Environment
Novell SecureLogin
NetIQ SecureLogin
NSL6.x
NSL7.x
NetIQ SecureLogin
NSL6.x
NSL7.x
Situation
Slow LDAP Logins
LDAP lookup with SecureLogin takes too long
LDAP lookup with SecureLogin takes too long
Resolution
Make sure the workstation is running NSL7.0.3 HF3 or later. Fixes were made post NSL7sp3 that improve LDAP performance with SecureLogin. Beyond that, consider the following to minimize LDPA search time.
Solution 1 (preferred)
Limit SecureLogin's LDAP lookup by eliminate wild card searches, and defining search attributes and / or search containers. (See sections 1.9 and 1.10 of TID 3790292 for more on seach attributes and contexts.) Experiment with the following registry keys to see which work best in your environment:
Limit SecureLogin's LDAP lookup by eliminate wild card searches, and defining search attributes and / or search containers. (See sections 1.9 and 1.10 of TID 3790292 for more on seach attributes and contexts.) Experiment with the following registry keys to see which work best in your environment:
1. Exclude the wild card search by adding the following registry entry under
HKLM\Software\Novell\Login\LDAP
"DoNotUseWildCardinSearch" - REG_DWORD - 1.
"DoNotUseWildCardinSearch" - REG_DWORD - 1.
2. Add search parameters with following 3 registry values under
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\LDAPSearch]
"ContextBasedSearch" DWORD = 1 -------> This enables the context search.
"Context1" REG_SZ = "O=Whatever"
"Context2" REG_SZ = "OU=something,O=Whatever"
“Context3” ----> continue listing as many contexts as are desired, but to minimize search time list only what is needed.
"SearchAttributes" REG_SZ = cn
Note: any publicly readable attribute can be specified as a search attribute, for example "fullName", "givenName", "sn", "cn", "uid", separated by commas. To minimize search time, however, list as few attributes as are absolutely needed.
Also note that you do not need to provide " " while specifying the attribute entries.
Solution 2
Login with user's fully qualified distinguished name (fullDN ).
When logging in with the fullDN, (e.g. "cn=user1,ou=something,o=Whatever") SecureLogin does not need to search for the user; it is already fully defined.
Solution 3
Rename or delete the registry entry:
"HKLM\Software\Novell\Graphical Login\NWLGE\Protocom-Slinac\LoginExtName"
This will be pointing to SLINAC.DLL (or SLINAC64.DLL).