User Authentication - Converting internal security to external - Backout not working, wipes out pwds
Article ID: 115408
Updated On:
Products
CA Harvest Software Change Manager - OpenMake Meister
Issue/Introduction
After converting from internal security to external security, if things go bad, if I revert it to internal security, the with the script, its not working.
To convert Internal Security to External Security
%CA_SCM_HOME%\husrmgr -b <brokername> -usr <userid> -ow -ae="Y" userlist.txt
Backout Plan - To convert back to Internal Security
%CA_SCM_HOME%\husrmgr -b <brokername> -usr <userid> -ow -ae="N" ad-users.txt --------- This is not working.... It complains that password needs to be provided.
Why is this?
To convert Internal Security to External Security
%CA_SCM_HOME%\husrmgr -b <brokername> -usr <userid> -ow -ae="Y" userlist.txt
Backout Plan - To convert back to Internal Security
%CA_SCM_HOME%\husrmgr -b <brokername> -usr <userid> -ow -ae="N" ad-users.txt --------- This is not working.... It complains that password needs to be provided.
Why is this?
Environment
CA Harvest SCM all versions and platforms
Resolution
1. Why is the husrmgr utility asking to update user passwrods when switching from external authentication to internal authentication (-ae="N")?
When you switch a user from internal authentication to LDAP authentication, the password is no longer maintained within the SCM database. Since users under internal authentication rules must have a password, the husrmgr utility is assuming this information needs to be updated.
2. How do i effectively backout without any outage?
- One possibility is to set a default password and enable the feature that would force each user to change their password when logging on for the next time. The risk with this plan is that another user could could guess the default password and gain access to Harvest that way.
- Another possibility would be to backup the table in the Harvest database containing the user passwords and the flag that indicates whether the user is internally authenticated or externally authenticated. You could then restore that table from the backup if the switch to LDAP authentication had to be backed out. The one challenge with this approach is that it is an all-or-nothing change. You would not be able to back-out this change for some users but not for others.
3. Is there a table that I can back up or download the data?
The HARUSERDATA table would be the one to use for backup and restore.
4. How soon I can revert it back to Internal Security?
You should restore the table and revert back as soon as possible after the back out decision is made.
When you switch a user from internal authentication to LDAP authentication, the password is no longer maintained within the SCM database. Since users under internal authentication rules must have a password, the husrmgr utility is assuming this information needs to be updated.
2. How do i effectively backout without any outage?
- One possibility is to set a default password and enable the feature that would force each user to change their password when logging on for the next time. The risk with this plan is that another user could could guess the default password and gain access to Harvest that way.
- Another possibility would be to backup the table in the Harvest database containing the user passwords and the flag that indicates whether the user is internally authenticated or externally authenticated. You could then restore that table from the backup if the switch to LDAP authentication had to be backed out. The one challenge with this approach is that it is an all-or-nothing change. You would not be able to back-out this change for some users but not for others.
3. Is there a table that I can back up or download the data?
The HARUSERDATA table would be the one to use for backup and restore.
4. How soon I can revert it back to Internal Security?
You should restore the table and revert back as soon as possible after the back out decision is made.
Feedback
Yes
No
Powered by
