Tuesday Jan 08, 2008

Speeding up LDAP queries when using Web Authentication

Some time back we discussed how to speed up LDAP authentication when logging into SGD. In this tip, we simply recommended reducing the user attributes that we search in order to authenticate a user given the provided credentials.

Well, nice tip as it was, it only works when you are logging in directly to SGD (using built-in authentication) and doesn't help if you are using Web Server Authentication, i.e. something else protects access to the /sgd URI: a simple mechanism like Apache basic HTTP authentication (.htaccess), say, or something powerful like Sun's Java System Access Manager.

If you're doing this, you need to configure an additional bean in the SGD system. And, to preserve your sanity, Fat Bloke recommends always keeping them in step by configuring them together:

/opt/tarantella/bin/tarantella stop
/opt/tarantella/bin/tarantella config edit --thirdpartyldaploginauthority.properties-searchAttributes cn mail
/opt/tarantella/bin/tarantella config edit --searchldapla.properties-searchAttributes cn mail
/opt/tarantella/bin/tarantella start

Sorry not to have mentioned this earlier ;-)

-FB
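
The four commands above, wrapped as a shell function so that both beans always receive the same attribute list (an added example, not code from the original post or from SGD). The function names, the `TARANTELLA` override variable and the attribute-name check are assumptions of this example; call it as `set_search_attrs cn mail`.

```shell
#!/bin/sh
# Added example: keep the two LDAP login authorities' searchAttributes in step.
# TARANTELLA can be overridden (assumption of this example) for a dry run.
TARANTELLA="${TARANTELLA:-/opt/tarantella/bin/tarantella}"

# Accept only plain LDAP attribute names (a letter, then letters, digits or
# hyphens) so a typo or stray metacharacter never reaches the server config.
valid_attr() {
    case "$1" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# set_search_attrs ATTR...
# Returns 0 on success, 2 on bad input, 1 if any tarantella command failed.
set_search_attrs() {
    [ "$#" -gt 0 ] || { echo "usage: set_search_attrs attr..." >&2; return 2; }
    for a in "$@"; do
        valid_attr "$a" || { echo "invalid attribute name: $a" >&2; return 2; }
    done

    # Nothing is touched until every name has passed validation.
    "$TARANTELLA" stop || return 1
    rc=0
    # Both beans get the identical list, so direct logins and web-server
    # authenticated logins search the same attributes.
    for key in thirdpartyldaploginauthority searchldapla; do
        "$TARANTELLA" config edit "--${key}.properties-searchAttributes" "$@" || rc=1
    done
    # Restart even if an edit failed, so the server is not left stopped.
    "$TARANTELLA" start || rc=1
    return "$rc"
}
```

A non-zero return after a restart means at least one bean may still hold the old list, so re-run before relying on the change.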

Friday Jul 06, 2007

Command line configuration of the array

Just as the command line equivalents of Object Manager are ...

/opt/tarantella/bin/tarantella object ...

... the command line equivalent of the Array Manager is the family of ...

/opt/tarantella/bin/tarantella config ...

commands which control the configuration of the SGD server itself.

One of the most common things FB does after a clean install of an SGD server is to configure the array to use LDAP authentication against the corporate directory. And with the command line, this is as simple as these 2 commands:

/opt/tarantella/bin/tarantella config edit --login-ldap-url "ldap://sun-ds.uk.sun.com/ou=people,dc=sun,dc=com"
/opt/tarantella/bin/tarantella config edit --login-ldap 1

The first command informs SGD of which Directory Service to use, and the second simply enables the LDAP login authority. Simple eh? Some may say that FB could be replaced by a script one day :-)

-FB

Wednesday Apr 18, 2007

Speeding up LDAP authentication

Lots of people use SGD with Directory Servers and it's easy to set up.
In the Array Manager simply enable the LDAP login authority and point SGD at the Directory Server.
Here's an example:

Now out of the box the LDAP login authority is very thorough in checking the supplied username against all of these searchAttributes:
{ cn, uid, mail, userPrincipalName, sAMAccountName }

And so for large directories this may take some time and lead to a slow login process.

So here's a tip:
Trim the list of search attributes down to say { cn, mail }.
The command to do this is:

/opt/tarantella/bin/tarantella config edit --searchldapla.properties-searchAttributes cn mail

Hopefully you'll see that this makes searches much faster and consequently the login process too.

-FB

About

Fat Bloke
