LDAP Question

rmackenzie
MVP
Posts: 733
Joined: Wed May 14, 2008 11:06 pm

Post by rmackenzie »

Hi all - I've been configuring LDAP-based password authentication and am wondering if it can be optimised a little bit and wondered if anyone had a pointer. In tm1s.cfg my LDAP set-up looks like this:

Code:

    # LDAP sync
    PasswordSource=LDAP
    LDAPPort=636
    LDAPHost=foo.bar.local
    LDAPUseServerAccount=T
    LDAPSearchBase=DC=foo,DC=bar,DC=local
    LDAPSearchField=sAMAccountName

And that works fine - client names are already sync'd to Windows log-ins and the user now enters their network password to get into TM1. However, it's a bit slow and I think it's maybe related to the LDAPSearchBase setting, which is the root of Active Directory and not pointed to look into a particular CN. When I try to set up the parameter like this:

Code:

    LDAPSearchBase=CN=TM1 Users,OU=Groups,OU=Other Stuff,DC=foo,DC=bar,DC=local

Then the authentication breaks down and I get an error:

tm1server.log wrote:
    TM1.LDAPAuth LDAP ERROR: 0x22 - search failed

Error 22 is described here as 'The distinguished name has an invalid syntax'. However, I know I've put the syntax in correctly as I've copied it directly from Active Directory. I thought the spaces in the DN might be the issue, but I found at least one IBM technote saying that quotes shouldn't be used on this parameter, and trying it anyway didn't make a difference.

Obviously, everything is working fine, so I'm not stuck - but any pointers to speed it up or configuring a better LDAPSearchBase parameter would be appreciated.

Cheers,
Robin
Robin Mackenzie
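Added example, not from the post above or from TM1 itself: a small offline checker for the class of defect an LDAP server reports as resultCode 34 (0x22, invalidDNSyntax) under the RFC 4514 string form of a DN (unescaped special characters, quotes, leading or trailing spaces), plus a check that a candidate LDAPSearchBase sits under the domain root. The DNs used in the test are constructed from the placeholder names in the post (foo.bar.local, "TM1 Users").

```python
"""Constructed example: validate an LDAPSearchBase DN against RFC 4514 syntax and the domain root."""
import re

_TYPE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)$")
_SPECIAL = set(',+"\\<>;')  # must be backslash-escaped when used inside a value

def _split_unescaped(text, sep):
    # Split on sep, keeping a backslash-escaped sep as part of the value.
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\":  # keep escape pairs together
            if i + 1 >= len(text): raise ValueError("dangling backslash at end of DN")
            buf.append(text[i:i + 2]); i += 2; continue
        if text[i] == sep:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def parse_dn(dn):
    """Return [(type, value), ...] or raise ValueError naming the defect.
    Multi-valued RDNs (a=1+b=2) are rejected to keep the example short."""
    pairs = []
    for rdn in _split_unescaped(dn.strip(), ","):
        if "=" not in rdn: raise ValueError(f"RDN {rdn!r} has no '='")
        atype, value = rdn.split("=", 1)
        if not _TYPE_RE.match(atype.strip()): raise ValueError(f"bad attribute type {atype!r}")
        if not value or value[0] in " #" or (value.endswith(" ") and not value.endswith("\\ ")):
            raise ValueError(f"value {value!r}: empty or unescaped leading/trailing space or '#'")
        i = 0
        while i < len(value):  # inner spaces (as in 'TM1 Users') are fine; specials are not
            if value[i] == "\\": i += 2; continue
            if value[i] in _SPECIAL:
                raise ValueError(f"value {value!r}: unescaped {value[i]!r}")
            i += 1
        pairs.append((atype.strip(), value))
    return pairs

def check_search_base(search_base, domain_root):
    """(True, rdns) if search_base is valid and at or below domain_root, else (False, why)."""
    try:
        base, root = parse_dn(search_base), parse_dn(domain_root)
    except ValueError as err:
        return False, str(err)
    norm = lambda p: [(t.lower(), v.lower()) for t, v in p]
    if len(base) < len(root) or norm(base)[len(base) - len(root):] != norm(root):
        return False, "search base is outside the domain root"
    return True, base
```

This checks only syntax and scope: a base DN that passes can still match no accounts, because the server searches the entries beneath the base, so it has to name a container (such as an OU) that actually holds the user objects.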
rozef
Posts: 74
Joined: Thu Jun 17, 2010 10:35 am
OLAP Product: TM1
Version: 9.4 9.5.1
Excel Version: 2003 - 2007

Re: LDAP Question

Post by rozef »

Hi,

You are right, it is slow because of your LDAPSearchBase parameter.
But not because of the syntax: if your LDAP link is based on the root, every time a user wants to connect, the search for the login will browse the whole enterprise directory.
It is usual to make an LDAP link based on a node restricted to TM1 users only; it will be far faster to connect.
Depending on the enterprise IT, it is more or less complicated. ;)