Authentication in EEM with a domain forest fails

Article ID: 143619

Products

CA Service Catalog, CA Service Desk Manager, CA Process Automation Base

Issue/Introduction

After linking Embedded Entitlements Manager (EEM) to an external multi-domain Active Directory forest, users with accounts in multiple domains of the forest are unable to log in to applications.

Environment

Release : 4.3

Component : CA Embedded Entitlements Manager

Resolution

EEM requires the user identity it maps to be unique in order to verify authentication and authorization. Without this, a user may be checked against the wrong copy of the user name: AD cannot guarantee which "version" of the userid a search will hit first.

When designing a new environment it is usual to map the User Name (userid) to a unique element like Principal User Name, in order to avoid such problems. However, when an existing environment is moved from a single domain to multiple domains, this may not be an option: changing every userid in the embedding application, whether Process Automation, Service Catalog or anything else, may be difficult or even impossible. The alternative is to use a custom LDAP Attribute Mapping whose filters exclude the duplicates you have.

LDAP Attribute Mapping is controlled in the EEM UI under Configure > User Store > LDAP Attribute Mapping. Create a new custom mapping based on the one that is otherwise working, and amend both the User Search Filter and User Authentication Filter to one that only sees unique users.

For example, here are the default filters for Microsoft Active Directory:

     User Search Filter : (&(objectClass=user)(!(objectClass=computer)))

     User Authentication Filter : (&(objectClass=user)(!(objectClass=computer))(sAMAccountName={UserName}))

Typically, there will be an attribute in the directory that distinguishes the "duplicate" users; for example, only the "primary" account has a Manager defined. Adding this attribute to both filters ensures that neither a search (a lookup of the user) nor authentication (a check of the ID) sees two versions:

     User Search Filter : (&(objectClass=user)(manager=*)(!(objectClass=computer)))

     User Authentication Filter : (&(objectClass=user)(manager=*)(!(objectClass=computer))(sAMAccountName={UserName}))

LDAP query syntax can be quite complex, including Boolean clauses like those above. 
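To make the effect of the amended filters concrete, the following added example (not part of the article, and not EEM or CA code) evaluates the article's default and amended filters against a constructed in-memory forest in which the same sAMAccountName exists in two domains. The forest entries, the domain names and the `manager` values are invented for illustration; the `manager=*` presence clause is the article's own example of a distinguishing attribute. The example also escapes the value substituted for `{UserName}` per RFC 4515, which a real mapping layer must do so that a supplied username cannot turn the equality clause into a wildcard.

```python
"""Simulate EEM-style user lookup/authentication filters against a small,
constructed multi-domain AD forest (added example, not the article's code)."""
import re

# Constructed sample forest: "jsmith" exists in both domains; only the
# primary account in corp has a manager attribute. DNs and names are invented.
FOREST = [
    {"dn": "CN=jsmith,OU=Users,DC=corp,DC=example",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "jsmith",
     "manager": "CN=mjones,OU=Users,DC=corp,DC=example"},
    {"dn": "CN=jsmith,OU=Users,DC=legacy,DC=example",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "jsmith"},
    {"dn": "CN=akumar,OU=Users,DC=legacy,DC=example",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "akumar",
     "manager": "CN=mjones,OU=Users,DC=corp,DC=example"},
    {"dn": "CN=WS01,OU=Computers,DC=corp,DC=example",
     "objectClass": ["top", "user", "computer"], "sAMAccountName": "WS01$"},
]

# Filters exactly as the article gives them (default AD mapping and amended).
DEFAULT_SEARCH = "(&(objectClass=user)(!(objectClass=computer)))"
DEFAULT_AUTH = "(&(objectClass=user)(!(objectClass=computer))(sAMAccountName={UserName}))"
UNIQUE_SEARCH = "(&(objectClass=user)(manager=*)(!(objectClass=computer)))"
UNIQUE_AUTH = "(&(objectClass=user)(manager=*)(!(objectClass=computer))(sAMAccountName={UserName}))"


def escape_value(value):
    """RFC 4515 escaping for a value substituted into a filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def parse_filter(text):
    """Recursive-descent parser for the subset used here: &, |, ! and
    equality / presence items. Returns a nested tuple tree."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            node = (op, children)
        elif op == "!":
            pos += 1
            node = ("!", [parse()])
        else:
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            node = ("=", attr.strip(), value.strip())
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _attr_values(entry, attr):
    """Case-insensitive attribute lookup; always returns a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = _attr_values(entry, attr)
    if value == "*":                      # presence filter, e.g. (manager=*)
        return bool(values)
    # Decode \XX escapes so an escaped "*" compares literally, not as a wildcard.
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return any(v.lower() == literal.lower() for v in values)


def search(filter_template, entries, username=None):
    """Substitute {UserName} (escaped) and return the DNs of matching entries."""
    text = filter_template
    if username is not None:
        text = text.replace("{UserName}", escape_value(username))
    tree = parse_filter(text)
    return [e["dn"] for e in entries if matches(tree, e)]


def identity_is_unique(filter_template, entries, username):
    """EEM needs exactly one hit for a userid; zero or several is ambiguous."""
    return len(search(filter_template, entries, username)) == 1


if __name__ == "__main__":
    for label, flt in (("default", DEFAULT_AUTH), ("amended", UNIQUE_AUTH)):
        print(label, search(flt, FOREST, "jsmith"))
```

Running it shows the default authentication filter returning both jsmith entries (the ambiguous case the article describes) while the amended filter returns only the corp account. The same parser can be used to check a candidate custom filter against an export of your own directory before applying it in the EEM UI.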

With these changes in place, users will no longer hit the issue of failed login due to duplicate accounts.

Additional Information

EEM Custom Mapped Directory documentation : https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/ca-embedded-entitlements-manager/12-6/configuring/ca-eem-server-user-stores-configuration/reference-from-an-external-ldap-directory/custom-mapped-directory.html

EEM Configure Search Filters documentation : https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/ca-embedded-entitlements-manager/12-6/configuring/ca-eem-server-user-stores-configuration/configure-search-filters.html