October 18th, 2012 13:00

SCA and LDAP, anyone get this to work?

Having a heck of a time getting LDAP authentication to work in SCA. My settings match what is listed in primus emc265179, example listed below.

But I cannot log in with a Windows domain account. If anyone else has this working correctly, I would appreciate some feedback on what your config looks like for this. Thanks

From primus emc265179:

Example LDAP DB query for user "doej":
C:\WINDOWS>dsquery user -d emc.com -name doe*
C:\WINDOWS>dsquery user -name doej | dsget user -dn -samid -upn

Resulting Ionix SCA LDAP configuration dialog settings for user "doej":
Domain Name: emc
Server: LDAPSERVER-01.emc.com
LDAP Port: 389
Base Domain Name: DC=emc,DC=com
Pattern: CN=doej,OU=Users,OU=North America

5 Practitioner (274.2K Posts)

November 9th, 2012 10:00

Hernan,

Please excuse my previous response. It has been a little while since I have executed this procedure with multiple users, so I went into the lab and tested it again.

It appears we are in fact REQUIRED to add each UNIQUE user pattern to the LDAP Configuration screen for authentication.

So my pattern view has each user pattern separated by an END OF LINE carriage return:

<%PATTERN_0%>

<%PATTERN_1%>

<%PATTERN_2%>

<%PATTERN_3%>

In this case, you should be able to copy the current line and paste in the subsequent entries, only having to change a few unique values for each user and hitting Enter at the end of each line as you paste.

I apologize for the initial false data, but this updated content should correct the issue.

-Ryan

5 Practitioner (274.2K Posts)

October 23rd, 2012 10:00

Hello Hernan,

Let me see if I can help clear up some of the issues you are having. There are a few items for which I think a step-by-step example may help with this configuration, which follows below:

We have a user named Ginger Bread who is assigned/created in the domain “tse” within the larger domain “emc.com”. When Ginger logs in, he does so by entering domain\username, which in this case is “tse\breadg”. Based on this detail we can confirm the base domain for Ginger is “tse.emc.com”.

The “dsquery” results form a string that corresponds to the user's location in the LDAP tree; for Ginger, his results are:

CN=Bread\, Ginger,OU=Technical Support,OU=AK Anchorage, OU=US TSE,DC=tse,DC=emc,DC=com

So, when we authenticate the user “breadg”, that correlates to the value of sAMAccountName, and it drills down through the tree as follows: com → emc → tse → us tse → ak anchorage → technical support → bread\, ginger

Now we can translate this to the SCA LDAP configuration, for which I suggest typing the “Pattern” in backwards (right to left), because once the values run out of the view we can no longer see them.

To leverage Ginger Bread’s LDAP credentials for the domain we will set up the Manage Authentication view as follows:

Domain Name: tse

Server: FQDN OR IP of LDAP Server

LDAP Port: Port being used for LDAP

Base Domain: DC=tse,DC=emc,DC=com

Patterns: CN=Bread\, Ginger,OU=Technical Support,OU=AK Anchorage, OU=US TSE

NOTES:

  1. Once this is accepted, create a new user with Authentication Method LDAP and enter the valid requirements.
  2. Log out
  3. Refresh the browser view to recreate the login screen
  4. Expand the link “Options>>”
  5. Enter valid domain (e.g. tse for Ginger Bread)
    1. Do not append the domain name in the User Name: field
  6. For our example:
    1. User Name: breadg
    2. Password: tastyTreat
    3. Domain: tse
  7. Click login.

I hope this helps you and others set up SCA LDAP authentication, and if there are any questions/comments please post back, or possibly open an SR if you feel that this needs further investigation.

Cheers,

-RyanT
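The translation RyanT walks through above (full DN from dsquery minus the Base Domain suffix gives the Pattern), plus the one-pattern-per-line layout Ryan describes in his later reply and the invisible-whitespace warning further down the thread, as an added example. This is not code from the thread or from Ionix SCA; it assumes only what the posts show, namely that the Pattern is the user's DN with the base DN removed. The DNs it runs on are constructed from the ones quoted in the thread.

```python
"""Derive SCA 'Manage Authentication' values from dsquery-style DNs.

Added example (not code from the thread or from Ionix SCA). It assumes only
that the SCA 'Pattern' is the user's full DN with the 'Base Domain' suffix
removed, which is what the examples in the thread show.
"""
from __future__ import annotations


def split_rdns(dn: str) -> list[str]:
    """Split a DN into its RDN strings on unescaped commas.

    RFC 4514 backslash escapes (e.g. 'CN=Bread\\, Ginger') are kept verbatim so
    the escaped comma inside a value is not treated as a separator.
    """
    rdns: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(ch)
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def normalize_rdn(rdn: str) -> str:
    """Canonical form for comparison: attribute upper-cased, value lower-cased, no padding."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().upper()}={value.strip().lower()}"


def base_dn_for_domain(dns_domain: str) -> str:
    """'tse.emc.com' -> 'DC=tse,DC=emc,DC=com' (the 'Base Domain' field)."""
    labels = [label for label in dns_domain.strip(".").split(".") if label]
    return ",".join(f"DC={label}" for label in labels)


def sca_pattern(full_dn: str, base_dn: str) -> str:
    """Strip the base DN suffix from a user's full DN to get the SCA 'Pattern'."""
    user_rdns = split_rdns(full_dn)
    base_rdns = split_rdns(base_dn)
    if len(base_rdns) >= len(user_rdns):
        raise ValueError(f"{full_dn!r} is not below base DN {base_dn!r}")
    suffix = [normalize_rdn(r) for r in user_rdns[-len(base_rdns):]]
    if suffix != [normalize_rdn(r) for r in base_rdns]:
        raise ValueError(f"{full_dn!r} is not below base DN {base_dn!r}")
    return ",".join(user_rdns[: -len(base_rdns)])


def sca_patterns_field(full_dns: list[str], base_dn: str) -> str:
    """One pattern per line, which is how the thread says multiple users must be entered."""
    return "\n".join(sca_pattern(dn, base_dn) for dn in full_dns)


def hidden_whitespace(value: str) -> list[str]:
    """Flag whitespace a form field can hide: leading/trailing, or non-space whitespace."""
    issues: list[str] = []
    if value != value.strip():
        issues.append("leading/trailing whitespace")
    for ch in value:
        if ch.isspace() and ch != " ":
            issues.append(f"non-space whitespace U+{ord(ch):04X}")
    return issues


if __name__ == "__main__":
    # Constructed from the DN quoted in the thread.
    ginger = "CN=Bread\\, Ginger,OU=Technical Support,OU=AK Anchorage, OU=US TSE,DC=tse,DC=emc,DC=com"
    base = base_dn_for_domain("tse.emc.com")
    print("Base Domain:", base)
    print("Pattern:    ", sca_pattern(ginger, base))
    print("Issues:     ", hidden_whitespace("CN=UserA,OU=Users,OU=NJ "))
```

Note that the dsquery output quoted above contains a space after the comma before `OU=US TSE`; the splitter drops that padding, so the generated Pattern has none, which avoids the hard-to-see space that the thread later blames for broken logins.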

5 Practitioner (274.2K Posts)

November 9th, 2012 09:00

Hi Hernan,

You will not be required to add a new LDAP Pattern entry for each additional user. SCA will leverage the current parameters in the LDAP configuration to search out and authenticate the next 6 users you create.

Just add a new user and change the authentication to LDAP and proceed. This should allow all your users to log in successfully.

Let us know what you find,

-Ryan

1 Rookie (63 Posts)

November 9th, 2012 09:00

Thanks for the feedback. OK, your example works well, HOWEVER...

If I add another user directly under the first, working/authenticated in SCA, SCA/LDAP authentication fails.

(I need to add 6 users altogether, and yes I have added the users in SCA and chose LDAP auth.)

I've tried using a comma and a semicolon, and neither, to separate the users, but that does not work either. WHAT AM I MISSING HERE?

Example:

Single user setup such as this works!

CN=UserA,OU=Users,OU=NJ

Add a second user, like below, SCA/LDAP authentication breaks, cannot login!

CN=UserA,OU=Users,OU=NJ

CN=UserB,OU=Users,OU=NJ

CN=UserA,OU=Technical Support,OU=AK Anchorage, OU=US TSE

CN=UserB,OU=Technical Support,OU=AK Anchorage, OU=US TSE

1 Rookie (63 Posts)

November 9th, 2012 13:00

Ryan,

Thanks for the clarification. I do believe the carriage return was my issue, so for anyone else having issues, BE VERY CAREFUL with any spaces you can't see when configuring LDAP in SCA, within ALL of the fields of the Manage Authentication dialog box.

I have tested with myself and another user, and we can both login successfully with our domain (LDAP) accounts. I will add the other users, very carefully.

Finally, are we limited to only ONE domain? For example, in my case most users are in our North America child domain. Can users in our Europe child domain also use this SCA instance? The Manage Authentication config page appears to allow only 1 domain.

Thanks again,

1 Rookie (8 Posts)

November 20th, 2012 00:00

Be aware and careful also with this implementation of LDAP authentication.

When a user tries to log in, SCA starts from the beginning of the user list and works to the end until it gets a successful login to the LDAP server.

If you use some password security on the LDAP server like account lockout, it will increase the counter for each user until SCA hits the correct user.

If you log in 3 times to SCA (for example, if you have account lockout after 3 attempts) and the other users are on vacation or didn't log in to LDAP during that time to reset the counter, their accounts will get locked.

The whole SCA seems not to be in a public state and is not well designed or developed, even if the idea behind it is fine.
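The lockout side effect described in the post above, as an added model that is not code from the thread or from Ionix SCA. It replays the reported behaviour (bind as every configured Pattern in turn with the typed password until one succeeds) against a stand-in directory with an account-lockout threshold, and contrasts it with the usual design of resolving the typed user name to one DN and binding exactly once. The DNs, passwords and threshold are constructed test data; real AD lockout also has an observation window and per-DC counters, which the model leaves out.

```python
"""Model of the lockout side effect described in the thread.

Added example, not code from the thread or from Ionix SCA. It models SCA's
reported behaviour (try every configured Pattern in order with the typed
password until a bind succeeds) against a directory with an account-lockout
threshold, and compares it with the usual design of resolving the typed user
name to one DN and binding once. The directory, DNs and passwords are
constructed test data; real AD lockout also has an observation window and
per-DC counters, which this model leaves out.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Account:
    dn: str
    password: str
    bad_pwd_count: int = 0
    locked: bool = False


class Directory:
    """Minimal LDAP-server stand-in with an AD-style lockout threshold."""

    def __init__(self, accounts: list[Account], lockout_threshold: int) -> None:
        self.accounts = {a.dn.lower(): a for a in accounts}
        self.lockout_threshold = lockout_threshold

    def bind(self, dn: str, password: str) -> bool:
        acct = self.accounts.get(dn.lower())
        if acct is None or acct.locked:
            return False
        if acct.password == password:
            acct.bad_pwd_count = 0  # a good bind resets badPwdCount, as in AD
            return True
        acct.bad_pwd_count += 1
        if acct.bad_pwd_count >= self.lockout_threshold:
            acct.locked = True
        return False


def sequential_pattern_login(directory: Directory, patterns: list[str],
                             base_dn: str, password: str) -> str | None:
    """Behaviour reported in the thread: bind as each pattern in turn until one succeeds."""
    for pattern in patterns:
        dn = f"{pattern},{base_dn}"
        if directory.bind(dn, password):
            return dn
    return None


def resolve_then_bind(directory: Directory, sam_to_dn: dict[str, str],
                      username: str, password: str) -> str | None:
    """Usual design: map the typed name to exactly one DN, then bind once as that DN."""
    dn = sam_to_dn.get(username.lower())
    if dn is None:
        return None
    return dn if directory.bind(dn, password) else None


# Constructed test data mirroring the thread's UserA/UserB layout (hypothetical domain).
BASE_DN = "DC=example,DC=com"
PATTERNS = ["CN=UserA,OU=Users,OU=NJ", "CN=UserB,OU=Users,OU=NJ", "CN=UserC,OU=Users,OU=NJ"]
PASSWORDS = {"usera": "pw-a", "userb": "pw-b", "userc": "pw-c"}


def sam_from_pattern(pattern: str) -> str:
    """'CN=UserA,...' -> 'usera' (the name typed at the SCA login screen)."""
    return pattern.split(",")[0][len("CN="):].lower()


def build_directory(lockout_threshold: int = 3) -> Directory:
    accounts = [Account(f"{p},{BASE_DN}", PASSWORDS[sam_from_pattern(p)]) for p in PATTERNS]
    return Directory(accounts, lockout_threshold)


def locked_after_logins(strategy: str, logins: int = 3) -> list[str]:
    """UserC (the last pattern) logs in `logins` times with the right password;
    return the DNs that end up locked as a side effect of that."""
    directory = build_directory()
    sam_to_dn = {sam_from_pattern(p): f"{p},{BASE_DN}" for p in PATTERNS}
    for _ in range(logins):
        if strategy == "sequential":
            bound = sequential_pattern_login(directory, PATTERNS, BASE_DN, PASSWORDS["userc"])
        else:
            bound = resolve_then_bind(directory, sam_to_dn, "userc", PASSWORDS["userc"])
        if bound is None:
            raise RuntimeError("UserC's own login should succeed in both designs")
    return [a.dn for a in directory.accounts.values() if a.locked]


if __name__ == "__main__":
    print("sequential:", locked_after_logins("sequential"))
    print("resolve   :", locked_after_logins("resolve"))
```

With a threshold of 3, three correct logins by the last user in the list lock the two users listed before them under the sequential strategy, while the resolve-then-bind strategy locks nobody; the same three logins with a threshold of 3 and only two logins lock nobody either, which is why the problem surfaces only when other users go a while without a successful bind of their own.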
