We have a situation where we have a web policy agent protecting URLs via a policy based on group membership.
The groups in question are sometimes quite large (30K+ members). What appears to be happening is that every time someone accesses the resource the entire group list is dragged back from LDAP. Given this can be many times per second, the traffic and load between OpenAM and LDAP is excessive.
idm caching is on but does not appear to be having much impact.
Is there any way to change the behaviour from “let’s grab the entire group list and see if the user in question is in there?” to “is the user a member of this group?”
For the purposes of transparency I should say the system in question is OpenAM v11 with WPA 3.3.4.
I assume your identity store is OpenDJ. What version of that are you using? There may be a way to use an LDAP filter condition in your policy vs group membership but I need to check what your version of DJ provides with regards to static groups.
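As an added illustration (not from either poster), this is the shape of the "is the user a member of this group?" check the reply alludes to: a single base-scope LDAP search with a filter, which returns one entry or none and never transfers the member list. It assumes the store is OpenDJ with the isMemberOf virtual attribute available; the DNs are constructed sample values.

```python
"""Membership check as one base-scope LDAP search (added example).

Assumptions (not from the thread): OpenDJ with the isMemberOf virtual
attribute enabled; all DNs below are constructed sample values.
"""
from typing import Dict, List


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so a DN
    containing '(', ')', '*', '\\' or NUL cannot alter the filter's meaning."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def membership_search(user_dn: str, group_dn: str,
                      use_is_member_of: bool = True) -> Dict[str, object]:
    """Parameters of a search that matches exactly when user_dn is in group_dn.

    Neither variant asks the server for the group's member values:
    - isMemberOf: base search on the user entry, filter on the virtual attribute
    - member:     base search on the group entry, filter on one member value
    The attribute list '1.1' (RFC 4511) asks for no attributes at all.
    """
    if use_is_member_of:
        base = user_dn
        filt = "(isMemberOf=%s)" % escape_filter_value(group_dn)
    else:
        base = group_dn
        filt = "(member=%s)" % escape_filter_value(user_dn)
    return {"base": base, "scope": "base", "filter": filt, "attributes": ["1.1"]}


def is_member(entries_returned: int) -> bool:
    """A base-scope search yields one entry on a match, zero otherwise."""
    return entries_returned == 1


def ldapsearch_command(params: Dict[str, object]) -> List[str]:
    """Equivalent ldapsearch invocation for checking the behaviour by hand."""
    return (["ldapsearch", "-b", str(params["base"]), "-s", str(params["scope"]),
             str(params["filter"])] + list(params["attributes"]))
```

Compare the bytes this search moves (one entry or zero, no attributes) with a search that reads the group's full `member` attribute, which is the pattern the question describes.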