Defining OUs with the LDAP User Source:
The "User Containers" configuration of the LDAP "User Source" is the first configuration choice an administrator must make that will greatly impact how ZCM interacts with LDAP.
For many user related functions, the ZCM primary server will send an LDAP search for each OU defined, which will include all child OUs.
In General, ZCM is most efficient if a single high level O or OU is defined which results in a single LDAP query, even if it encompasses some unnecessary OUs, versus creating multiple lower level OU entries which result in multiple smaller queries.
In many cases, the number of LDAP requests is directly proportional to the number of OUs defined so 20 seperate OUs will often generate 20 times more LDAP requests.
Hence defining multiple OUs should be avoided if possible.
Note: If multiple low level OUs are defined, it is possible in 11.1 and later to collapse multiple low level OU definitions to a single higher level O/OU, while retaining all associations.
The reverse, however, is not possible without deleting and recreating the user source and losing the associations.
Remember: If a High Level Container is defined, ZCM does not contain any mechanism to allow any lower level containers to be excluded if desired.
Once a top level container is configured, reconfiguring to the use of lower level containers is difficult, though the need for lower level containers in lieu of a top level container is generally not required or preferred.
LDAP Replica Configuration for e-Directory Servers:
Since ZCM will generally be performing searches from a very high level O or OU and below, it is recommended to point the ZCM primary servers to an LDAP server that holds replicas of all of these objects.
If the Primary Server's LDAP server does not hold a copy of all objects in its replicas, then it will cause the LDAP queries to chain to multiple LDAP servers, which is highly inefficient.
A primary server should never point to a remote server that only holds a limited number of replicas.
This is primarily a concern for e-Directory user sources, since e-Directory is a highly distributed database.
Note: It is acceptable to configure remote satellite authentication servers to point to a local replica server that does not contain all of the objects, since at least some of the queries will be handled locally.
Furthermore, in ZCM 11.2, the ZCM agent will cache the DN for previously logged in users removing the need for an LDAP search so long as the user has already logged onto the device and the user object has not moved since last logon.
This will greatly limit the number of times a remote satellite authentication server would need to query the entire tree during authentication.
Configuring Nested Group Support in Active Directory:
ZCM 11.1 and higher support Nested Groups in Active Directory.
While useful, the use of Nested Groups will create additional overhead.
Limiting the supported recursion level for Nested Groups will limit the amount of overhead.
The settings for Nested Groups can be found in ZCC->Configuration->Infrastructure Management->User Source Settings
Configuring "Dynamic Group Support" for e-Directory.
ZCM 11.2 now supports an option to "Disable" support for Dynamic Groups.
All prior versions of ZCM would always attempt to locate a users membership in dynamic groups.
Locating a user's membership in Dynamic Groups is an intensive LDAP query and disabling the support for Dynamic Groups will reduce LDAP overhead.
To ignore dynamic groups, Select "Yes" to the "Ignore Dynamic Groups in eDirectory" inside that user source's configuration section of the ZCC.
Enable LDAP Round-Robin on a Primary Server to balance LDAP Queries between multiple LDAP server
By Default, A ZCM Primary server will all send requests to first primary server in its list of LDAP Source servers unless those requests timeout, in which case it will send it to the next server.
Enabling LDAP Round-Robin on the Primary server will cause all LDAP requests from the server to be equally balanced among all of its configured LDAP sources.
To enable LDAP Round-Robin modify the following file:
In this file change: <DoConnectionRoundRobin>false</DoConnectionRoundRobin> to <DoConnectionRoundRobin>true</DoConnectionRoundRobin> and restart the ZCM Services.
Upgrade ZCM agents to 11.2 for DN Caching support
ZCM agents version 11.2 and higher will cache the DN of user objects once a user logs into a device.
The next time the user logs into that device, instead of searching the tree for the user ID, it will attempt to use the previous DN of the user object for authentication.
Only if the object no longer exists, will it search the tree looking to see if the object has been moved.
The reduced number of searches for user DNs will help reduce overall LDAP overhead.
Reduce LDAP Overhead for DLU:
Set "HKLM\Software\Novell\ZCM\AgentSettings\DoNotFetchUserGroups = True" Per TID#7007948
Increase LDAP Caching Values:
Consider Increasing the LDAP Cache values from the current default value of 600 seconds to 14400 seconds per TID#7003298
Unlike the previous LDAP recommendations which have little negative impact, increasing the cache values significantly could cause changes in the LDAP source to be recognized much more slowly by the ZCM agent as it pulls old information from cache instead of the new changed details.
This drawback is why this recommendation is listed last.