SSL VPN
Contributor
kanorro
Posts: 40
Registered: ‎01-18-2012

Slow Login

We notice a slow login when the users enter their credentials and click Sign. It takes about 10 seconds to validate (JUNIPER-Active Directory) and reach the Home page.

Why is this latency happening??? THANKS

Moderator
zanyterp
Posts: 2,300
Registered: ‎11-19-2007

Re: Slow Login

If you are using the Active Directory server type on the IVE, it is searching all groups in all trusted domains; if there is any latency there, it will take time to authorize users.

You can mitigate this by switching authentication and authorization to LDAP. If you are not sure you want to do both components via LDAP, you can switch just the authorization piece.

LDAP is much quicker, cleaner, and more flexible with information you can get from it for users.

Contributor
kanorro
Posts: 40
Registered: ‎01-18-2012

Re: Slow Login

Is there any good manual about how to create an LDAP server???

I tried to create an LDAP server and I didn't understand the filter and the fields to fill in.

THANK YOU SO MUCH

Moderator
zanyterp
Posts: 2,300
Registered: ‎11-19-2007

Re: Slow Login

The admin guide is the best information available.

For users you will typically use samaccountname=<user>

For groups you will typically use cn=<groupname>

The admin DN is the LDAP-based path to the login; for example, cn=Administrator,cn=users,dc=domain,dc=com

The user search location is the LDAP URI for the users; for example, cn=users,dc=domain,dc=com

Contributor
kanorro
Posts: 40
Registered: ‎01-18-2012

Re: Slow Login

OK.

But in the configuration there are a lot of fields. Can you tell me which of them are required and how to fill them in? Thanks, I'm trying but I can't get it. THANKS

I attach a screenshot with my configuration.

Moderator
zanyterp
Posts: 2,300
Registered: ‎11-19-2007

Re: Slow Login

OK; sorry I misunderstood your question.

In the first section (LDAP server), the following are required:

Name
LDAP server
LDAP port
LDAP server type (if you are connecting to AD, choose that type)

The backup servers are not required, but you can use them if you want. The timeout values are required, but the defaults are good for most networks.

In the second section, "Authentication required?", both fields are required.

The admin DN is the LDAP URI for the administrator; for example, cn=admin,cn=users,dc=domain,dc=com

In the third section, "Finding user entries", both fields are required.

The base DN is the LDAP URI where to start looking for users; if your users are all under your domain, dc=domain,dc=com is probably your best bet; if your users reside in another location, say myusers, you would do cn=myusers,dc=domain,dc=com

In the fourth section, "Determining group membership", you need the first two fields, the last one, and one of the others.

The base DN is where to start looking for groups; it typically matches the user DN.

The filter is how the groups are found; typically CN=<GROUPNAME> (set as that so that the group names can be retrieved).

The member attribute is set for static groups; this is member.

The query attribute is set for dynamic groups; this is memberOf.

You can enable the option for reverse lookup to start the group determination at the user level instead of the top level; it can speed up access.

Nested groups is set if you have groups of groups (say your IT group hosts the admin group and apprentice group); you can either set how deep to look/chase the referral OR set it to look at all if you know you don't have many to use.

Contributor
kanorro
Posts: 40
Registered: ‎01-18-2012

Re: Slow Login

OK, I have created an LDAP Auth server for AD but I receive an error.

How should I create an LDAP server for this information????

Domain=CREDITOYCU.ES

Groups=Acceso VPN-SSL

I attach my configuration and the error.

THANKS

Contributor
kanorro
Posts: 40
Registered: ‎01-18-2012

Re: Slow Login

Now it's working :smileyhappy: but it spends the same time to do the login :smileysad:

How many seconds should it take from when the user enters the credentials until he is on the home page??? It's like 9-10 seconds :smileysad: THANKS

Contributor
Frostie
Posts: 49
Registered: ‎07-27-2010

Re: Slow Login

We have a multi-domain AD structure and the login process takes about 2-3 seconds using LDAP.

The duration of the login process depends on how large your AD is and how you configured the LDAP search string.

So if you, for example, have a large AD and start the group search at top level, it takes time for your LDAP server to search through the whole AD.

There are some errors in the LDAP configuration in your last posting, so maybe this can help you.

Generally... to avoid typos with DNs it is a good idea to use a tool like ADExplorer from Sysinternals to copy/paste the DN of a user or group.

Authentication required

----------------------------------

If authentication is required for an LDAP search, then you must enter the DN of an appropriate account here.

For example:

CN=LDAPUser, OU=Users, DC=Creditocoucion, DC=es

Finding user entries

----------------------------

Here you have to define where the LDAP search will start searching for a user and what filter will be used for the search.

To start at top level this could be

DC=creditocoucion,DC=es

What filter to use depends on how you want to search for the user within the AD.

If your users use their normal AD login name, then the filter would be...

sAMAccountName=<USERNAME>

...where sAMAccountName is the LDAP attribute you want to check.

Again... use a tool like ADExplorer to see which LDAP attributes are available if you want to do some special things. :-)

Determining group membership

------------------------------------------

This is a little bit the same as "Finding user entries".

Here you define where the LDAP search should start to determine if a user belongs to a group.

This is necessary if you want to grant permissions based on group membership.

If you want to do so, then, in my opinion, it would be a good idea to use dedicated groups for this and to put this group in an extra OU. This would speed up the lookup.

For example an OU named "SSL-Groups".

The base DN would then be...

OU=SSL-Group, DC=creditocoucion,DC=es

The filter: cn=<GROUPNAME>

Member attribute: member

Hope this helps you a little bit.
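The field semantics both replies describe (user base DN plus the sAMAccountName=<USERNAME> filter, group base DN, the member attribute for static groups, memberOf as the reverse lookup, and nested-group depth), as an added Python model that is not from the thread or from Juniper. It runs against a small constructed in-memory directory (the DNs are made up, the domain and group name are taken from the thread), and it also escapes the value substituted into a filter template per RFC 4515 so that a username containing filter metacharacters cannot change what the search matches, a point neither reply covers.

```python
# Toy model of the IVE user and group lookup discussed above (constructed, not Juniper code).
# RFC 4515 escaping for the value substituted into a template such as sAMAccountName=<USERNAME>,
# so a name containing ( ) * or \ cannot alter the meaning of the search filter.
_ESC = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def build_filter(template, placeholder, value):
    """Fill a filter template from the IVE form, e.g. 'cn=<GROUPNAME>', with an escaped value."""
    return template.replace(placeholder, ''.join(_ESC.get(c, c) for c in value))

def in_subtree(dn, base_dn):
    """True if dn equals base_dn or lies below it (case-insensitive suffix check)."""
    return dn.lower() == base_dn.lower() or dn.lower().endswith(',' + base_dn.lower())

def search(directory, base_dn, attr, value):
    """Equality search attr=value starting at base_dn (AD compares values case-insensitively)."""
    return [dn for dn, e in directory.items() if in_subtree(dn, base_dn)
            and value.lower() in [v.lower() for v in e.get(attr, [])]]

def find_user(directory, user_base, username):
    """'Finding user entries': user base DN plus the sAMAccountName=<USERNAME> filter."""
    return search(directory, user_base, 'sAMAccountName', username)

def group_membership(directory, user_dn, group_base, reverse=False, max_depth=1):
    """'Determining group membership': forward mode searches group_base for entries whose 'member'
    holds the DN; reverse mode follows the user's 'memberOf'. max_depth>1 chases nested groups."""
    found, frontier = set(), {user_dn}
    for _ in range(max_depth):
        if reverse:
            nxt = {g for dn in frontier for g in directory.get(dn, {}).get('memberOf', [])
                   if in_subtree(g, group_base)}
        else:
            nxt = {g for dn in frontier for g in search(directory, group_base, 'member', dn)}
        nxt -= found
        if not nxt:
            break
        found |= nxt
        frontier = nxt
    return found

# Constructed sample directory for the domain named in the thread; the entries are made up.
DOMAIN = 'DC=creditoycu,DC=es'
GROUPS = 'OU=SSL-Groups,' + DOMAIN          # dedicated OU for VPN groups, as Frostie suggests
USER, APPR = 'CN=jdoe,CN=Users,' + DOMAIN, 'CN=Apprentice,' + GROUPS
VPN, PRINT = 'CN=Acceso VPN-SSL,' + GROUPS, 'CN=Printers,CN=Users,' + DOMAIN
DIRECTORY = {
    USER: {'sAMAccountName': ['jdoe'], 'memberOf': [APPR, PRINT]},
    APPR: {'member': [USER], 'memberOf': [VPN]},   # nested: Apprentice sits inside the VPN group
    VPN: {'member': [APPR]},
    PRINT: {'member': [USER]},                     # outside OU=SSL-Groups, so never scanned
}
```

Starting the group search at the dedicated OU rather than at the domain root is what keeps groups like Printers out of the scan; with max_depth=1 the nested VPN group is missed, which is the case the nested-groups setting exists for.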
Moderator
zanyterp
Posts: 2,300
Registered: ‎11-19-2007

Re: Slow Login

Glad to hear it is working; sorry for the delay in response (Frostie beat me to a reply).

If you are doing anything "extra" such as Host Checker or Cache Cleaner, those will add time independent of the authentication/authorization process. If you are using those things, can you disable them and see how long the login takes?

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.