Use the SAP Mobile Platform administration perspective
to configure LDAP authentication and authorization security providers, which are used to
locate LDAP user information when organizational user groups exist within multiple LDAP
trees.
To accommodate an LDAP tree structure that cannot be searched from a
single search base, use one of the following approaches:
- Create an LDAP authentication module for each level in the
hierarchy – during the authentication process,
SAP Mobile Platform tries to authenticate against every
login module in the ordered list until authentication succeeds or until it
reaches the end of the list. Each module that fails costs a directory
round trip, and a wrong password is rejected only after every module has
been tried, so the more login modules you configure, the higher the
login latency.
- Use a wider AuthenticationScope for user searches –
specify the root node of the LDAP tree that contains all the user subtrees,
for example AuthenticationSearchBase="dc=sybase,dc=com", and
set AuthenticationScope=subtree. SAP Mobile Platform then
performs every authentication and authorization query against the entire
subtree. The cost of this approach grows with the size of the subtree below
the search base, so it can have performance implications on large directories.
- If multiple servers are clustered together to form a large
logical directory tree, configure the LDAPLoginModule by setting the
Referral property to follow, so that a referral returned by one server is
chased to the server that actually holds the entry instead of being
treated as a failed search.
- If subjects are members of a very large number of LDAP groups, the
search for physical roles can exceed the server's maximum result (size)
limit; the whole lookup then fails and, with it, authentication. To avoid this,
narrow the RoleSearchBase to the LDAP groups that are relevant only to
SAP Mobile Platform. SAP also
recommends setting the SkipRoleLookup property to true, which
eliminates the search of all the roles defined in the role search base;
do this only where authorization does not depend on the user's LDAP
group membership, since those roles are then not retrieved at all.
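The behaviour the options above turn on (an ordered list of login modules, a search base combined with a scope, and a role search that can trip the server's size limit) is modelled in the following added Python example. This is not SAP Mobile Platform code: the in-memory directory, the user and group entries, the passwords and the size limit of 25 are constructed sample data, and dc=sybase,dc=com is simply the base used on this page.

```python
"""Added example (not SAP Mobile Platform code): an in-memory model of how an
LDAP login module's search base, scope and the server's size limit interact.
All entries below are constructed sample data; DNs are written without spaces
after the commas so that string comparison works."""


class SizeLimitExceeded(Exception):
    """Mimics LDAP result code 4 (sizeLimitExceeded) returned by the server."""


def _parent(dn):
    """Parent DN of 'uid=a,ou=b,dc=c' is 'ou=b,dc=c'; a root entry has ''."""
    return dn.split(",", 1)[1] if "," in dn else ""


def ldap_search(directory, base, scope, predicate, size_limit=None):
    """Return the DNs under `base` whose attributes satisfy `predicate`.

    scope follows LDAP: 'base' (the base entry only), 'onelevel' (its direct
    children) or 'subtree' (the entry and everything beneath it). Exceeding
    the server-side size_limit fails the whole search, which is the failure
    mode the RoleSearchBase guidance is about."""
    hits = []
    for dn, attrs in directory.items():
        if scope == "base":
            in_scope = dn == base
        elif scope == "onelevel":
            in_scope = _parent(dn) == base
        elif scope == "subtree":
            in_scope = dn == base or dn.endswith("," + base)
        else:
            raise ValueError("unknown scope: %s" % scope)
        if in_scope and predicate(attrs):
            hits.append(dn)
            if size_limit is not None and len(hits) > size_limit:
                raise SizeLimitExceeded(base)
    return hits


def authenticate(directory, modules, uid, password):
    """Walk the ordered login-module list: each module searches its own
    AuthenticationSearchBase/AuthenticationScope, and the first one that finds
    the user and verifies the password wins. Returns (module_index, user_dn),
    or None once every module has been tried."""
    for index, module in enumerate(modules):
        for dn in ldap_search(directory, module["base"], module["scope"],
                              lambda a: a.get("uid") == uid):
            if directory[dn].get("userPassword") == password:  # stands in for a bind
                return index, dn
    return None


def physical_roles(directory, user_dn, role_search_base, scope="subtree",
                   size_limit=None, skip_role_lookup=False):
    """Collect the groups (physical roles) the user belongs to under
    RoleSearchBase. SkipRoleLookup=true returns no roles without querying."""
    if skip_role_lookup:
        return []
    groups = ldap_search(directory, role_search_base, scope,
                         lambda a: user_dn in a.get("member", ()),
                         size_limit=size_limit)
    return sorted(directory[g]["cn"] for g in groups)


def role_lookup_outcome(directory, user_dn, role_search_base, size_limit,
                        skip_role_lookup=False):
    """('ok', roles) or ('sizeLimitExceeded', None), for side-by-side comparison."""
    try:
        return "ok", physical_roles(directory, user_dn, role_search_base,
                                    size_limit=size_limit,
                                    skip_role_lookup=skip_role_lookup)
    except SizeLimitExceeded:
        return "sizeLimitExceeded", None


def build_sample_directory():
    """Constructed sample tree: two regional user subtrees and a groups OU in
    which only the ou=smp branch is relevant to SAP Mobile Platform."""
    alice = "uid=alice,ou=users,ou=emea,dc=sybase,dc=com"
    d = {
        "dc=sybase,dc=com": {},
        "ou=emea,dc=sybase,dc=com": {}, "ou=amer,dc=sybase,dc=com": {},
        "ou=users,ou=emea,dc=sybase,dc=com": {},
        "ou=users,ou=amer,dc=sybase,dc=com": {},
        "ou=groups,dc=sybase,dc=com": {},
        "ou=smp,ou=groups,dc=sybase,dc=com": {},
        alice: {"uid": "alice", "userPassword": "alice-pw"},
        "uid=bob,ou=users,ou=amer,dc=sybase,dc=com":
            {"uid": "bob", "userPassword": "bob-pw"},
    }
    for name in ("SMP_Admin", "SMP_Developer", "SMP_Reporting"):
        d["cn=%s,ou=smp,ou=groups,dc=sybase,dc=com" % name] = {"cn": name, "member": [alice]}
    for i in range(40):  # unrelated corporate groups alice also belongs to
        d["cn=corp%02d,ou=groups,dc=sybase,dc=com" % i] = {"cn": "corp%02d" % i, "member": [alice]}
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    per_level = [{"base": "ou=users,ou=emea,dc=sybase,dc=com", "scope": "onelevel"},
                 {"base": "ou=users,ou=amer,dc=sybase,dc=com", "scope": "onelevel"}]
    print(authenticate(d, per_level, "bob", "bob-pw"))          # found by module 1
    alice = "uid=alice,ou=users,ou=emea,dc=sybase,dc=com"
    print(role_lookup_outcome(d, alice, "ou=groups,dc=sybase,dc=com", 25))
    print(role_lookup_outcome(d, alice, "ou=smp,ou=groups,dc=sybase,dc=com", 25))
```

Running the module shows the two halves of the guidance: with one module per user subtree, bob is only found by the second module after the first has failed, whereas a single module with AuthenticationSearchBase=dc=sybase,dc=com and subtree scope finds both users in one search; and the same user's role lookup fails with sizeLimitExceeded from the broad ou=groups base but succeeds from the narrowed ou=smp base (or returns nothing when SkipRoleLookup is set).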