
Wednesday, July 13, 2011

Login is extremely slow for LDAP users in SAP BusinessObjects XI 3.1 and XI Release 2

CAUSE

Workflow of BusinessObjects to query LDAP users:

1. User enters their credentials and chooses LDAP (or SSO login brings user in via LDAP)
2. BO queries LDAP with a UniqueMember query at BASE DN (o=companyname, c=us)

NOTE: No matter how detailed you set the Base DN in the CMC, it will only use these two fields (o=companyname, c=us) to base the query on.

3. The user may exist in one or more groups; for a large LDAP directory, this query may take up to 30 sec.
4. A complete list of all groups where the user exists in LDAP is returned and compared to the list of groups mapped in the CMC (approximately 2 sec).
5. The user is matched with a mapped group and allowed access to InfoView (< 5 seconds).

The bottleneck here is the query that BO sends to the LDAP server to find the user.

SOLUTION

WARNING: You need to modify the registry on your server(s) to fix this. Take backups of your registry keys before proceeding.

XI 3.X


Windows:
1. Open regedit on your Windows Server using Start >> Run.
2. Navigate to the following key in your registry.
   a. (64-bit server) [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Business Objects\Suite 12.0\Enterprise\Auth Plugins\secLDAP]
   b. (32-bit server) [HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\Enterprise\Auth Plugins\secLDAP]
3. Create or edit the following STRING values in the above registry key (the entries are case sensitive, so you need to be very careful).
   a. GroupBaseDNs (Set this value to the base path where your LDAP query is to begin, e.g. ou={ldaptreelevel},ou={anothertreelevel},ou={groups},o={companyname}, c=us)

NOTE: You can get this from your LDAP administrator.

   b. GroupFilter (Set the value to true)
4. You may want to export the key to a .reg file that you can simply double-click on your other servers in the cluster/enterprise.
5. After making the changes, you will need to restart the SIA (Server Intelligence Agent) on each server to complete the changes.
6. Test the LDAP authentication by logging in to InfoView.

UNIX:
1. Navigate to $BOBJEDIR/data/.bobj/registry/software/business objects/suite 12.0/enterprise/auth plugins/secldap/
2. Back up the .registry file and then run 'vi .registry'
3. Add the following entries at the end of the file:
   a. "GroupBaseDNs"="" (Set this value to the base path where your LDAP query is to begin, e.g. ou={ldaptreelevel},ou={anothertreelevel},ou={groups},o={companyname}, c=us)

NOTE: You can get this from your LDAP administrator.

   b. "GroupFilter"="true"
4. Restart the SIA.
5. Test the LDAP authentication by logging in to InfoView.

XI R2

Windows:
NOTE: The functionality of this registry key only exists in FP 2.5 or later.
1. Open regedit on your Windows Server using Start >> Run.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 11.5\Enterprise\Auth Plugins\secLDAP\
3. Create or edit the following STRING values in the above registry key (the entries are case sensitive, so you need to be very careful).
   a. GroupBaseDNs (Set this value to the base path where your LDAP query is to begin, e.g. ou={ldaptreelevel},ou={anothertreelevel},ou={groups},o={companyname}, c=us)

NOTE: You can get this from your LDAP administrator.

   b. GroupFilter (Set the value to true)
4. You may want to export the key to a .reg file that you can simply double-click on your other servers in the cluster/enterprise.
5. After making the changes, you will need to restart the SIA (Server Intelligence Agent) on each server to complete the changes.
6. Test the LDAP authentication by logging in to InfoView.

UNIX:
1. Navigate to $BOBJEDIR/data/.bobj/registry/software/business objects/suite 11.5/enterprise/auth plugins/secldap/
2. Back up the .registry file and then run 'vi .registry'
3. Add the following entries at the end of the file:
   a. "GroupBaseDNs"="" (Set this value to the base path where your LDAP query is to begin, e.g. ou={ldaptreelevel},ou={anothertreelevel},ou={groups},o={companyname}, c=us)

NOTE: You can get this from your LDAP administrator.

   b. "GroupFilter"="true"
4. Restart the SIA.
5. Test the LDAP authentication by logging in to InfoView.
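
The UNIX steps for XI 3.X and XI R2 above (only the directory differs), as an added script that is not part of the original post: it backs up the `.registry` file, then sets `GroupBaseDNs` and `GroupFilter` so that re-running it never duplicates an entry. It assumes one `"Name"="value"` entry per line, as the entries above suggest; the function and script names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes .registry holds one "Name"="value" entry per line.

# set_entry FILE NAME VALUE: replace the NAME entry if present, else append it.
set_entry() {
    file=$1 name=$2 value=$3
    case $value in
        *'"'*) echo "$name: value must not contain a double quote" >&2; return 1 ;;
    esac
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # Strings go through the environment so awk does not interpret the
    # backslashes that escaped DN components may contain.
    ENTRY_NAME=$name ENTRY_VALUE=$value awk '
        BEGIN { key  = "\"" ENVIRON["ENTRY_NAME"] "\"="
                line = key "\"" ENVIRON["ENTRY_VALUE"] "\"" }
        index($0, key) == 1 { if (!done) print line; done = 1; next }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are unchanged.
    cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# apply_ldap_group_scope FILE GROUP_BASE_DN: back up FILE, then set both entries.
apply_ldap_group_scope() {
    file=$1 base_dn=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ -n "$base_dn" ] || { echo "GroupBaseDNs value is empty" >&2; return 1; }
    backup=$(mktemp "${file}.bak.XXXXXX") || return 1
    cp -p "$file" "$backup" || return 1
    set_entry "$file" GroupBaseDNs "$base_dn" &&
    set_entry "$file" GroupFilter true &&
    echo "updated $file (backup: $backup); restart the SIA to apply"
}

# Usage: sh set_ldap_scope.sh /path/to/.registry 'ou=groups,o=example,c=us'
if [ "$#" -eq 2 ]; then
    apply_ldap_group_scope "$1" "$2"
fi
```

Entry names are matched case-sensitively, in line with the note above that the entries are case sensitive.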




You may also refer to similar SAP KB Articles:


1459328 - Logon to Infoview is slow when using LDAP authentication against large directories
1183138 - How the LDAP plug-in works in manual and automatic refresh in BusinessObjects XI
1200153 - How to Improve LDAP Nested Group Queries by Adding GroupBaseDNs Registry Key

3 comments:

  1. Can you provide the solution in BI4? We are facing the same issue. It takes more than 5 seconds to get the launchpad.

    1. Hi Sakthi,

      If the problem is specific to LDAP logins, you may want to add the registry entry to the following path:

      HKEY_LOCAL_MACHINE\SOFTWARE\SAP BusinessObjects\Suite XI 4.0\Enterprise\Auth Plugins\secLDAP

      Let me know how that went. Also, I would like to know if you want me to add something to the blog.

      Regards,
      Thinker@blogger
