Troubleshooting slow LDAP synchronization and lookups

PaperCut can use LDAP to synchronize user and group details from a directory server such as Apple Open Directory, Novell eDirectory, OpenLDAP and even Windows Active Directory (in addition to the native integration when running on Windows). PaperCut performs lookups against LDAP when:

  • Performing a manual user/group sync
  • Performing the automatic overnight new user import and user details update
  • Creating a new user “on the fly”
  • Adding a new group to PaperCut

Signs that LDAP lookups are taking a long time may include:

  • Running a manual sync takes a long time
  • The first print job for a user being created “on the fly” takes a long time

A slow synchronization is not necessarily a bad thing. This article is for sites where sychronization is slow enough to be a problem.

The following is a list of factors that may cause slow LDAP lookups.

Large Numbers of LDAP Aliases

PaperCut will dereference LDAP aliases in case those aliases are for users. In most cases this is the desired behavior. In some cases where there are large numbers of aliases (e.g. 5,000+) this may cause a noticeable slowdown. If these aliases are not for users then it is possible to disable dereferencing of LDAP aliases, which will speed up the sync. To do this:

  1. In the admin interface navigate to Options → Actions → Config editor (advanced)
  2. Find the config key ldap.dereference-aliases.
  3. The default value should be “always”. Change this to “never” and press Update.
  4. Test the sync again. Ensure that the correct list of users are imported (i.e. that aliases didn’t need to be dereferenced to retrieve the right users).

Categories: Troubleshooting Articles, Authentication

Keywords: slow sync, slow Open Directory, slow eDirectory, slow LDAP