
Cognos BI is using LDAP groups for authorizations. Drastic performance problem.

Started by abcuser, 06 Dec 2016 07:52:03 AM


abcuser

Hi,
in our enterprise we use an Apache LDAP v3 compatible server with Cognos BI 10.2.1 fixpack 10.

I. Users are stored in LDAP path:
cn=users,ou=entries

Sample for Bob:
uid=bob,cn=users,ou=entries

II. Cognos groups authorizations are stored in:
ou=cognos,ou=servers,ou=groups,ou=entries

Samples for cube1 to cube20 authorization:
cn=cube1,ou=cognos,ou=servers,ou=groups,ou=entries
cn=cube2,ou=cognos,ou=servers,ou=groups,ou=entries
cn=cube3,ou=cognos,ou=servers,ou=groups,ou=entries
etc.
cn=cube20,ou=cognos,ou=servers,ou=groups,ou=entries

III. Common user and group path to set Base Distinguished Name is only:
ou=entries

IV.
In the Cognos group (see above) a user has 20 groups. But in the whole LDAP a particular user has hundreds of authorizations which are completely unrelated to Cognos. These authorizations are in a different path, like:
cn=some_other_group,ou=some_other_service,ou=groups,ou=entries
Common to Cognos is first path: ou=groups,ou=entries (I don't think this is really important, just telling how the LDAP structure is).

When a user with only Cognos authorizations logs in to Cognos BI using a web browser, it takes 17 seconds to log in.
When a user with Cognos authorizations and plenty of other authorizations logs in to Cognos BI, it takes up to more than a minute (I was required to enlarge the TimeOut Apache HTTP server parameter, which is by default set to 60 seconds, because some end users having plenty of authorizations got a Gateway TimeOut error).

I have monitored the network traffic between Cognos BI and LDAP and I see Cognos is working in the following way:
1. Userid and password checked. It takes a fraction of a second to get a response from LDAP.
2. Cognos BI requests authorizations with the Base Distinguished Name as the starting point, so it outputs hundreds of authorizations not related to Cognos. But the whole process takes surprisingly less than a second. But this step already has hundreds of authorization groups NOT related to Cognos.
3. Now to me completely illogical is this final step. For each of the groups returned in step 2 (you remember it can have hundreds of groups) the following query is executed:
   (&(objectclass=groupofuniquenames)(uniquemember=cn=some_group,ou=some_subgroup,ou=groups,ou=entries))
   and LDAP returns: searchResDone(84) success [0 result].
   Where (84) is the sequential number for the current group from step 2. Each of these queries in step 3 takes half a second; because there are 84 queries, it takes 42 seconds of total waste of time.

Questions:
a) Why is step 3 even needed? I think steps 1 and 2 are all that Cognos really needs to get authentication and authorization groups. In this case the whole login process would take like a second or maybe a little more. It is not a problem if it takes like 3 to 5 seconds, but no more.
b) Is there a way to limit the Cognos BI group search to only ou=cognos,ou=servers,ou=groups,ou=entries where in our case the Cognos groups are saved (I am targeting to reduce the number of groups I get returned from Cognos - step 2 above)? For illustration, the IBM DB2 relational database using LDAP login has a GROUP_BASEDN setting to set where groups should be searched from. I can't find such a setting in Cognos; is there one? If this setting is available in Cognos I would set it to the II. setting above.
c) Is there any other way to DRAMATICALLY speed up the Cognos login process? End users are killing me with this unacceptably long login time.

Regards
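
Added example, not part of the original post and not Cognos code: one way to measure from a captured trace how much of the step-3 time described above goes to per-group `uniquemember` searches for groups outside the Cognos subtree. The trace tuples are constructed sample data, and the DN splitting assumes no escaped commas.

```python
import re

# Subtree the post (section II) says holds the Cognos groups.
COGNOS_GROUP_BASE = "ou=cognos,ou=servers,ou=groups,ou=entries"

# Constructed trace: (search filter, seconds until searchResDone).
# DNs follow the patterns in the post; timings mirror its "half a second" figure.
_F = "(&(objectclass=groupofuniquenames)(uniquemember=%s))"
SAMPLE_TRACE = [
    ("(uid=bob)", 0.25),  # user lookup, not a membership query
    (_F % "cn=cube1,ou=cognos,ou=servers,ou=groups,ou=entries", 0.5),
    (_F % "cn=cube2,ou=cognos,ou=servers,ou=groups,ou=entries", 0.5),
    (_F % "cn=some_other_group,ou=some_other_service,ou=groups,ou=entries", 0.5),
    (_F % "CN=Some_Group, OU=Some_Subgroup, OU=Groups, OU=Entries", 0.5),
    (_F % "cn=x,ou=notcognos,ou=servers,ou=groups,ou=entries", 0.5),
]

MEMBER_RE = re.compile(r"\(uniquemember=([^()]+)\)", re.IGNORECASE)


def rdns(dn):
    """Split a DN into lower-cased RDNs (assumes no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(dn, base):
    """True if dn sits strictly below base, compared RDN by RDN."""
    d, b = rdns(dn), rdns(base)
    return len(d) > len(b) and d[-len(b):] == b


def summarize(trace, base=COGNOS_GROUP_BASE):
    """Count per-group membership searches and their time, by subtree."""
    stats = {"inside": [0, 0.0], "outside": [0, 0.0]}
    for ldap_filter, seconds in trace:
        match = MEMBER_RE.search(ldap_filter)
        if not match:
            continue  # not one of the step-3 per-group queries
        key = "inside" if in_subtree(match.group(1), base) else "outside"
        stats[key][0] += 1
        stats[key][1] += seconds
    return stats


if __name__ == "__main__":
    for where, (count, seconds) in summarize(SAMPLE_TRACE).items():
        print(f"{where:8s} queries={count:3d} time={seconds:.1f}s")
```

The "outside" row is the share of login time that scoping group lookups to the Cognos subtree would remove, which is the number to bring to whoever administers the LDAP namespace configuration.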

Invisi

My guess is that you can best ask this question primarily to an LDAP expert. I have fiddled around with Cognos on LDAP a long time ago and that went quite well. It's really long ago though, so I can't help you out. I think it may be something in your group structure in LDAP?
Few can be done on Cognos | RTFM for those who ask basic questions...

MikeD_AZ

Did you ever find any solution to this? We are experiencing something very similar and I'm trying to identify a solution.