user interface can indicate a configuration issue. This technical note guides administrators through the common causes of slow authentication or timeouts in the QRadar LDAP configuration.

Symptom

Users might experience longer wait times than expected at the login page.

Cause

Common causes for slow logins:

  1. The base statement in the LDAP configuration is too wide.
  2. The LDAP server is a Microsoft Active Directory using referrals.

Diagnosing The Problem

Scenario 1: Base statement too wide
To diagnose slow logins to LDAP, confirm the Distinguished Name (User Base DN) from your LDAP server. If you do not have permissions to run queries on your LDAP system, contact your LDAP/AD administrator for the information.
  1. From the LDAP server, open the PowerShell utility.
  2. To retrieve the user's attributes, including the DistinguishedName, replace <username> with the actual username in the following command:
    Get-ADUser -Identity <username> -Properties *
  3. The DistinguishedName returned by the query indicates the path to the user. For example, analyst1 is located under CN=Users,DC=test,DC=internal.
    DistinguishedName                    : CN=analyst1,CN=Users,DC=test,DC=internal
  4. Verify that the Distinguished Name in the User Base DN field is correct for your LDAP server.

    Results
    The previous output shows that the analyst1 user is located under CN=Users,DC=test,DC=internal. However, the base statement uses DC=test,DC=internal, so the query must search every entry under the domain rather than only the entries in Users.
Scenario 2: Referrals
In LDAP authentication against Active Directory, the response does not contain the entire record for the requested user. When this occurs, the server instructs the client to follow a referral. If the Referral field is configured to use the follow option in the user interface, the request can be delayed until the referred record is provided.


Resolving The Problem

Scenario 1
  1. The administrator can confirm and update the User Base DN statement based on the Distinguished Name from the LDAP server. Tuning your configuration allows login requests to complete in a timely manner.
  2. Click Save.
  3. On the Admin tab, click Deploy Changes.

Scenario 2
  1. Review the Server URL field to determine if ports TCP/389 or TCP/636 are used when the Referral field is set to follow.
    Note: Administrators with LDAP ports configured to use TCP/389 or TCP/636 might be experiencing a reported issue where an LDAP port is required. For more information, see: APAR IJ27713: UNABLE TO LOGIN USING ENCRYPTED LDAP WITH MICROSOFT AD SERVICES ON STANDARD LDAP PORTS.
  2. To resolve slow login issues, update the Server URL field to use a Global Catalog port (TCP/3268 or TCP/3269). For example:
    ldap://xxx.xxx.xxx.xxx:3268
    ldaps://xxx.xxx.xxx.xxx:3269

  3. Click Save.
  4. On the Admin tab, click Deploy Changes.

    Result
    Logins now complete in a timely manner. If you continue to experience slow LDAP authentication or errors when logging in, contact QRadar Support.
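As an added example, not code from IBM or the QRadar product, the following Python implements the two checks this note walks through: the Scenario 1 comparison of the DistinguishedName from Get-ADUser output against the configured User Base DN, and the Scenario 2 port check when the Referral field is set to follow. Function names and the sample Get-ADUser output are constructed for this example; the follow option, the standard ports and the Global Catalog ports are those the note gives.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the Get-ADUser text output shown in this note (not real directory data).
SAMPLE_GET_ADUSER = ("Name              : analyst1\n"
                     "DistinguishedName : CN=analyst1,CN=Users,DC=test,DC=internal\n")

def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped (e.g. 'CN=Doe\\, Jane' stays one RDN)."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]

def parse_get_aduser_dn(output):
    """Pull the DistinguishedName value out of 'Get-ADUser -Identity <user> -Properties *' output."""
    for line in output.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip() == "DistinguishedName":
            return val.strip()
    raise ValueError("no DistinguishedName line in output")

def check_base_dn(user_dn, base_dn):
    """Scenario 1: is the User Base DN the user's own container, or wider? Reports how many
    extra levels the search covers and the tightest base that still contains the user."""
    parent = split_dn(user_dn)[1:]          # drop the user's own RDN, e.g. CN=analyst1
    base = split_dn(base_dn)
    lower = lambda rdns: [r.lower() for r in rdns]   # DN comparison is case-insensitive
    if len(base) > len(parent) or lower(base) != lower(parent)[len(parent) - len(base):]:
        return {"status": "base does not contain user", "extra_levels": None,
                "recommended": ",".join(parent)}
    extra = len(parent) - len(base)
    return {"status": "ok" if extra == 0 else "too wide", "extra_levels": extra,
            "recommended": ",".join(parent)}

def check_referral_port(server_url, referral):
    """Scenario 2: with Referral set to follow, TCP/389 and TCP/636 make QRadar chase AD
    referrals; recommend the Global Catalog port (3268/3269) for the same scheme instead."""
    u = urlsplit(server_url)
    gc_port = {"ldap": 3268, "ldaps": 3269}[u.scheme]
    port = u.port or (636 if u.scheme == "ldaps" else 389)   # scheme default when no port given
    if referral.lower() == "follow" and port in (389, 636):
        return {"status": "use global catalog", "recommended": f"{u.scheme}://{u.hostname}:{gc_port}"}
    return {"status": "ok", "recommended": server_url}

if __name__ == "__main__":
    user_dn = parse_get_aduser_dn(SAMPLE_GET_ADUSER)
    print(check_base_dn(user_dn, "DC=test,DC=internal"))
    print(check_referral_port("ldap://xxx.xxx.xxx.xxx:389", "follow"))
```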

Document Location

Worldwide


Document Information

Modified date:
18 May 2021

UID

ibm16443619