Optimizing the Group Membership Caches

■ If you are using the Active Directory Authentication provider, configure it to perform group membership lookups using the tokenGroups option. The tokenGroups option holds the entire flattened group membership for a user as an array of system ID (SID) values. The SID values are specially indexed in the Active Directory and yield extremely fast lookup response. See Section 5.4.10.5, Configuring the Active Directory Authentication Provider to Improve Performance.

5.4.10.1 Optimizing the Group Membership Caches

To optimize the group membership caches for WebLogic and LDAP Authentication providers, set the following attributes, found in the Administration Console on the LDAP Authentication provider's Configuration > Provider Specific and Configuration > Performance pages:

■ Group Membership Searching—Available from the Provider Specific page, this attribute controls whether group searches are limited or unlimited in depth, that is, how deeply to search into nested groups. For configurations that use only the first level of the nested group hierarchy, this option improves performance during user searches by limiting the search to the first level of the group.
  – If a limited search is defined, Max Group Membership Search Level must be defined.
  – If an unlimited search is defined, Max Group Membership Search Level is ignored.

■ Max Group Membership Search Level—Available from the Provider Specific page, this attribute controls the depth of a group membership search if Group Membership Searching is defined. Possible values are:
  – 0—Indicates only direct groups will be found. That is, when searching for membership in Group A, only direct members of Group A will be found. If Group B is a member of Group A, the members of Group B will not be found by this search.
  – Any positive number—Indicates the number of levels to search. For example, if this option is set to 1, a search for membership in Group A will return direct members of Group A. If Group B is a member of Group A, the members of Group B will also be found by this search. However, if Group C is a member of Group B, the members of Group C will not be found by this search.

■ Enable Group Membership Lookup Hierarchy Caching—Available from the Performance page, this attribute indicates whether group membership hierarchies found during recursive membership lookup are cached. Each subtree found will be cached. The cache holds the groups of which a group is a member. This setting only applies if Group Membership is enabled. By default, it is disabled.

■ Max Group Hierarchies in Cache—Available from the Performance page, this attribute specifies the maximum size of the Least Recently Used (LRU) cache that holds group membership hierarchies. A value of 1024 is recommended. This setting only applies if Enable Group Membership Lookup Hierarchy Caching is enabled.

■ Group Hierarchy Cache TTL—Available from the Performance page, this attribute specifies the number of seconds cached entries stay in the cache. The default is 60 seconds. A value of 6000 is recommended.

In planning your cache settings, bear in mind the following considerations:

■ Enabling a cache involves a trade-off between performance and accuracy. Using a cache means that data is retrieved faster, but runs the risk that the data may not be the latest available.

■ The time-to-live (TTL) setting determines how long you are willing to accept potentially stale data. This depends a lot on your particular business needs. If you frequently change group memberships for users, a long TTL could mean that group-related changes won't show up for a while, and you may want a short TTL. If group memberships almost never change after a user is added, a longer TTL may be fine.

■ The cache size is related to the amount of memory you have available, as well as to the cache TTL. Consider the number of entries that might be loaded in the span of the TTL, and size the cache in relation to that number. A longer TTL will tend to require a larger cache size.
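The following Python model, added here as an illustration and not Oracle's or WebLogic's own code, shows the two behaviours described above: how Max Group Membership Search Level bounds the walk through nested groups (the Group A / Group B / Group C example, seen from the user's side), and how an LRU cache of group-to-parent-group hierarchies with a TTL trades lookup speed for the possibility of stale membership data. The directory contents, the group and user names, and the 60-second TTL used in the demo are constructed for the example; the cache is a simplified stand-in, not the provider's implementation.

```python
"""Nested group membership search with a depth limit and a TTL-bounded LRU
hierarchy cache. Added example; the directory below is constructed."""
from collections import OrderedDict
import time

# Constructed directory: group -> set of direct members (users or groups).
# GroupC is a member of GroupB, which is a member of GroupA.
DIRECTORY = {
    "GroupA": {"alice", "GroupB"},
    "GroupB": {"bob", "GroupC"},
    "GroupC": {"carol"},
}


def direct_parent_groups(name, directory):
    """Groups that list `name` (a user or a group) as a direct member."""
    return {g for g, members in directory.items() if name in members}


class HierarchyCache:
    """LRU cache of 'groups of which a group is a member', with per-entry TTL.
    `max_entries` plays the role of Max Group Hierarchies in Cache and
    `ttl_seconds` the role of Group Hierarchy Cache TTL."""

    def __init__(self, max_entries, ttl_seconds, clock=time.monotonic):
        self.max_entries = max_entries
        self.ttl = ttl_seconds
        self.clock = clock                # injectable for deterministic tests
        self._entries = OrderedDict()     # group -> (expires_at, parents)
        self.hits = 0
        self.misses = 0

    def get(self, group):
        entry = self._entries.get(group)
        if entry is None or entry[0] <= self.clock():
            if entry is not None:
                del self._entries[group]  # expired: drop and force a reload
            self.misses += 1
            return None
        self._entries.move_to_end(group)  # mark as most recently used
        self.hits += 1
        return entry[1]

    def put(self, group, parents):
        self._entries[group] = (self.clock() + self.ttl, frozenset(parents))
        self._entries.move_to_end(group)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)  # evict least recently used


def groups_of(user, max_level, directory, cache=None):
    """All groups `user` belongs to, following nested membership up to
    `max_level` levels (0 = direct groups only, None = unlimited)."""
    result = set()
    frontier = direct_parent_groups(user, directory)
    level, seen = 0, set()
    while frontier:
        result |= frontier
        if max_level is not None and level >= max_level:
            break
        nxt = set()
        for g in frontier:
            if g in seen:
                continue                  # cycle guard for self-referencing groups
            seen.add(g)
            parents = cache.get(g) if cache is not None else None
            if parents is None:           # 'is None': an empty parent set is a valid hit
                parents = direct_parent_groups(g, directory)
                if cache is not None:
                    cache.put(g, parents)
            nxt |= parents
        frontier = nxt - result
        level += 1
    return result


def demo_cache_stats():
    """Cold lookup misses, a repeat within the TTL hits, after the TTL it misses again."""
    now = [0.0]
    cache = HierarchyCache(max_entries=1024, ttl_seconds=60, clock=lambda: now[0])
    groups_of("carol", None, DIRECTORY, cache)
    cold = (cache.hits, cache.misses)
    groups_of("carol", None, DIRECTORY, cache)
    warm = (cache.hits, cache.misses)
    now[0] += 61                          # move past the 60-second TTL
    groups_of("carol", None, DIRECTORY, cache)
    expired = (cache.hits, cache.misses)
    return cold, warm, expired


def demo_staleness():
    """A membership change made after caching is invisible until the TTL elapses."""
    now = [0.0]
    directory = {g: set(m) for g, m in DIRECTORY.items()}
    cache = HierarchyCache(max_entries=1024, ttl_seconds=60, clock=lambda: now[0])
    before = groups_of("carol", None, directory, cache)
    directory["GroupD"] = {"GroupC"}      # GroupC is added to a new group
    stale = groups_of("carol", None, directory, cache)
    now[0] += 61
    fresh = groups_of("carol", None, directory, cache)
    return before, stale, fresh
```

With max level 0, carol's lookup returns only GroupC; with level 1 it also returns GroupB but not GroupA; unlimited returns all three, mirroring the documented semantics. `demo_staleness` makes the TTL trade-off concrete: after GroupC is placed in a new group, the cached hierarchy keeps answering without it until the entry expires, which is why a short TTL suits directories whose memberships change often.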

5.4.10.2 Optimizing the Connection Pool Size and User Cache