Introduction
Secure Global Desktop is rather liberal in the attributes it tests for when using an LDAP Directory Service as a login authority. By default, SGD checks the supplied login name against the attributes:
cn, uid, mail, userPrincipalName, sAMAccountName
In other words, a user logging into SGD may provide any of these attributes in the logon box and be successfully authenticated. This provides a lot of flexibility, but at the expense of additional overhead in repetitive calls to your Directory Service. By limiting users to a smaller set of schema attributes as their login name, you can reduce the set of attributes searched, and thus improve login performance.
Note that this only applies to the LDAP Login Authority (and web authentication when searching LDAP for a matching profile); when using the Active Directory login authority, only userPrincipalName is searched.
(Not to add to the confusion, but you can define an LDAP login authority that resolves to an Active Directory domain controller; in this case, SGD will treat the directory service as an LDAP server.)
Procedure
1. Define which of the attributes you wish to use for logging into SGD. For example, mail and cn.
# tarantella stop
# tarantella config edit --searchldapla.properties-searchAttributes mail cn
# tarantella start
2. If you're using Web Server authentication with a "Search LDAP Repository" strategy defined, a similar search is performed, and it can similarly be edited to improve performance (in this case, three attributes are searched by default: cn, uid, and mail). It's best if the two bean properties are kept in sync. For example:
# tarantella stop
# tarantella config edit --thirdpartyldaploginauthority.properties-searchAttributes mail cn
# tarantella config edit --searchldapla.properties-searchAttributes mail cn
# tarantella start