Configuration Best Practices for Multiple LDAP Trees

Use the SAP Mobile Platform administration perspective to configure LDAP authentication providers, which are used to locate LDAP user information when organizational user groups exist within multiple LDAP trees.

To accommodate an LDAP tree structure that cannot be directly accessed using one search base:
  • Create an LDAP authentication provider for each level in the hierarchy – during the authentication process, SAP Mobile Platform tries to authenticate against every authentication provider in the ordered list until authentication succeeds or until it reaches the end of the list. Depending on the number of authentication providers you configure, this approach may have some performance issues.
  • Use different AuthenticationScopes for performing user searches – specify the root node of a particular LDAP tree by entering AuthenticationSearchBase="dc=sap, dc=com" and setting Scope=subtree. SAP Mobile Platform then performs an LDAP query against the entire subtree for authentication information. Depending on the number of AuthenticationScopes within the LDAP tree structure, this approach can have performance implications.
  • If multiple servers are clustered together to form a large logical directory tree, configure the Directory Service (LDAP/AD) provider by setting the Referral property to follow.
  • If a user is a member of too many LDAP groups and therefore appears in too many result rows, performance may be impacted. If the security profile does not require any role mapping, the role lookup is unnecessary and can be avoided: set the SkipRoleLookup property to true to eliminate the search across all roles defined in the role search base. This mainly applies to security profiles for applications, not to the Admin security profile.
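As an added illustration (not SAP Mobile Platform code), the following Python model contrasts the first two options above: a chain of per-tree providers tried in order versus one provider with a subtree scope rooted at dc=sap,dc=com. The directory entries, passwords and the plain-text password comparison are constructed stand-ins for a real LDAP bind.

```python
"""Model of LDAP search scope and ordered-provider fallback (constructed example)."""
from dataclasses import dataclass

def dn_components(dn: str) -> list[str]:
    """Split a DN into normalized RDNs, most specific first."""
    return [c.strip().lower() for c in dn.split(",")]

def in_scope(entry_dn: str, base: str, scope: str) -> bool:
    """True if entry_dn is reachable from base under the given LDAP scope:
    base = the base entry only, onelevel = direct children, subtree = everything below."""
    e, b = dn_components(entry_dn), dn_components(base)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False
    depth = len(e) - len(b)
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]

# Constructed sample directory: two regional trees under one root, plus a
# contractor OU that a narrow ou=users search base does not cover.
DIRECTORY = {
    "uid=alice,ou=users,ou=emea,dc=sap,dc=com": "pw-alice",
    "uid=bob,ou=users,ou=apac,dc=sap,dc=com": "pw-bob",
    "uid=carol,ou=contractors,ou=emea,dc=sap,dc=com": "pw-carol",
}

def search(base: str, scope: str, uid: str) -> list[str]:
    """Return DNs whose leftmost RDN is uid=<uid> and that fall within base/scope."""
    prefix = f"uid={uid.lower()},"
    return [dn for dn in DIRECTORY
            if dn.lower().startswith(prefix) and in_scope(dn, base, scope)]

@dataclass
class Provider:
    search_base: str  # AuthenticationSearchBase
    scope: str        # Scope: base, onelevel or subtree

def authenticate(providers: list[Provider], uid: str, password: str) -> tuple[bool, int]:
    """Try providers in order, stopping at the first success, as the ordered list
    in the text does. Returns (succeeded, number_of_providers_tried)."""
    tried = 0
    for p in providers:
        tried += 1
        for dn in search(p.search_base, p.scope, uid):
            if DIRECTORY[dn] == password:  # stand-in for a simple bind
                return True, tried
    return False, tried

# One provider per tree (option 1) versus a single subtree provider (option 2).
PER_TREE = [Provider("ou=users,ou=emea,dc=sap,dc=com", "onelevel"),
            Provider("ou=users,ou=apac,dc=sap,dc=com", "onelevel")]
SUBTREE = [Provider("dc=sap, dc=com", "subtree")]
```

With PER_TREE, a user in the second tree costs two provider attempts and a user outside both search bases is never found; with SUBTREE one query covers every branch, at the cost of searching the whole tree.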