User authentication with multiple LDAP Groups

Article ID: 103251

Products

CA Infrastructure Management
CA Performance Management - Usage and Administration
DX NetOps

Issue/Introduction

The Single Sign-On authentication feature in CA Performance Center (CAPC) provides Lightweight Directory Access Protocol (LDAP) integration, which allows users to authenticate to an LDAP server. Once authenticated, these users are mapped to a predefined or a custom user account specified by the administrator.

Let's assume an environment has multiple LDAP groups, for example NetworkAdmin, SysAdmins and OperatorAdmin,
and that those groups are mapped to different roles:
NetworkAdmin = admin
SysAdmins = engineer
OperatorAdmin = operator

If a user is a member of two of these groups, e.g. NetworkAdmin and SysAdmins, which role will that user get: admin or engineer?
Will the search take the profile from the first matching group in the LDAP Group configuration and, once found, stop searching the remaining groups?

For example, suppose the LDAP configuration has the following parameters set for option "10. Group" when running the './SsoConfig' command:
....
<LDAPGroups>
  <Group searchTag="memberOf" searchString=" CN=NetworkAdmin,OU=Groups,OU=North America,DC=abcd,DC=com" user="{sAMAccountName}" passwd="" userClone="nadmin"/>
  <Group searchTag="memberOf" searchString=" CN=SysAdmins,OU=Groups,OU=North America,DC=abcd,DC=com" user="{sAMAccountName}" passwd="" userClone="sysadmin"/>
</LDAPGroups>
....

and a user is a member of both the 'NetworkAdmin' and 'SysAdmins' groups. When this user logs in to CA Performance Center, from which of these groups will the profile be taken?

Environment

CA Performance Center 

Resolution

For LDAP Groups authentication, when a user is a member of more than one configured group, the search works on a "first match wins" basis.
The user gets the profile (userClone) from the first matching group in the LDAP Group configuration, and the remaining groups in the list are not evaluated.
The groups must therefore be listed in the order in which they should be processed, because that order determines which role a multi-group user receives.

In the given example, the user gets the profile from the 'NetworkAdmin' group (userClone "nadmin"), because it is the first matching entry in the LDAP configuration.
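The following Python model illustrates the "first match wins" evaluation described above. It is an added example, not CA Performance Center's own code: it parses an <LDAPGroups> block like the one in the question (with a third, constructed OperatorAdmin entry added), matches each Group's searchString against the user's memberOf values, and returns the userClone of the first hit. DN comparison is normalised for case and surrounding whitespace, an assumption made here so that the leading space in the article's searchString values does not cause a silent non-match.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration: the two Group entries from the article plus a
# third one for OperatorAdmin, so that ordering effects can be shown. Not CAPC code.
LDAP_GROUPS_XML = """
<LDAPGroups>
  <Group searchTag="memberOf" searchString=" CN=NetworkAdmin,OU=Groups,OU=North America,DC=abcd,DC=com" user="{sAMAccountName}" passwd="" userClone="nadmin"/>
  <Group searchTag="memberOf" searchString=" CN=SysAdmins,OU=Groups,OU=North America,DC=abcd,DC=com" user="{sAMAccountName}" passwd="" userClone="sysadmin"/>
  <Group searchTag="memberOf" searchString="CN=OperatorAdmin,OU=Groups,OU=North America,DC=abcd,DC=com" user="{sAMAccountName}" passwd="" userClone="operator"/>
</LDAPGroups>
"""


def normalize_dn(dn):
    """Normalise a DN for comparison: trim each RDN and lower-case the whole string.

    LDAP DNs are case-insensitive; the trimming also absorbs the leading space that
    appears in the article's searchString values. (Assumed comparison rule.)
    """
    return ",".join(part.strip() for part in dn.strip().split(",")).lower()


def parse_groups(xml_text):
    """Return the configured groups as (searchTag, normalised searchString, userClone),
    preserving document order, because order is what decides the match."""
    root = ET.fromstring(xml_text)
    return [
        (g.get("searchTag"), normalize_dn(g.get("searchString")), g.get("userClone"))
        for g in root.findall("Group")
    ]


def resolve_clone(groups, user_attrs):
    """Apply first-match-wins: the first Group whose searchString equals one of the
    user's searchTag attribute values supplies the userClone; later groups are ignored.

    user_attrs maps an LDAP attribute name to the list of values returned for the user.
    Returns None when no configured group matches.
    """
    for tag, wanted, clone in groups:
        values = {normalize_dn(v) for v in user_attrs.get(tag, [])}
        if wanted in values:
            return clone
    return None


if __name__ == "__main__":
    groups = parse_groups(LDAP_GROUPS_XML)
    # Constructed directory entry for a user who is in both NetworkAdmin and SysAdmins.
    jdoe = {
        "sAMAccountName": ["jdoe"],
        "memberOf": [
            "CN=SysAdmins,OU=Groups,OU=North America,DC=abcd,DC=com",
            "CN=NetworkAdmin,OU=Groups,OU=North America,DC=abcd,DC=com",
        ],
    }
    print("configured order :", resolve_clone(groups, jdoe))            # nadmin
    print("reversed order   :", resolve_clone(list(reversed(groups)), jdoe))  # sysadmin
```

Note that the order of the user's own memberOf values is irrelevant; only the order of the <Group> entries in the configuration decides the outcome, which is why reversing the list flips the result from "nadmin" to "sysadmin".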

Additional Information

Note: When using this procedure, option "9. Account User Default Clone:" in SsoConfig must be left blank.

Example:

9. Account User Default Clone:



More details on LDAP configuration are available in the CA Performance Management documentation:

Set Up LDAP Authentication