01-23-2012 03:30 AM
We see a slow login when the users enter their credentials and click Sign In. It takes about 10 seconds to validate (Juniper - Active Directory) and go to the home page.
Why is this latency happening? Thanks.
01-23-2012 08:49 AM
If you are using the Active Directory server type on the IVE, it is searching all groups in all trusted domains; if there is any latency there, it will take time to authorize users.
You can mitigate this by switching authentication and authorization to LDAP. If you are not sure you want to do both components via LDAP, you can switch just the authorization piece.
LDAP is much quicker, cleaner, and more flexible with information you can get from it for users.
01-23-2012 12:18 PM
The admin guide is the best information available.
for users you will typically use samaccountname=<user>
for groups you will typically use cn=<groupname>
the admin DN is the LDAP-based path to the login; for example, cn=Administrator,cn=users,dc=domain,dc=com
the user search location is the LDAP URI for the users, for example cn=users,dc=domain,dc=com
01-24-2012 02:34 AM
But the configuration has a lot of fields. Can you tell me which of them are mandatory and how to fill them in? Thanks, I am trying but I can't get it. Thanks.
I attach a screenshot with my configuration.
01-24-2012 07:27 AM
ok; sorry I misunderstood your question.
In the first section (LDAP server), the following are required:
LDAP server type (if you are connecting to AD, choose that type)
The backup servers are not required, but you can use them if you want. The timeout values are required, but the defaults are good for most networks.
In the second section, "Authentication required?", both fields are required
The admin DN is the LDAP URI for the administrator; for example, cn=admin,cn=users,dc=domain,dc=com
In the third section, "Finding user entries" both fields are required.
the base DN is the LDAP URI where to start looking for users; if your users are all under your domain, dc=domain,dc=com is probably your best bet; if your users reside in another location, say myusers, you would do cn=myusers,dc=domain,dc=com
In the fourth section, "determining group membership", you need the first two fields and the last one, plus one of the others.
The base DN is where to start looking for groups; typically matches the user DN
the filter is how the groups are found; typically CN=<GROUPNAME> (set as that so that the group names can be retrieved)
The member attribute is set for static groups; this is member
The query attribute is set for dynamic groups; this is memberOf
You can enable the option for reverse lookup to start the group determination at the user level instead of the top level; it can speed up access
Nested groups is set if you have groups of groups (say your IT group hosts the admin group and apprentice group); you can either set how deep to look/chase the referral OR set to look at all if you know you don't have many to use
01-25-2012 02:54 AM
01-26-2012 02:11 AM
We have a multi-domain AD structure and the login process takes about 2-3 seconds using LDAP.
The duration of the login process depends on how large your AD is and how you configured the LDAP search string.
So if you, for example, have a large AD and start the group search at top level, it takes time for your LDAP server to search through the whole AD.
There are some errors in the LDAP configuration in your last posting, so maybe this can help you.
Generally... to avoid typos with DNs it is a good idea to use a tool like ADExplorer from Sysinternals to copy/paste the DN of a User or group.
If authentication is required for an LDAP search, then you must enter the DN of an appropriate account here.
CN=LDAPUser, OU=Users, DC=Creditocoucion, DC=es
Finding user entries
Here you have to define where the LDAP search will start searching for a user and what filter will be used for the search.
To start at top level this could be
What filter to use depends on how you want to search for the user within the AD.
If your users uses their normal AD login name, then the filter would be.....
...where sAMAccountName is the LDAP attribute you want to check.
Again...use a tool like ADExplorer to see which LDAP attributes are available if you want to do some special things. :-)
Determining group membership
This is a little bit the same as "Finding user entries".
Here you define where the LDAP search should start to determine if a user belongs to a group.
This is necessary if you want to grant permissions based on group membership.
If you want to do so, then, in my opinion, it would be a good idea to use dedicated groups for this and to put these groups in an extra OU. This would speed up the lookup.
For example an OU named "SSL-Groups".
The base DN would then be...
The filter : cn=<GROUPNAME>
Member attribute : member
Hope this helps you a little bit
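As an added worked example (written for this page; it is not code from any poster in the thread and not Juniper IVE code), the following Python models the lookups the two replies above describe: the "Finding user entries" search with a sAMAccountName=<USER> filter, the static group search via the member attribute, the reverse lookup via memberOf, and the nested-group chase. It runs against a constructed in-memory directory for the hypothetical domain example.com, with users under cn=users and groups under an ou=SSL-Groups container, and counts how many entries each search examines, which is the cost that grows when the base DN is set at the top of the tree instead of at a dedicated OU. It also escapes the login name per RFC 4515 before placing it in the filter, which is what any code building such a filter from user input should do.

```python
"""Toy model of the LDAP lookups described above: user search by
sAMAccountName under a base DN, static group search via 'member',
reverse lookup via 'memberOf', and a nested-group chase. Runs against a
constructed in-memory directory; it is an illustration, not IVE code."""
import re

# Constructed sample directory for the hypothetical domain example.com.
# Attribute names are stored lower-cased because LDAP attribute names are
# case-insensitive. A real deployment reads these entries from AD over LDAP.
DIRECTORY = {
    "dc=example,dc=com": {},
    "cn=users,dc=example,dc=com": {},
    "cn=jdoe,cn=users,dc=example,dc=com": {
        "samaccountname": ["jdoe"],
        "memberof": ["cn=apprentice,ou=ssl-groups,dc=example,dc=com"],
    },
    "cn=asmith,cn=users,dc=example,dc=com": {"samaccountname": ["asmith"]},
    "cn=computers,dc=example,dc=com": {},
    "cn=pc01,cn=computers,dc=example,dc=com": {"samaccountname": ["pc01$"]},
    "ou=ssl-groups,dc=example,dc=com": {},
    "cn=apprentice,ou=ssl-groups,dc=example,dc=com": {
        "member": ["cn=jdoe,cn=users,dc=example,dc=com"],
    },
    "cn=admin,ou=ssl-groups,dc=example,dc=com": {"member": []},
    "cn=it,ou=ssl-groups,dc=example,dc=com": {   # a group of groups
        "member": ["cn=apprentice,ou=ssl-groups,dc=example,dc=com",
                   "cn=admin,ou=ssl-groups,dc=example,dc=com"],
    },
}
JDOE_DN = "cn=jdoe,cn=users,dc=example,dc=com"


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that change a filter's meaning, so
    a login name like 'j*' cannot turn '(sAMAccountName=<USER>)' into a
    wildcard match."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def in_subtree(dn, base_dn):
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def search(base_dn, ldap_filter):
    """Subtree search for one equality filter, e.g. '(member=<dn>)'.
    Returns (matching DNs, number of entries examined); the second value is
    what grows when the base DN is set too high in the tree."""
    m = re.fullmatch(r"\(?([A-Za-z]+)=(.*?)\)?", ldap_filter)
    attr, wanted = m.group(1).lower(), _unescape(m.group(2)).lower()
    matches, examined = [], 0
    for dn, attrs in DIRECTORY.items():
        if not in_subtree(dn, base_dn):
            continue
        examined += 1
        if wanted in (v.lower() for v in attrs.get(attr, [])):
            matches.append(dn)
    return matches, examined


def find_user(username, base_dn, filter_template="sAMAccountName=<USER>"):
    """'Finding user entries': fill the filter template with the login name."""
    return search(base_dn, filter_template.replace(
        "<USER>", escape_filter_value(username)))


def static_groups(user_dn, group_base, nested_depth=0, member_attr="member"):
    """'Determining group membership' for static groups: groups whose member
    attribute lists the user, then, nested_depth more times, groups that list
    those groups. Returns (group DNs, total entries examined)."""
    found, frontier, examined = [], [user_dn], 0
    for _ in range(nested_depth + 1):
        new = []
        for dn in frontier:
            hits, n = search(group_base, "(%s=%s)" % (
                member_attr, escape_filter_value(dn)))
            examined += n
            new += [h for h in hits if h not in found and h not in new]
        found += new
        frontier = new
        if not frontier:      # nothing left to chase
            break
    return found, examined


def reverse_lookup(user_dn, query_attr="memberOf"):
    """Reverse lookup: read the user's own memberOf instead of scanning groups."""
    return list(DIRECTORY.get(user_dn, {}).get(query_attr.lower(), []))


if __name__ == "__main__":
    print(find_user("jdoe", "dc=example,dc=com"))
    print(find_user("jdoe", "cn=users,dc=example,dc=com"))
    print(static_groups(JDOE_DN, "ou=ssl-groups,dc=example,dc=com", nested_depth=1))
    print(reverse_lookup(JDOE_DN))
```

Running it shows the point of both replies: the same user is found whether the base DN is dc=example,dc=com or cn=users,dc=example,dc=com, but the scoped search examines a third of the entries; a group base of ou=ssl-groups,dc=example,dc=com examines only the group entries, and each extra nesting level repeats that scan once more per group found, so the nested-group depth should be set no higher than the directory actually needs. The reverse lookup via memberOf touches only the user's own entry, which is why it can speed up access.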
01-26-2012 09:23 AM
Glad to hear it is working; sorry for the delay in response (Frostie beat me to a reply).
If you are doing anything "extra" such as Host Checker or Cache Cleaner, those will add time independent of the authentication/authorization process. If you are using those things, can you disable them and see how long the login takes?