MS LDAPMembership Provider making unnecessary calls to LDAP server?

  • Question

  • Background info: SharePoint 2007 internet site using Forms Authentication, Tivoli Access Manager, and the MS LDAPMembership provider for authentication and authorization.

    The directory has more than 50k members. We noticed that there are performance issues with authentication, and we set up logs on the LDAP server. We noticed the following:

    1. SharePoint gets the user object.

    2. It gets the list of groups the user belongs to.

    So far this sounds good. Then a very crazy thing happens:

    SharePoint goes to each group (the user belongs to) and then iterates through each user to confirm whether the user is a member of the group. Some of our groups have more than 15k members.

    Is this normal with MS LDAP Membership provider? Any suggestions/ideas to improve this?

    Thanks very much for the help. Let me know if you need more information.


    Thursday, January 20, 2011 4:51 AM

All replies

  • You have mentioned that there are over 50,000 users added to the site. There is a very high probability that you have already crossed the 64 KB ACL limit. If this is true, the performance will be affected. Below are a few question(s):


    1) How are AD users/groups added to the site?

    2) What is the cumulative total count of the AD users and AD security groups added to the site?


    As per http://technet.microsoft.com/en-us/library/cc262787(office.12).aspx, the maximum number of unique security scopes set for a list should not exceed 1,000. If this is more than the specified number on any of the lists, you can try to group the users together in AD groups / SharePoint groups and then add these groups to the list to ensure you do not hit the 64 K ACL limit. The following link will share some more details about best practices you can implement: http://blogs.msdn.com/b/joelo/archive/2007/06/29/sharepoint-groups-permissions-site-security-and-depreciated-site-groups.aspx



    Wednesday, January 26, 2011 9:53 AM
  • Thanks Manas. We had calls with Microsoft and it seems that's the default behaviour. We went ahead and developed a custom role provider and it works fine :-)

    Also, it's not AD, it's LDAP, like I mentioned in my post, and my post clearly says it's groups and not individual users :-)

    Tuesday, February 1, 2011 6:12 PM
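The reply above says the fix was a custom role provider. As an added illustration (not the poster's code and not Microsoft's LdapMembershipProvider), here is a read-only ASP.NET RoleProvider that asks the directory which groups list the user as a member in a single filtered search, instead of pulling every group's member list and scanning it client-side. The hostname, base DNs, the `uid`/`member`/`groupOfNames` schema and the bind account are assumptions; adapt them to your directory.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;
using System.Web.Security;

// Hypothetical read-only RoleProvider (illustrative code, not SharePoint's or
// Microsoft's). Assumed layout: user entries under ou=people with the login name
// in "uid"; groups are groupOfNames entries under ou=groups whose "member"
// attribute holds user DNs.
public class SingleQueryLdapRoleProvider : RoleProvider
{
    private const string Server = "ldap.example.com";                 // assumption
    private const int Port = 636;                                     // LDAPS
    private const string UserBase = "ou=people,dc=example,dc=com";   // assumption
    private const string GroupBase = "ou=groups,dc=example,dc=com";  // assumption
    private const string BindDn = "cn=svc-sharepoint,ou=services,dc=example,dc=com"; // assumption
    private const string BindPassword = "<placeholder: load from protected config>";

    public override string ApplicationName { get; set; }

    // RFC 4515 escaping: a login name or DN spliced into a filter must not be
    // able to change the filter's structure (LDAP injection).
    internal static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    private static LdapConnection Connect()
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(Server, Port));
        conn.SessionOptions.SecureSocketLayer = true;   // bind password never travels in clear
        conn.SessionOptions.ProtocolVersion = 3;
        conn.AuthType = AuthType.Basic;                 // simple bind with a least-privilege lookup account
        conn.Credential = new NetworkCredential(BindDn, BindPassword);
        conn.Bind();
        return conn;
    }

    // Runs one search; "1.1" asks the server for no attributes, so only DNs come back.
    private static string[] Search(LdapConnection conn, string baseDn, string filter, string attr)
    {
        var resp = (SearchResponse)conn.SendRequest(new SearchRequest(baseDn, filter, SearchScope.Subtree, attr));
        var values = new List<string>();
        foreach (SearchResultEntry entry in resp.Entries)
        {
            if (attr == "1.1") { values.Add(entry.DistinguishedName); continue; }
            if (entry.Attributes.Contains(attr))
                values.Add((string)entry.Attributes[attr].GetValues(typeof(string))[0]);
        }
        return values.ToArray();
    }

    private static string FindUserDn(LdapConnection conn, string username)
    {
        string[] dns = Search(conn, UserBase, "(uid=" + EscapeFilterValue(username) + ")", "1.1");
        return dns.Length == 1 ? dns[0] : null;       // unknown or ambiguous login: treat as no user
    }

    // Two round trips regardless of group size: resolve the user's DN, then let the
    // server return the groups whose member attribute contains that DN.
    public override string[] GetRolesForUser(string username)
    {
        using (var conn = Connect())
        {
            string dn = FindUserDn(conn, username);
            if (dn == null) return new string[0];
            return Search(conn, GroupBase, "(&(objectClass=groupOfNames)(member=" + EscapeFilterValue(dn) + "))", "cn");
        }
    }

    // Membership test for one role is a single server-side comparison, not a 15k-entry scan.
    public override bool IsUserInRole(string username, string roleName)
    {
        using (var conn = Connect())
        {
            string dn = FindUserDn(conn, username);
            if (dn == null) return false;
            string filter = "(&(objectClass=groupOfNames)(cn=" + EscapeFilterValue(roleName) + ")(member=" + EscapeFilterValue(dn) + "))";
            return Search(conn, GroupBase, filter, "1.1").Length > 0;
        }
    }

    public override bool RoleExists(string roleName)
    {
        using (var conn = Connect())
            return Search(conn, GroupBase, "(&(objectClass=groupOfNames)(cn=" + EscapeFilterValue(roleName) + "))", "1.1").Length > 0;
    }

    public override string[] GetAllRoles()
    {
        using (var conn = Connect())
            return Search(conn, GroupBase, "(objectClass=groupOfNames)", "cn");
    }

    // Enumerating a group's full member list is the expensive operation the thread
    // complains about, and the directory is managed outside SharePoint, so the
    // remaining members are deliberately unsupported here.
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}
```

Two points worth checking before relying on this pattern: the `(member=<dn>)` filter is only cheap if the directory keeps an equality index on the `member` attribute (otherwise the server performs the same scan the client used to), and the provider must be registered under `system.web/roleManager/providers` in the web.config of every SharePoint web application that authenticates these users, Central Administration included.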