Use the SAP Mobile Platform
administration perspective to configure LDAP authentication
providers, which are used to locate LDAP user information when organizational user groups
exist within multiple LDAP trees.
To accommodate an LDAP tree structure that cannot be directly accessed
using one search base:
- Create an LDAP authentication provider for each level in the hierarchy – during the
authentication process, SAP Mobile Platform tries to
authenticate against every authentication provider in the ordered list until
authentication succeeds or until it reaches the end of the list. Depending on
the number of authentication providers you configure, this approach may have
some performance issues.
- Use different AuthenticationScopes for performing user searches –
specify the root node of a particular LDAP tree by entering AuthenticationSearchBase="dc=sap,dc=com",
and set Scope=subtree.
SAP Mobile Platform performs an LDAP
query against the entire subtree for authentication.
Depending on the number of AuthenticationScopes within the LDAP tree structure,
this approach can have performance implications.
- If multiple servers are clustered together to form a large logical directory tree, configure the
Directory Service (LDAP/AD) provider by setting the Referral
property to follow.
- If a user has been made a member of too many LDAP groups and
appears in too many rows, performance may be impacted. If the security profile
does not require any role mapping, the role lookup becomes unnecessary and you can
set the SkipRoleLookup property to true to eliminate the need to
search all the roles defined in the role search base. This mainly applies to
security profiles for applications, but not the Admin security profile.
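
The following is an added illustration, not SAP Mobile Platform code: a small Python model of the first two approaches above, using a constructed in-memory directory, that counts how many providers are consulted per login. The `onelevel` scope name, the sample DNs and passwords, and the choice to reject ambiguous matches are assumptions of the example.

```python
import hmac

# Constructed sample directory: DN -> password (stands in for an LDAP bind).
DIRECTORY = {
    "uid=alice,ou=sales,dc=sap,dc=com": "pw-a",
    "uid=bob,ou=eng,dc=sap,dc=com": "pw-b",
    "uid=carol,ou=ops,dc=sap,dc=com": "pw-c",
}

def search(uid, base, scope):
    """Return DNs for uid under base; scope is 'onelevel' or 'subtree'."""
    hits = []
    for dn in DIRECTORY:
        rdn, _, parent = dn.partition(",")
        if rdn != f"uid={uid}":
            continue
        direct = parent == base
        nested = parent.endswith("," + base)
        if direct or (scope == "subtree" and nested):
            hits.append(dn)
    return hits

def authenticate(uid, password, providers):
    """Try each (search base, scope) provider in order.

    Returns (authenticated, providers_tried), stopping at the first success.
    """
    tried = 0
    for base, scope in providers:
        tried += 1
        hits = search(uid, base, scope)
        # Assumption of this example: an ambiguous match is rejected.
        if len(hits) == 1 and hmac.compare_digest(DIRECTORY[hits[0]], password):
            return True, tried
    return False, tried

# Approach 1: one provider per level of the hierarchy, in order.
PER_LEVEL = [(f"ou={ou},dc=sap,dc=com", "onelevel") for ou in ("sales", "eng", "ops")]
# Approach 2: one provider rooted at dc=sap,dc=com with Scope=subtree.
SUBTREE = [("dc=sap,dc=com", "subtree")]

if __name__ == "__main__":
    for name, chain in (("per-level", PER_LEVEL), ("subtree", SUBTREE)):
        print(name, authenticate("carol", "pw-c", chain),
              authenticate("carol", "wrong", chain))
```

A failed login always walks the whole per-level chain, so bursts of bad passwords cost the most directory queries in that layout.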