The default behavior for the Active Directory connector is to search the entire root DN when performing a pass-through authentication. This can lead to referrals which can result in long delays and errors.
To prevent these errors or delays, configure the Active Directory application to limit the scope of pass-through authentication searches to only the Search DNs defined in the application.
To do so, complete the following steps:
- Open the IdentityIQ Debug pages.
- In the "Object Browser" dropdown, select Application.
- Click the Active Directory application to open it.
- Edit the XML to add the entry key
<entry key="filterEmptyRecords">
<value>
<Boolean>true</Boolean>
</value>
</entry>
- Save the application definition.
Note: If you define a large number of search DNs, using this flag may negatively impact performance during authentication.
