
Disabling Jamf Pro LDAP wildcard searches to speed up user and group lookups

When setting up Jamf Pro, one of the options you have is to integrate it with your company, school or institution’s LDAP-based directory service. Connecting Jamf Pro to LDAP allows you to query your organization’s directory service for information and also allows the use of your existing user accounts and groups when requiring logins or scoping policies.

When setting up Jamf Pro to connect to a directory service, there’s a Use Wildcards When Searching setting with the following description:

Allow partial matches to be returned when searching the LDAP directory


This setting allows Jamf Pro to use wildcards when it makes LDAP searches of your directory service, so a search can return results that only partially match the search term you gave it.

For directory services with fewer than five thousand user accounts and/or groups, having this option enabled is usually fine. However, once the directory service is larger than that, disabling the Use Wildcards When Searching setting may dramatically speed up user and group lookups.

In my own shop, the directory service used by Jamf Pro has far more than five thousand users and groups. With the Use Wildcards When Searching setting enabled, lookups usually take a minimum of five seconds and a maximum of seven seconds.


With the Use Wildcards When Searching setting disabled, lookups now take between 0.03 and 0.001 seconds.


The downside to disabling wildcard searching is that you will need to search your directory service using the exact user or group name you want as your search criteria. Any result which is not an exact match will not be returned by the search. That said, the performance improvement usually makes this a worthwhile trade-off for losing the ability to search using wildcards.
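The trade-off described above can be seen in a small model of the two search styles. This is an added example, not code from Jamf Pro or from the original post; it assumes the wildcard option wraps the search term in `*` on both sides (the post does not show the filter Jamf Pro actually sends), and the attribute name, account names and directory size are constructed for illustration.

```python
def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 special characters so a search term stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(attr: str, term: str, wildcards: bool) -> str:
    """Build a substring filter (wildcards on) or an equality filter (wildcards off)."""
    value = escape_filter_value(term)
    return f"({attr}=*{value}*)" if wildcards else f"({attr}={value})"


class Directory:
    """Constructed in-memory directory with an equality index on the name attribute."""

    def __init__(self, names):
        self.entries = list(names)
        self.eq_index = {}
        for name in self.entries:
            self.eq_index.setdefault(name.lower(), []).append(name)

    def search(self, term: str, wildcards: bool):
        """Return (matches, number of entries examined)."""
        key = term.lower()
        if not wildcards:
            # Equality match: one index lookup, only exact names come back.
            hits = self.eq_index.get(key, [])
            return hits, len(hits)
        # A leading wildcard cannot use the equality index: every entry is checked.
        hits = [n for n in self.entries if key in n.lower()]
        return hits, len(self.entries)


def demo(size: int = 20000):
    """Run both search styles for 'jsmith' against a constructed directory."""
    names = [f"user{i:05d}" for i in range(size)]
    names += ["jsmith", "jsmithers", "ajsmith"]  # constructed sample accounts
    directory = Directory(names)
    return directory.search("jsmith", True), directory.search("jsmith", False)


if __name__ == "__main__":
    (wild_hits, wild_cost), (exact_hits, exact_cost) = demo()
    print(build_filter("sAMAccountName", "jsmith", True), wild_hits, wild_cost)
    print(build_filter("sAMAccountName", "jsmith", False), exact_hits, exact_cost)
```

The wildcard search returns all three sample accounts after examining every entry, while the exact search returns only `jsmith` after a single index lookup.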

To disable wildcard searching, use the following procedure:

1. Log into Jamf Pro.
2. Go into your Jamf Pro management settings:

Settings: System Settings: LDAP Servers: Your Directory Service Name Here (substitute your actual settings for Your Directory Service Name Here.)

3. Click the Edit button to edit the Your Directory Service Name Here settings.
4. Scroll to the bottom and locate the Use Wildcards When Searching setting.
5. If the setting is checked, uncheck it.
6. Click the Save button to save your changes.

  1. Daniel Shane
    May 30, 2018 at 9:28 am

    Thanks Rich

    This took my user lookup down from 44.5 seconds to 0.02 seconds !!!

  2. lashomb
    May 31, 2018 at 4:15 pm

    Interesting… we have a pretty large AD environment (where many integrations with other products can break or become slow due to the size of the directory structure), and user searching in our JSS is pretty instantaneous. I checked our settings and we do have wildcard searching on. Our timeouts are different slightly and we have “Referral Response” set to Ignore.

  3. Jeremy Dybash
    June 6, 2018 at 12:32 am

    I’m seeing same performance results as Daniel’s (above); down from 56.2 seconds to 0.04 seconds. Essentially same results in both Test (v10.3.1) and Prod (9.97.xxxxx) envs—wow! Thanks, Rich!
