Notes/Domino 6 and 7 Forum

Authenticate via LDAP and AD - slow after extending schema on AD
~Samuel Frogerosongon 01/28/2004 01:18 AM
Domino Server 6.0.3 Windows 2000


I'm working on setting our web server to authenticate our employees via LDAP provided by Active Directory. So far it's working great - I can log in with my AD user ID and password, and AD passes back the name in AD that matches what I have in Domino.

Therein lies the problem. Everyone's name in Domino is composed of their preferred first name (e.g., Greg instead of Gregory), their middle initial, and their last name. This is how our 'name' is in Domino and in our HR system, but not in Active Directory. I got around this by having our AD admin add my 'HR name' to an additional field in AD, extensionAttribute2. AD returns this name just fine, as it is set up in Directory Assistance. However, if I use this field in a custom authentication filter, the web site is incredibly slow. If I don't use this in the authentication filter, but still have it as the 'Attribute to be used as Notes Distinguished Name', the web site loads at normal speed. In order to accommodate the different names, and the way people typically log in, I have the following Custom authentication formula:

(|(cn=%*)(extensionAttribute2=%*)(sAMAccountName=%*))

If I leave out extensionAttribute2, it runs great; if I leave it in, even if it's the only item in that formula (e.g., (extensionAttribute2=%*)), the site runs incredibly slowly.

In SQL parlance, I would have them index that field on the AD side, but I don't think there's any way to do that directly. Is there some other setting for AD to 'speed up' that attribute?
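
Added example, not part of the original post: Active Directory records whether an attribute is indexed in bit 0x1 of the searchFlags value on that attribute's schema object, so the script below reports that bit for every attribute named in the filter quoted above. It assumes the ActiveDirectory PowerShell module (RSAT, which requires a newer Windows release than the poster's Windows 2000), and the optional change at the end assumes Schema Admins rights.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) and, for the optional change, Schema Admins rights.
Import-Module ActiveDirectory

# The custom authentication filter quoted in the post.
$filter = '(|(cn=%*)(extensionAttribute2=%*)(sAMAccountName=%*))'

# Pull each attribute name that appears on the left of '=' in the filter.
$attributes = [regex]::Matches($filter, '\(([A-Za-z][A-Za-z0-9-]*)=') |
    ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique

# Attribute definitions live in the schema naming context.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

$report = foreach ($name in $attributes) {
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$name)" `
        -Properties lDAPDisplayName, searchFlags
    [pscustomobject]@{
        Attribute   = $name
        SearchFlags = [int]$attr.searchFlags                   # unset reads as 0
        Indexed     = ([int]$attr.searchFlags -band 1) -eq 1   # bit 0x1 = indexed
        SchemaDN    = $attr.DistinguishedName                  # empty if not found
    }
}
$report | Format-Table Attribute, SearchFlags, Indexed -AutoSize

# Optional: set the index bit on attributes reported as not indexed.
# Schema writes go to the schema master. -WhatIf prints the change without
# making it; remove -WhatIf only after reviewing the output.
$schemaMaster = (Get-ADForest).SchemaMaster
foreach ($row in $report | Where-Object { $_.SchemaDN -and -not $_.Indexed }) {
    Set-ADObject -Identity $row.SchemaDN -Server $schemaMaster `
        -Replace @{ searchFlags = ($row.SearchFlags -bor 1) } -WhatIf
}
```

A schema change applies forest-wide and the index is built on each domain controller after the change replicates, so the report should be re-run and the filter re-tested only after that has completed.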
