Slow LDAP authentication with SecureLogin

  • 7007439
  • 21-May-2012
  • 18-Dec-2012

Environment

Novell SecureLogin
NetIQ SecureLogin
NSL6.x
NSL7.x

Situation

Slow LDAP Logins
LDAP lookup with SecureLogin takes too long

Resolution

Make sure the workstation is running NSL7.0.3 HF3 or later. Fixes were made post NSL7sp3 that improve LDAP performance with SecureLogin. Beyond that, consider the following to minimize LDAP search time.

Solution 1 (preferred)
Limit SecureLogin's LDAP lookup by eliminating wild card searches and defining search attributes and/or search containers. (See sections 1.9 and 1.10 of TID 3790292 for more on search attributes and contexts.) Experiment with the following registry keys to see which work best in your environment:
 
1. Exclude the wild card search by adding the following registry entry under
HKLM\Software\Novell\Login\LDAP
"DoNotUseWildCardinSearch" - REG_DWORD - 1

2. Add search parameters with the following 3 registry values under
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\LDAPSearch]

  "ContextBasedSearch"  DWORD = 1   ------->  This enables the context search.

  "Context1"  REG_SZ = "O=Whatever"
  "Context2"  REG_SZ = "OU=something,O=Whatever"
  "Context3"  ----> continue listing as many contexts as are desired, but to minimize search time list only what is needed.

  "SearchAttributes"  REG_SZ = cn

Note: any publicly readable attribute can be specified as a search attribute, for example "fullName", "givenName", "sn", "cn", "uid", separated by commas. To minimize search time, however, list only the attributes that are absolutely needed.

Also note that quotation marks (" ") are not needed around the attribute entries.
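The following PowerShell script is an added example, not part of this TID, that applies all of the Solution 1 registry settings in one pass from an elevated prompt. The registry paths and value names are the ones listed above; the context DNs and the attribute list are constructed placeholders (taken from the TID's own "O=Whatever" examples) and must be replaced with the containers that actually hold your users. The backup file location is an assumption.

```powershell
# Added example (not from the TID): configure SecureLogin's LDAP search
# restrictions from Solution 1. Run from an elevated PowerShell prompt.
$ldapKey   = 'HKLM:\SOFTWARE\Novell\Login\LDAP'
$searchKey = Join-Path $ldapKey 'LDAPSearch'

# Constructed values: list only the containers that hold SecureLogin users,
# and only the attributes the login name is actually matched against.
$contexts         = @('O=Whatever', 'OU=something,O=Whatever')
$searchAttributes = 'cn'   # comma-separated, no surrounding quotes

# Export the current key first so the change can be reverted (assumed location).
$backup = Join-Path $env:TEMP ('NSL-LDAP-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKLM\SOFTWARE\Novell\Login\LDAP' $backup /y | Out-Null
Write-Host "Backup written to $backup"

# 1. Exclude the wild card search.
if (-not (Test-Path $ldapKey)) { New-Item -Path $ldapKey -Force | Out-Null }
New-ItemProperty -Path $ldapKey -Name 'DoNotUseWildCardinSearch' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Enable the context-based search and define the contexts.
if (-not (Test-Path $searchKey)) { New-Item -Path $searchKey -Force | Out-Null }
New-ItemProperty -Path $searchKey -Name 'ContextBasedSearch' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Remove any existing ContextN values so the list matches $contexts exactly
# (a stale, overly broad context would widen the search again).
(Get-Item -Path $searchKey).GetValueNames() |
    Where-Object { $_ -match '^Context\d+$' } |
    ForEach-Object { Remove-ItemProperty -Path $searchKey -Name $_ }

for ($i = 0; $i -lt $contexts.Count; $i++) {
    New-ItemProperty -Path $searchKey -Name ('Context{0}' -f ($i + 1)) `
        -PropertyType String -Value $contexts[$i] -Force | Out-Null
}

# 3. Restrict the search attributes.
New-ItemProperty -Path $searchKey -Name 'SearchAttributes' `
    -PropertyType String -Value $searchAttributes -Force | Out-Null

# Read everything back so the result can be checked (and recorded) before
# timing a test login.
Get-ItemProperty -Path $ldapKey   | Select-Object DoNotUseWildCardinSearch
Get-ItemProperty -Path $searchKey | Select-Object ContextBasedSearch, Context*, SearchAttributes
```

Time a login before and after the change; if the lookup is still slow, narrow the contexts or the attribute list further rather than widening them, since every additional container or attribute increases the work the directory has to do for each login.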


Solution 2
Login with the user's fully qualified distinguished name (fullDN).

When logging in with the fullDN (e.g. "cn=user1,ou=something,o=Whatever"), SecureLogin does not need to search for the user; the user object is already fully identified.
 
Solution 3
Rename or delete the registry entry:
"HKLM\Software\Novell\Graphical Login\NWLGE\Protocom-Slinac\LoginExtName"
This entry points to SLINAC.DLL (or SLINAC64.DLL).