12 Replies Latest reply on Aug 6, 2019 4:13 PM by 3698127

    Active directory users are taking too much time while logging in OBIEE 12c

    3698127

      Hi Experts,

       

      I am working on OBIEE 12.2.1.3.0. I have set up OBIEE authentication with AD. I am facing an issue with AD users: when I log in with an AD user it takes too much time, but with WebLogic users it's working fine.

        • 1. Re: Active directory users are taking too much time while logging in OBIEE 12c
          Gianni Ceresa

          Like always you would need to try to identify which part is taking time.

           

          There are some caching settings in the AD config you did in weblogic, you can look into that to try to have some info cached. You can also try to define if you are working on a too high level of your AD and therefore queries take time and you maybe can add some extra filters to improve the LDAP queries.

          • 2. Re: Active directory users are taking too much time while logging in OBIEE 12c
            3698127

            These are configuration parameters which are set in configuration. Can you please let me know which parameters can set performance.

             

             

            The host name or IP address of the LDAP server.

            The port number on which the LDAP server is listening.

            The Distinguished Name (DN) of the LDAP user that WebLogic Server should use to connect to the LDAP server.

            The credential (usually a password) used to connect to the LDAP server.

            Specifies whether the SSL protocol should be used when connecting to the LDAP server.

            Users

            The base distinguished name (DN) of the tree in the LDAP directory that contains users.

            If the attribute (user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.

            If the attribute (user name attribute and user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.

            Specifies how deep in the LDAP directory tree the LDAP Authentication provider should search for users.

            The attribute of an LDAP user object that specifies the name of the user.

            The LDAP object class that stores users.

            Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal in the Subject.

            Specifies whether to retrieve the userAccountControl attribute from Active Directory. The default value is true.

            Groups

            The base distinguished name (DN) of the tree in the LDAP directory that contains groups.

            An LDAP search filter for finding all groups beneath the base group distinguished name (DN). If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the Group schema.

            An LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.

            Specifies how deep in the LDAP directory tree to search for groups. Valid values are subtree and onelevel.

            Specifies whether group searches into nested groups are unlimited, limited or off. Valid values are unlimited, limited and off.

            Specifies how many levels of group membership can be searched. This setting is valid only if GroupMembershipSearching is set to limited. Valid values are 0 and positive integers. For example, 0 indicates only direct group memberships will be found, and a positive number indicates the number of levels to search.

            Determines whether duplicate members are ignored when adding groups. The attribute cycles in the Group membership.

            Indicates whether to use the Active Directory TokenGroups attribute lookup algorithm instead of the standard recursive group membership lookup algorithm.

            Static Groups

            The attribute of a static LDAP group object that specifies the name of the group.

            The name of the LDAP object class that stores static groups.

            The attribute of a static LDAP group object that specifies the distinguished names (DNs) of the members of the group.

            An LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP groups that contain that member. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.

            Dynamic Groups

            The attribute of a dynamic LDAP group object that specifies the name of the group.

            The LDAP object class that stores dynamic groups.

            The attribute of the dynamic LDAP group object that specifies the URLs of the members of the dynamic group.

            The attribute of an LDAP user object that specifies the distinguished names (DNs) of dynamic groups to which this user belongs.

            General

            The LDAP connection pool size. Default is 6.

            The maximum time in seconds to wait for the connection to the LDAP server to be established. If this attribute is set to 0, there is no maximum time limit.

            Specifies the number of times to attempt to connect to the LDAP server if the initial connection failed.

            The delay in seconds when making concurrent attempts to connect to multiple LDAP servers.

            The maximum number of milliseconds for the LDAP server to wait for results before timing out. If this attribute is set to 0, there is no maximum time limit.

            Specifies whether to prevent LDAP connections from timing out.

            Specifies that a search for a user or group within the LDAP Authentication provider will follow referrals to other LDAP servers or branches within the LDAP directory. By default, this attribute is enabled.

            By default, the LDAP Authentication provider uses the same DN and password used to connect to the LDAP server when following referrals during a search. If you want to connect as an anonymous user, enable this attribute.

            Specifies whether the providers should propagate the cause of the LoginException.

            Specifies whether a cache is used with the LDAP server.

            The size of the cache (in kilobytes) that is used with the LDAP server.

            The time-to-live of the cache (in seconds) that is used with the LDAP server.

            Specifies whether to enable statistics of the cache.

            Specifies the name of the GUID attribute defined in the Active Directory LDAP server. The default value is objectguid.

            The name of the identity domain.

            • 3. Re: Active directory users are taking too much time while logging in OBIEE 12c
              3698127

              Sorry for the inconvenience, the parameters are not visible.

              • 4. Re: Active directory users are taking too much time while logging in OBIEE 12c
                Gianni Ceresa

                3698127 wrote:

                 

                ... Can you please let me know which parameters can set performance.

                It isn't as simple as that: there isn't a single thing which makes performance better or it would be turned ON by default.

                 

                You can look at https://docs.oracle.com/middleware/1213/wls/SECMG/ldap_atn.htm#SECMG185 and also in the Tuning guide I believe they have something about what could be checked to improve things.

                 

                But again: do not just randomly change everything. You must identify in detail where the time is spent to define what you can tune or not. Changing everything by copying some "best practices" document could maybe, if lucky, work for now, but you can also pay the price later with things not working fine or behaving weirdly etc.

                • 5. Re: Active directory users are taking too much time while logging in OBIEE 12c
                  2668432

                  Hi,

                  1) Have you set the virtualize as true in EM:

                   

                  2) It's worth checking "Principal Equals Case Insensitive" config

                  3) If the AD server uses a different attribute for User Name than "cn" then you need to edit it, as well as AllUsersFilter and UserFromNameFilter. In general, AD server uses “sAMAccountName” for UserNameAttribute.

                  4) If the AD server uses a different Group Name Attribute from the default you also need to change the AllGroupsFilter and GroupFromNameFilter

                  NB: Check with the internal AD team to ensure they have specified the relevant values e.g. UserNameAttribute

                   

                  Best regards,

                  Rajesh Dhanapal.

                  • 6. Re: Active directory users are taking too much time while logging in OBIEE 12c
                    Christian Berg

                    2668432 wrote:

                     

                     

                    2) It's worth checking "Principal Equals Case Insensitive" config

                     

                    Check it with regards to what?

                    • 7. Re: Active directory users are taking too much time while logging in OBIEE 12c
                      2668432

                      For e.g. when the AD user is set as "sThomas" and if the OBIEE user logs in as "sthomas" it creates the profile for sthomas. So by setting the above config it helped in our environment to set the correct BI Application roles.

                      • 8. Re: Active directory users are taking too much time while logging in OBIEE 12c
                        Christian Berg

                        The OP's question was about performance.

                        • 10. Re: Active directory users are taking too much time while logging in OBIEE 12c
                          Gianni Ceresa

                          Could you post some details on how you resolved it?

                          It's a community forum, where people share knowledge to help others. What worked for you in solving your issue could help others finding this thread and having the same problem.

                           

                          Post some info on how it has been solved and mark it as being the correct answer.

                          • 11. Re: Active directory users are taking too much time while logging in OBIEE 12c
                            Christian Berg

                            What was the answer? How was it resolved?

                             

                            A forum is where people help people. It's not just to come here, get a problem fixed and not give back to the community. Please follow forum etiquette and describe the solution. Also, please mark the appropriate posts as correct or helpful. This is for the benefit of all users.

                             

                            Mark Responses as Correct and Helpful

                            • 12. Re: Active directory users are taking too much time while logging in OBIEE 12c
                              3698127

                              Sure. I just followed the below mentioned workaround.

                               

                              Log in to WebLogic Administration Console (aka WLS or Admin Console), then click on “Security Realms” on the left, and then click the name of the realm that you use for security (for example, “myrealm”). Click the Providers tab. And then click the name of your Active Directory provider.

                               

                              Then select the Provider Specific tab. Scroll down to the section titled “Groups”. Change the Group Membership Searching setting from unlimited to limited, and then set Max Group Membership Search Level – change it from 0 (no limit) to 1 (or to the smallest number necessary for your environment).
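
Added example, not part of the thread or of WebLogic's own code: a simplified model of the nested group lookup that the workaround limits, showing how many directory searches each setting costs and which nested groups (and any application roles mapped to them) stop being resolved. The directory contents, DNs and the one-search-per-member model are assumptions constructed for illustration.

```python
from collections import deque

# Constructed sample directory: member DN -> groups listing it directly.
USER = "CN=sthomas,OU=Users,DC=example,DC=com"
MEMBER_OF = {
    USER: ["CN=BI-Finance", "CN=Staff"],
    "CN=BI-Finance": ["CN=BI-Consumers"],
    "CN=Staff": ["CN=All-Employees"],
    "CN=BI-Consumers": ["CN=BI-All"],
    "CN=All-Employees": ["CN=Domain-Everyone"],
}

def resolve_groups(user_dn, searching="unlimited", max_level=0):
    """Return (groups, searches) for a simplified membership lookup.

    Assumed model: one LDAP search per DN asks "which static groups contain
    this member?". With searching="limited", max_level 0 yields direct
    groups only; each extra level follows one more layer of nesting.
    """
    if searching not in ("unlimited", "limited"):
        raise ValueError("searching must be 'unlimited' or 'limited'")
    groups, searches = [], 0
    seen = {user_dn}
    queue = deque([(user_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        searches += 1  # one round trip to the directory per member DN
        for group in MEMBER_OF.get(dn, []):
            if group in seen:  # guards against membership cycles
                continue
            seen.add(group)
            groups.append(group)
            if searching == "unlimited" or depth < max_level:
                queue.append((group, depth + 1))
    return groups, searches

def groups_lost(user_dn, max_level):
    """Groups an unlimited search finds that a limited search drops."""
    full, _ = resolve_groups(user_dn, "unlimited")
    limited, _ = resolve_groups(user_dn, "limited", max_level)
    return sorted(set(full) - set(limited))

if __name__ == "__main__":
    print("unlimited:", resolve_groups(USER, "unlimited"))
    for level in (0, 1, 2):
        groups, searches = resolve_groups(USER, "limited", level)
        print(level, searches, "searches; lost:", groups_lost(USER, level))
```

Running the same comparison against an export of the real group structure shows the smallest search level at which no role-bearing group is lost.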