http://www.wikio.fr WebSphere And Tivoli Tricks: My users authenticate with one userid but I want them to be identified with another ID from LDAP. Is that possible?

Monday, January 10, 2011

My users authenticate with one userid but I want them to be identified with another ID from LDAP. Is that possible?

There is a way to configure WebSphere Application Server to do just that. This assumes that the LDAP entry for each user has an attribute containing a string that can be used for the second userid. For example, let's call this attribute myname. Let's also assume the userid used for authentication is contained in an LDAP attribute called uid.


In the WebSphere Application Server LDAP configuration (from the administrative console, click Security > User Registries > LDAP > Advanced LDAP Settings), modify the User ID map field from *:uid to *:myname . This basically tells WebSphere Application Server to set the J2EE principal that is returned to the application to the value of the myname LDAP attribute. Normally, WebSphere Application Server would return the same userid that was used to logon.

As an example, assume that a user's LDAP entry has the following attribute/value pairs: uid=dale.sue.ping, myname=sueping.

With the above WebSphere Application Server LDAP configuration change, the user would logon with a userid of dale.sue.ping, authenticate with WebSphere Application Server/LDAP and, on a successful authentication, WebSphere Application Server will set the J2EE principal to sueping.

If the application has the capability to extract the J2EE principal, the application will see the user as "sueping" and not as "dale.sue.ping."
Publié par neo à l'adresse 2:29 PM

2 comments:

  1. AnonymousApril 18, 2011 at 7:47 AM

    Hello neo. I have the following situation: in the corporate new LDAP, uid is multi-valued, how can I tell WAS to take one of the two values in the attribute? By default WAS takes the first in attibute order.

    Ej. we have in the same entry uid=SCDIT38, uid=23456756 (being the first the Intranet User and the second the Employee Number)

    Thank you.

    ReplyDelete
  2. neoApril 19, 2011 at 8:36 AM

    To enforce global security in a WAS environment, contact the LDAP administration team to get the actual composition of a user's Distinguished Name (DN) in the LDAP directory system. The DN uniquely identifies a user's record in the directory. This DN , is most probably using the first attribute (SCDIT38) for all the users. An example is below. (CN=Common Name which is mapped to one of the UIDs)

    CN=SCDIT38,OU=xxxxx,DC=yyy,DC=zzz

    It sounds like, you may want to suggest to the LDAP team, to assign CN to the 2nd UID. With the new DN, you will need to reconfigure the WAS system's security.

    ReplyDelete

Subscribe to: Post Comments (Atom)