Use the SAP Mobile Platform administration perspective to configure LDAP authentication providers, which are used to locate LDAP user information when organizational user groups exist within multiple LDAP trees.
To accommodate an LDAP tree structure that cannot be directly accessed using one search base:
- Create an LDAP authentication module for each level in the hierarchy – during the authentication process, SAP Mobile Platform tries to authenticate against every authentication provider in the ordered list until authentication succeeds or until it reaches the end of the list. Depending on the number of authentication providers you configure, this approach may affect performance.
- Use different AuthenticationScopes for performing user searches – specify the root node of a particular LDAP tree by entering AuthenticationSearchBase="dc=sap, dc=com" and setting Scope=subtree. SAP Mobile Platform performs an LDAP query against the entire subtree for authentication information. Depending on the number of AuthenticationScopes within the LDAP tree structure, this approach can have performance implications.
- If multiple servers are clustered together to form a large logical directory tree, configure the Directory Service (LDAP/AD) by setting the Referral property to follow.
- If a user has been made a member of too many LDAP groups and appears in too many rows, performance may be impacted. If the security profile does not require any role mapping, the role lookup becomes unnecessary and can be avoided. Set the SkipRoleLookup property to true to eliminate the need to search all the roles defined in the role search base. This mainly applies to security profiles for applications, but not the Admin security profile.
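
The trade-off between the first two options, as an added sketch that is not SAP Mobile Platform code: a toy in-memory directory with constructed entries, where each provider is a hypothetical (search base, scope) pair. It counts how many providers a login touches and how many entries fall inside the searched scopes; note that a failed login always walks the whole per-level chain.

```python
import hmac

# Added model of provider-chain vs. subtree lookup; not SAP Mobile Platform code.
# Constructed sample directory: DN -> password (plain text only for this toy).
DIRECTORY = {
    "uid=alice,ou=sales,dc=sap,dc=com": "pw-a",
    "uid=bob,ou=eng,dc=sap,dc=com": "pw-b",
    "uid=carol,ou=qa,ou=eng,dc=sap,dc=com": "pw-c",
}


def in_scope(dn, base, scope):
    """onelevel: direct children of base; subtree: base and every descendant."""
    if scope == "onelevel":
        return dn.split(",", 1)[1] == base
    return dn == base or dn.endswith("," + base)


def search(base, scope, uid):
    """Return (matching DN or None, number of entries the scope covers)."""
    candidates = [dn for dn in DIRECTORY if in_scope(dn, base, scope)]
    hit = next((dn for dn in candidates if dn.startswith(f"uid={uid},")), None)
    return hit, len(candidates)


def authenticate(uid, password, providers):
    """Try each (base, scope) provider in order; stop at the first success.

    Returns (authenticated, providers_tried, entries_in_scope_total).
    """
    tried = covered = 0
    for base, scope in providers:
        tried += 1
        dn, n = search(base, scope, uid)
        covered += n
        if dn is not None and hmac.compare_digest(DIRECTORY[dn], password):
            return True, tried, covered
    return False, tried, covered


# Hypothetical configurations for the same tree (assumed for this example).
PER_LEVEL = [
    ("ou=sales,dc=sap,dc=com", "onelevel"),
    ("ou=eng,dc=sap,dc=com", "onelevel"),
    ("ou=qa,ou=eng,dc=sap,dc=com", "onelevel"),
]
SINGLE_SUBTREE = [("dc=sap,dc=com", "subtree")]
```
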