Login is extremely slow for LDAP users in SAP BusinessObjects XI 3.1 and XI Release 2

CAUSE

Workflow of BusinessObjects to query LDAP users:

1. User enters their credentials and chooses LDAP (or SSO login brings user in via LDAP)

2. BO queries LDAP with a UniqueMember query at BASE DN (o=companyname, c=us)

NOTE: No matter how detailed you set the Base DN in the CMC, it will only use these two fields (o=companyname, c=us) to base the query on.

3. User may exist in one or more groups, for a large LDAP (this query may take up to 30 sec)

4. A complete list of all groups where user exists in LDAP is returned and compared to list of groups mapped in the CMC. (approximately 2 sec)

5. User is matched with mapped group and allowed access to InfoView ( < 5 seconds)

The bottleneck here is the query that BO sends to the LDAP server to find the user.

SOLUTION

WARNING: You need to modify registry on your server(s) to fix this. Take backups of your registry keys before proceeding.

XI 3.X

Windows:

1. Open regedit on your Windows Server using Start>>Run.

2.  Navigate to the following key in your registry.

     a.       (64Bit Server) [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Business Objects\Suite 12.0\Enterprise\Auth Plugins\secLDAP]

     b.    (32Bit Server) [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\Enterprise\Auth Plugins\secLDAP]

3. Create or edit the following STRING values in the above registry key (The entry is case sensitive so you need to be very careful).

    a.  GroupBaseDNs (Make this value equal to the base path of where your LDAP query is to begin. i.e. ou={ldaptreelevel},ou={anothertreelevel},ou={groups},o= {companyname}, c=us)

NOTE: You can get this from your LDAP administrator.

   b. GroupFilter (Set the value  to true)

4. You may want to export the key to a .reg file that you can simply double-click on with your other servers in the cluster/enterprise.

5. After making the changes, you will need to restart the SIA (Server Intelligence Agent) on each server to complete the changes.

6. Test the LDAP authentication by logging in to InfoView.

UNIX:

1. Navigate to $BOBJEDIR/data/.bobj/registry/software/business objects/suite 12.0/enterprise/auth plugins/secldap/ 

2. Backup the .registry file and then run 'vi .registry'

3. Add the following entries at the end of the file

   a. “GroupBaseDNs”=”” (Make this value equal to the base path of where your LDAP query is to begin. i.e. ou={ldaptreelevel},ou={anothertreelevel},ou={groups},o= {companyname}, c=us)

NOTE: You can get this from your LDAP administrator.

   b. “GroupFilter”=”true”

4. Restart the SIA.

5. Test the LDAP authentication by logging in to InfoView.

XI R2

Windows:

NOTE: The functionality of this registry key only exists in FP 2.5 or later.

1. Open regedit on your Windows Server using Start>>Run.

2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 11.5\Enterprise\Auth Plugins\secLDAP\

3. Create or edit the following STRING values in the above registry key (The entry is case sensitive so you need to be very careful).

   a. GroupBaseDNs (Make this value equal to the base path of where your LDAP query is to begin. i.e. ou={ldaptreelevel},ou={anothertreelevel},ou={groups},o= {companyname}, c=us)

NOTE: You can get this from your LDAP administrator.

   b. GroupFilter (Set the value  to true)

4. You may want to export the key to a .reg file that you can simply double-click on with your other servers in the cluster/enterprise.

5. After making the changes, you will need to restart the SIA (Server Intelligence Agent) on each server to complete the changes.

6. Test the LDAP authentication by logging in to InfoView.

UNIX:

1. Navigate to $BOBJEDIR/data/.bobj/registry/software/business objects/suite 11.5/enterprise/auth plugins/secldap/

2. Backup the .registry file and then run 'vi .registry'

3. Add the following entries at the end of the file:

   a. “GroupBaseDNs”=”” (Make this value equal to the base path of where your LDAP query is to begin. i.e. ou={ldaptreelevel},ou={anothertreelevel},ou={groups},o= {companyname}, c=us)

NOTE: You can get this from your LDAP administrator.

   b. “GroupFilter”=”true”

4. Restart the SIA.

5. Test the LDAP authentication by logging in to InfoView.

You may also refer to similar SAP KB Articles:

1459328 - Logon to Infoview is slow when using LDAP authentication against large directories
1183138 - How the LDAP plug-in works in manual and automatic refresh in BusinessObjects XI
1200153 - How to Improve LDAP Nested Group Queries by Adding GroupBaseDNs Registry Key

What’s new in SAP BusinessObjects Enterprise Business Intelligence 4.0 platform?

SAP BI 4.0 release has been the first major release of the BI platform since SAP acquired BusinessObjects. In this release, the semantic layer (universe layer for the uninitiated) has been re-worked completely to expose all business data under a single umbrella. The self-service BI portal (aka Infoview) has been revamped with a new AJAX based design and providing quicker and easier access to content. Publishing and distribution of BI content to mass audience has been made easier. There are also improvements to the lifecycle management (LCM tool) and platform administration (CMC, CCM) from a single console. This is in a nutshell are the changes that Aurora or SAP BO 4.0 bring, allowing BI content to be delivered across different channels ranging from the browser (BI Launch Pad, SharePoint, SAP NetWeaver Portal, Java Portal) to desktop (widgets), MS-Office and mobile.

In the following section I’ll try to cover the major changes that have been effected in the following products:

Semantic Layer - A new tool, Information Design Tool enhances the Universe Designer. The universes created by this tool are identified by the .UNX file extension and allow connections to multiple data sources.

The universe designer is still there. Renamed as universe design tool, it allows creating single data source universes (.UNV file extension) as before.

Conversion of previous universe .unv versions is supported only for relational universes created in previous universe designer versions and not possible for OLAP universes or universes based on stored procedures or Data Federator data source.

No authentication is required to start the information design tool. Users can create and edit unsecured resources (data foundations, business layers, connections) in local projects and publish them to the repository to make them secure.

Connections to relational data sources, OLAP data sources as well as SAP NetWeaver BEx query can be created, be local (saved locally as .cnx files) or secured (stored in the repository).

The newly named “Data foundations” are analogous to the schema browsers in Universe Designer. They contain the schema of relevant tables and joins from one or more relational databases that are used as a basis for one or more business layers.

The business layer is the universe metadata. Depending on the type of data source for the business layer, several types of objects e.g. folders, dimensions, analysis dimensions, measures, attributes, filters, hierarchies (OLAP only) can be created and edited in the business layer.

Search - enhancements include a new enhanced search engine allowing search by document attributes as well as content. Search results can be filtered and refined easily and the search GUI is integrated in the BI launch pad

There are also enhanced options through the OpenSearch API which enables integration with other search systems like Google Search Appliance, Microsoft SharePoint portal and NetWeaver Enterprise Search.

BI Portal - includes a new look re-designed web portal (InfoView) now called the BI LaunchPad providing a rich new user experience. It provides quick and easy access to BI applications and search, a handy list of recently used reports, scheduled documents, alerts etc., multiple tabs and pinning options, and a reduction in the manual steps for common tasks like:

§  Ability to create new folder while Saving

§  Schedule and Send To actions in Document viewers

§  Auto-refresh in History page

Alerting, Monitoring & Auditing - The alerting framework allows triggering of alerts based on events (schedule completion, ETL completion, system monitoring etc.) or data conditions as also reactions to those events e.g. scheduling report to run or send notification message. Subscription to alerts is made easier with a consistent workflow, allowing notification emails or messages in the BI Launch Pad.

New monitoring applications are available to keep tabs on system health and performance (server metrics, custom probes, user-defined watch conditions, visualization dashboard in CMC) and integrate with infrastructure monitoring tools like Tivoli and SAP Solution Manager.

Auditing enhancements include simplified system wide configuration, auto-purging of old data and an enhanced audit store schema which simplifies reporting and application development.

Lifecycle Management - The LCM console replaces the import wizard. It allows connection override in bulk mode automatically, supports version control and rollback, is audit-able and provides scripting facility.

Upgrades and deployments - A new optimized upgrade management tool is provided, combining the best of Import Wizard and Database Migration tool in XI 3.x. This caters to one-click full upgrade or selective incremental upgrades, allowing direct upgrade from XI R2 SP2 or later. There’s enhanced scalability in deployment with virtualization and 64-bit support.

Sneak preview demo of SAP BusinessObjects 4.0:



PS: Please feel free to share your views. Also, if you have some information that you want to share or want to know something more, please leave your comments.