
QRadar: LDAP or local admin user logins are slow or time out

Troubleshooting


Problem

Users report that logins are slow when you are using LDAP or LDAP with Active Directory authentication. Slow authentication or timeout issues to the user interface can indicate a configuration issue. This technote guides administrators through common issues with slow authentication or timeout issues in the QRadar LDAP configuration.

Symptom

Users experience longer wait times than expected at the login page (the original technote shows a screenshot of the QRadar login page at this point).

Cause

 Common causes for slow logins:

  • The User Base DN in the LDAP configuration is too wide, so each login search covers far more entries than it needs to.
  • The LDAP server is a Microsoft Active Directory that returns referrals.
  • More than one domain controller is in use. If so, and secure authentication (SSL/startTLS) is configured, the certificates from all domain controllers must be added.
  • If you are using secure authentication (SSL/startTLS), the main DNS value from the certificate must be used as the host in the ldapURL value. The DNS value in the following example is DC-01.xyz.xyz.ie:
    openssl x509 -in /opt/qradar/conf/trusted_certificates/ad_ldap_server.pem -text |grep DNS
       DNS:DC-01.xyz.xyz.ie, DNS:xyz.xyz.ie, DNS:xyz
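The last cause above is easy to check offline once you have the `DNS:` line from `openssl x509 -text`. The following Python script is an added example and not part of the IBM technote or of QRadar: it parses that line, extracts the host from a configured ldap:// or ldaps:// URL, and reports whether the URL host matches one of the certificate's subject alternative names (exact match or a single-label wildcard). The sample SAN line is the one shown in the technote; the URLs in the usage section are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the line that `openssl x509 -in <cert> -text | grep DNS`
# prints for the certificate in the technote.
SAMPLE_SAN_LINE = "DNS:DC-01.xyz.xyz.ie, DNS:xyz.xyz.ie, DNS:xyz"


def parse_san_dns(text):
    """Return the DNS names listed on a Subject Alternative Name line of openssl's text output."""
    return [m.group(1) for m in re.finditer(r"DNS:([^,\s]+)", text)]


def san_matches_host(san, host):
    """Case-insensitive match of one SAN against a host; '*.' matches exactly one leading label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host


def check_ldap_url(ldap_url, san_line):
    """Return (ok, message): ok is True only if the URL host is covered by a certificate SAN.

    An IP address or a short name in the URL never matches a DNS SAN, which is the
    mismatch the technote describes; the message says which names were available.
    """
    parsed = urlparse(ldap_url)
    if parsed.scheme not in ("ldap", "ldaps"):
        return False, f"unexpected scheme {parsed.scheme!r}; expected ldap or ldaps"
    host = parsed.hostname
    if host is None:
        return False, "no host found in URL"
    names = parse_san_dns(san_line)
    for name in names:
        if san_matches_host(name, host):
            return True, f"{host} matches certificate SAN {name}"
    return False, f"{host} matches none of the certificate SANs {names}"


if __name__ == "__main__":
    # Constructed URLs: the first uses the certificate's main DNS name, the second an IP.
    for url in ("ldaps://DC-01.xyz.xyz.ie:636", "ldaps://10.0.0.5:636"):
        ok, msg = check_ldap_url(url, SAMPLE_SAN_LINE)
        print(("OK   " if ok else "FAIL ") + msg)
```

Run it against the `DNS:` line of each domain controller's certificate in /opt/qradar/conf/trusted_certificates; a FAIL for the configured Server URL means the TLS handshake will reject the name even though the certificate itself is trusted.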

Diagnosing The Problem

 Scenario 1: Base statement is too wide
To diagnose slow LDAP logins, confirm the Distinguished Name (User Base DN) from the LDAP server. If you do not have permissions to run queries on your LDAP system, contact your LDAP administrator to obtain the information.
  1. On the LDAP server, open the PowerShell utility.
  2. To query the user's attributes, including the DistinguishedName, replace <username> with the actual username in the following command:
    Get-ADUser -Identity <username> -Properties *
  3. The DistinguishedName returned by the query indicates the path to the user. For example, analyst1 sits in the container CN=Users,DC=test,DC=internal:
    DistinguishedName                    : CN=analyst1,CN=Users,DC=test,DC=internal

  4. Verify that the Distinguished Name is correct for your LDAP server in the User Base DN field (the original technote shows a screenshot of the User Base DN field here).

    Results
    The previous output states that the analyst1 user is in CN=Users,DC=test,DC=internal. However, the base statement uses DC=test,DC=internal, so each login query must search all entries under the domain root instead of only the Users container. This mismatch causes the slowdown. Follow the Scenario 1 resolution to fix the problem.
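The comparison described in these results can be automated for every user you check. The Python script below is an added example, not code from the IBM technote or from QRadar: it splits the DistinguishedName returned by Get-ADUser into its RDNs (honoring backslash-escaped commas), normalizes case and spacing, and reports whether the configured User Base DN is the user's immediate container, a wider ancestor (how many levels too wide), or does not contain the user at all. The DN and base DN values used in the usage section are the ones from the technote; the `check_user_base_dn` function and its result keys are this example's own.

```python
import re


def split_dn(dn):
    """Split a DN into its RDN strings; a comma escaped as '\\,' stays inside its value."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def normalize_rdn(rdn):
    """Lower-case attribute type and value and drop surrounding whitespace so DNs compare reliably."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def normalize_dn(dn):
    return [normalize_rdn(r) for r in split_dn(dn)]


def parent_dn(user_dn):
    """The container holding the user: the DN with its leading RDN removed."""
    return ",".join(split_dn(user_dn)[1:])


def check_user_base_dn(user_dn, base_dn):
    """Compare the user's DistinguishedName with the configured User Base DN.

    Returns a dict with 'status' of 'ok', 'too_wide' or 'not_under_base', plus the
    number of extra container levels and the base DN that would match the user's
    container exactly, as the technote's Scenario 1 resolution recommends.
    """
    user = normalize_dn(user_dn)
    base = normalize_dn(base_dn)
    suggested = parent_dn(user_dn)
    if len(base) >= len(user) or user[len(user) - len(base):] != base:
        return {"status": "not_under_base", "levels_too_wide": None, "suggested_base_dn": suggested}
    extra = len(user) - len(base) - 1  # containers between the base and the user entry
    if extra == 0:
        return {"status": "ok", "levels_too_wide": 0, "suggested_base_dn": suggested}
    return {"status": "too_wide", "levels_too_wide": extra, "suggested_base_dn": suggested}


if __name__ == "__main__":
    # Values from the technote: the user's DN and the too-wide base statement.
    result = check_user_base_dn("CN=analyst1,CN=Users,DC=test,DC=internal", "DC=test,DC=internal")
    print(result)
```

A base DN one level wider than the user's container is the situation the results paragraph describes. Before narrowing the base DN, run the check for a user from each container that must be able to log in: a base that matches one container exactly will exclude users that live elsewhere in the directory.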

 
Scenario 2: Referrals
In an Active Directory implementation, the domain controller that receives the LDAP authentication request might not hold the entire record for the requested user. When this happens, the server responds with a referral to another server. If the Referral field is set to the follow option, the request is delayed until the referred server provides the record (the original technote shows a screenshot of the Referral field here).

Resolving The Problem

Scenario 1: Base statement is too wide
Tune your configuration so that login requests complete in a timely manner.
  1. Change the User Base DN in the Basic Configuration to match the Distinguished Name of the users' container that you confirmed on the LDAP server in the diagnosis procedure.
  2. Click Save.
  3. On the Admin tab, click Deploy Changes.

    Results
    If you continue to experience issues with slow LDAP authentication or errors, contact QRadar Support.

Scenario 2: Referrals
Update the Server URL.
  1. Review the Server URL field in the Basic Configuration and note whether it uses port TCP/389 or TCP/636 (the original technote shows a screenshot of the Basic Configuration here).
    Note: Administrators with LDAP ports configured to use TCP/389 or TCP/636 might be experiencing a reported issue where an LDAP port is required. For more information, see: APAR IJ27713: UNABLE TO LOGIN USING ENCRYPTED LDAP WITH MICROSOFT AD SERVICES ON STANDARD LDAP PORTS.
  2. Update the Server URL field to use a Global Catalog port (startTLS/3268 or SSL/3269). If the Referral option follow is selected and you bind to port 389, then when the user account is not in the selected user base directory but the domain controller knows of another LDAP directory where it might be found, the client is referred to the next domain controller, which is presumed to hold the requested object. If you bind to the Global Catalog on port 3268, the search includes all directory partitions in the forest, and if the attribute is not in the Global Catalog, no further referrals are made.
    Server URL examples:
    ldap://xxx.xxx.xxx.xxx:3268
    ldaps://xxx.xxx.xxx.xxx:3269

  3. Click Save.
  4. On the Admin tab, click Deploy Changes.

    Results
    If you continue to experience issues with slow LDAP authentication or errors, contact QRadar Support.

Document Location

Worldwide

Document Information

Modified date:
26 May 2023

UID

ibm16443619