Active directory users are taking too much time while logging in OBIEE 12c

User_S35K3

Hi Experts,

I am working on OBIEE 12.2.1.3.0. I have done OBIEE authentication with AD, with AD users I am facing an issue when I login in with AD users it takes too much time but with weblogic users its working fine.

Gianni Ceresa

Like always you would need to try to identify which part is taking time.

There are some caching settings in the AD config you did in weblogic, you can look into that to try to have some info cached. You can also try to define if you are working on a too high level of your AD and therefore queries take time and you maybe can add some extra filters to improve the LDAP queries.

User_S35K3

These are configuration parameters which are set in configuration. Can you please let me which parameters can set performance.

Host:		The host name or IP address of the LDAP server.More Info...
Port:		The port number on which the LDAP server is listening.More Info...
Principal:		The Distinguished Name (DN) of the LDAP user that WebLogic Server should use to connect to the LDAP server.More Info...
Credential:		The credential (usually a password) used to connect to the LDAP server.More Info...
Confirm Credential:
SSLEnabled		Specifies whether the SSL protocol should be used when connecting to the LDAP server.More Info...
Users
User Base DN:		The base distinguished name (DN) of the tree in the LDAP directory that contains users.More Info...
All Users Filter:		If the attribute (user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.More Info...
User From Name Filter:		If the attribute (user name attribute and user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.More Info...
User Search Scope:	subtree onelevel	Specifies how deep in the LDAP directory tree the LDAP Authentication provider should search for users.More Info...
User Name Attribute:		The attribute of an LDAP user object that specifies the name of the user.More Info...
User Object Class:		The LDAP object class that stores users.More Info...
Use Retrieved User Name as Principal		Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal in the Subject.More Info...
Retrieve the User Account Control		Specifies whether to retrieve the userAccountControl attribute from Active Directory. The default value is true.More Info...
Groups
Group Base DN:		The base distinguished name (DN) of the tree in the LDAP directory that contains groups.More Info...
All Groups Filter:		An LDAP search filter for finding all groups beneath the base group distinguished name (DN). If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the Group schema.More Info...
Group From Name Filter:		An LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.More Info...
Group Search Scope:	subtree onelevel	Specifies how deep in the LDAP directory tree to search for groups. Valid values are subtree andonelevel.More Info...
Group Membership Searching:	unlimited limited off	Specifies whether group searches into nested groups are unlimited, limited or off. Valid values are unlimited,limited and off.More Info...
Max Group Membership Search Level:		Specifies how many levels of group membership can be searched. This setting is valid only if GroupMembershipSearching is set tolimited. Valid values are 0 and positive integers. For example, 0 indicates only direct group memberships will be found, and a positive number indicates the number of levels to search.More Info...
Ignore Duplicate Membership		Determines whether duplicate members are ignored when adding groups. The attribute cycles in the Group membership.More Info...
Use Token Groups For Group Membership Lookup		Indicates whether to use the Active Directory TokenGroups attribute lookup algorithm instead of the standard recursive group membership lookup algorithm.More Info...
Static Groups
Static Group Name Attribute:		The attribute of a static LDAP group object that specifies the name of the group.More Info...
Static Group Object Class:		The name of the LDAP object class that stores static groups.More Info...
Static Member DN Attribute:		The attribute of a static LDAP group object that specifies the distinguished names (DNs) of the members of the group.More Info...
Static Group DNs from Member DN Filter:		An LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP groups that contain that member. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.More Info...
Dynamic Groups
Dynamic Group Name Attribute:		The attribute of a dynamic LDAP group object that specifies the name of the group.More Info...
Dynamic Group Object Class:		The LDAP object class that stores dynamic groups.More Info...
Dynamic Member URL Attribute:		The attribute of the dynamic LDAP group object that specifies the URLs of the members of the dynamic group.More Info...
User Dynamic Group DN Attribute:		The attribute of an LDAP user object that specifies the distinguished names (DNs) of dynamic groups to which this user belongs.More Info...
General
Connection Pool Size:		The LDAP connection pool size. Default is 6.More Info...
Connect Timeout:		The maximum time in seconds to wait for the connection to the LDAP server to be established. If this attribute is set to 0, there is no maximum time limit.More Info...
Connection Retry Limit:		Specifies the number of times to attempt to connect to the LDAP server if the initial connection failed.More Info...
Parallel Connect Delay:		The delay in seconds when making concurrent attempts to connect to multiple LDAP servers.More Info...
Results Time Limit:		The maximum number of milliseconds for the LDAP server to wait for results before timing out. If this attribute is set to 0, there is no maximum time limit.More Info...
Keep Alive Enabled		Specifies whether to prevent LDAP connections from timing out.More Info...
Follow Referrals		Specifies that a search for a user or group within the LDAP Authentication provider will follow referrals to other LDAP servers or branches within the LDAP directory. By default, this attribute is enabled.More Info...
Bind Anonymously On Referrals		By default, the LDAP Authentication provider uses the same DN and password used to connect to the LDAP server when following referrals during a search. If you want to connect as an anonymous user, enable this attribute.More Info...
Propagate Cause For Login Exception		Specifies whether the providers should propagate the cause of the LoginException.More Info...
Cache Enabled		Specifies whether a cache is used with the LDAP serverMore Info...
Cache Size:		The size of the cache (in kilobytes) that is used with the LDAP serverMore Info...
Cache TTL:		The time-to-live of the cache (in seconds) that is used with the LDAP serverMore Info...
Cache Statistics Enabled		Specifies whether to enable statistics of the cache.More Info...
GUID Attribute:		Specifies the name of the GUID attribute defined in the Active Directory LDAP server. The default value isobjectguid.More Info...
Identity Domain:		The name of the identity domain.More Info...

User_S35K3

Sorry for Inconvenience parameters are not visible.

Gianni Ceresa

3698127 wrote:... Can you please let me which parameters can set performance.

It isn't as simple as that: there isn't a single thing which make performance better or it would be turned ON by default.

You can look at https://docs.oracle.com/middleware/1213/wls/SECMG/ldap_atn.htm#SECMG185  and also in the Tuning guide I believe they have something about what could be checked to improve things.

But again: do not just randomly change everything. You must identify in details where the time is spent to define what you can tune or not. Changing everything copying some "best practices" document could maybe, if lucky, work for now but you can also pay the price later with things not working fine or behaving weirdly etc.

Rajesh Dhanapal

Hi,

1) Have you set the virtualize as true in EM:

2) It's worth checking "Principal Equals Case Insensitive" config

3) If AD server uses a different attribute for User Name than "cn" then you need to edit it, as well as AllUsersFilter and UserFromNameFilter. . In general, AD server uses “sAMAccountName” for UserNameAttribute.

4) If the AD server uses a different Group Name Attribute from the default  you also need to change the AllGroupsFilter and GroupFromNameFilter

NB: Check with internal AD team to ensure the have specified the relevant values e.g. UserNameAttribute

Best regards,

Rajesh Dhanapal.

[Deleted User]

2668432 wrote:2) It's worth checking "Principal Equals Case Insensitive" config

Check it with regards to what?

Rajesh Dhanapal

For e.g. when the AD user is set as "sThomas" and if the OBIEE user logs in as "sthomas" it creates the profile for sthomas. So by setting the above config it helped in our environment to set the correct BI Application roles.

[Deleted User]

The OP's question was about performance.

User_S35K3

Thanks. Issue resolved.

Gianni Ceresa

Could you post some details on how you resolved it?

It's a community forum, where people share knowledge to help others. What worked for you in solving your issue could help others finding this thread and having the same problem.

Post some info on how it has been solved and mark it as being the correct answer.