Active directory users are taking too much time while logging in OBIEE 12c

Hi Experts,
I am working on OBIEE 12.2.1.3.0. I have set up OBIEE authentication with AD. With AD users I am facing an issue: when I log in with AD users it takes too much time, but with WebLogic users it's working fine.
Answers
-
Like always you would need to try to identify which part is taking time.
There are some caching settings in the AD config you did in WebLogic; you can look into that to try to have some info cached. You can also try to determine whether you are working at too high a level of your AD, so that queries take time, and maybe add some extra filters to improve the LDAP queries.
0 -
These are the configuration parameters which are set in the configuration. Can you please let me know which parameters can set performance.
The host name or IP address of the LDAP server.
The port number on which the LDAP server is listening.
The Distinguished Name (DN) of the LDAP user that WebLogic Server should use to connect to the LDAP server.
The credential (usually a password) used to connect to the LDAP server.
Specifies whether the SSL protocol should be used when connecting to the LDAP server.
Users
The base distinguished name (DN) of the tree in the LDAP directory that contains users.
If the attribute (user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.
If the attribute (user name attribute and user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.
subtree onelevel
Specifies how deep in the LDAP directory tree the LDAP Authentication provider should search for users.
The attribute of an LDAP user object that specifies the name of the user.
The LDAP object class that stores users.
Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal in the Subject.
Specifies whether to retrieve the userAccountControl attribute from Active Directory. The default value is true.
Groups
The base distinguished name (DN) of the tree in the LDAP directory that contains groups.
An LDAP search filter for finding all groups beneath the base group distinguished name (DN). If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the Group schema.
An LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.
subtree onelevel
Specifies how deep in the LDAP directory tree to search for groups. Valid values are subtree and onelevel.
unlimited limited off
Specifies whether group searches into nested groups are unlimited, limited or off. Valid values are unlimited, limited and off.
Specifies how many levels of group membership can be searched. This setting is valid only if GroupMembershipSearching is set to limited. Valid values are 0 and positive integers. For example, 0 indicates only direct group memberships will be found, and a positive number indicates the number of levels to search.
Determines whether duplicate members are ignored when adding groups. The attribute cycles in the Group membership.
Indicates whether to use the Active Directory TokenGroups attribute lookup algorithm instead of the standard recursive group membership lookup algorithm.
Static Groups
The attribute of a static LDAP group object that specifies the name of the group.
The name of the LDAP object class that stores static groups.
The attribute of a static LDAP group object that specifies the distinguished names (DNs) of the members of the group.
An LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP groups that contain that member. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.
Dynamic Groups
The attribute of a dynamic LDAP group object that specifies the name of the group.
The LDAP object class that stores dynamic groups.
The attribute of the dynamic LDAP group object that specifies the URLs of the members of the dynamic group.
The attribute of an LDAP user object that specifies the distinguished names (DNs) of dynamic groups to which this user belongs.
General
The LDAP connection pool size. Default is 6.
The maximum time in seconds to wait for the connection to the LDAP server to be established. If this attribute is set to 0, there is no maximum time limit.
Specifies the number of times to attempt to connect to the LDAP server if the initial connection failed.
The delay in seconds when making concurrent attempts to connect to multiple LDAP servers.
The maximum number of milliseconds for the LDAP server to wait for results before timing out. If this attribute is set to 0, there is no maximum time limit.
Specifies whether to prevent LDAP connections from timing out.
Specifies that a search for a user or group within the LDAP Authentication provider will follow referrals to other LDAP servers or branches within the LDAP directory. By default, this attribute is enabled.
By default, the LDAP Authentication provider uses the same DN and password used to connect to the LDAP server when following referrals during a search. If you want to connect as an anonymous user, enable this attribute.
Specifies whether the providers should propagate the cause of the LoginException.
Specifies whether a cache is used with the LDAP server.
The size of the cache (in kilobytes) that is used with the LDAP server.
The time-to-live of the cache (in seconds) that is used with the LDAP server.
Specifies whether to enable statistics of the cache.
Specifies the name of the GUID attribute defined in the Active Directory LDAP server. The default value is objectguid.
The name of the identity domain.
0 -
Sorry for the inconvenience, the parameters are not visible.
0 -
3698127 wrote: ... Can you please let me know which parameters can set performance.
It isn't as simple as that: there isn't a single thing which makes performance better, or it would be turned ON by default.
You can look at https://docs.oracle.com/middleware/1213/wls/SECMG/ldap_atn.htm#SECMG185 and also in the Tuning guide I believe they have something about what could be checked to improve things.
But again: do not just randomly change everything. You must identify in detail where the time is spent to define what you can tune or not. Changing everything by copying some "best practices" document could maybe, if lucky, work for now, but you can also pay the price later with things not working fine or behaving weirdly etc.
0 -
Hi,
1) Have you set virtualize to true in EM?
2) It's worth checking "Principal Equals Case Insensitive" config
3) If the AD server uses a different attribute for User Name than "cn" then you need to edit it, as well as AllUsersFilter and UserFromNameFilter. In general, AD server uses "sAMAccountName" for UserNameAttribute.
4) If the AD server uses a different Group Name Attribute from the default you also need to change the AllGroupsFilter and GroupFromNameFilter
NB: Check with the internal AD team to ensure they have specified the relevant values, e.g. UserNameAttribute
Best regards,
Rajesh Dhanapal.
0 -
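An added example, not part of the thread and not Oracle's code: a read-only check over an exported provider configuration that lists the settings raised in the answers above (a subtree search rooted at the top of the AD tree, user filters that no longer match UserNameAttribute, unlimited nested group search, cache off) as candidates to measure first. The parameter names UserBaseDN, UserSearchScope, GroupBaseDN, GroupSearchScope and CacheEnabled are assumed here to match the provider's attribute names, and every value is constructed.

```python
import re

# Constructed sample configuration; every value is made up for illustration.
SAMPLE = {
    "UserBaseDN": "DC=corp,DC=example,DC=com",
    "UserSearchScope": "subtree",
    "UserNameAttribute": "sAMAccountName",
    "UserFromNameFilter": "(&(cn=%u)(objectclass=user))",
    "AllUsersFilter": "(&(cn=*)(objectclass=user))",
    "GroupBaseDN": "OU=BI Groups,DC=corp,DC=example,DC=com",
    "GroupSearchScope": "subtree",
    "GroupMembershipSearching": "unlimited",
    "CacheEnabled": False,
}

def filter_attrs(ldap_filter):
    """Lower-cased attribute names tested anywhere in an LDAP filter string."""
    found = re.findall(r"\(\s*([A-Za-z][\w.;-]*)\s*[~<>]?=", ldap_filter)
    return {name.lower() for name in found}

def is_domain_root(dn):
    """True when the DN has only DC= components, i.e. the top of the AD tree."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]
    return bool(parts) and all(p.upper().startswith("DC=") for p in parts)

def review(cfg):
    """Return (parameter, note) pairs to measure first; changes nothing."""
    notes = []
    for kind in ("User", "Group"):
        rooted = is_domain_root(cfg.get(kind + "BaseDN", ""))
        if rooted and cfg.get(kind + "SearchScope") == "subtree":
            notes.append((kind + "BaseDN", "subtree search from domain root"))
    # The thread names "cn" as the attribute AD setups usually have to replace.
    name_attr = cfg.get("UserNameAttribute", "cn").lower()
    for key in ("UserFromNameFilter", "AllUsersFilter"):
        if key in cfg and name_attr not in filter_attrs(cfg[key]):
            notes.append((key, "filter does not test " + name_attr))
    if cfg.get("GroupMembershipSearching") == "unlimited":
        notes.append(("GroupMembershipSearching", "nested search is unlimited"))
    if cfg.get("CacheEnabled") is False:
        notes.append(("CacheEnabled", "LDAP cache is switched off"))
    return notes

if __name__ == "__main__":
    for parameter, note in review(SAMPLE):
        print(f"{parameter}: {note}")
```

Each flagged item is something to time before and after a change, not a setting to flip blindly.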
2668432 wrote: 2) It's worth checking "Principal Equals Case Insensitive" config
Check it with regards to what?
0 -
E.g., when the AD user is set as "sThomas" and the OBIEE user logs in as "sthomas", it creates the profile for sthomas. So setting the above config helped in our environment to set the correct BI Application roles.
0 -
The OP's question was about performance.
0 -
Thanks. Issue resolved.
0 -
Could you post some details on how you resolved it?
It's a community forum, where people share knowledge to help others. What worked for you in solving your issue could help others finding this thread and having the same problem.
Post some info on how it has been solved and mark it as being the correct answer.
0