Prevent automated LDAP based user creation in Performance Management


Article ID: 206805


Updated On:


CA Performance Management - Usage and Administration DX NetOps


Today when I logged in to create a new userid, I noticed a few user ids with the description "User account created automatically on <DATE>".  How can I find out what process is creating these userids automatically?

Some of the ids created automatically should not have access to Performance Center.

How can we prevent automated user creation via the LDAP integration for SSO in DX NetOps Performance Management Performance Center?


All supported DX NetOps Performance Management releases


Without knowledge of the specific LDAP Groups users belong to, with an LDAP configuration allowing ANY user to gain access, we require a method to limit user access to Performance Center.


In this scenario the LDAP integration is configured to allow any LDAP user access to Performance Center. The specific LDAP Directories or Groups the users exist in are not known, so user access cannot be limited to those Directories or Groups.

To address this, we set the 'Account User Default Clone' value (DB value LdapAccountUserDefaultClone) to '{SAMAccountname}'. With this setting, the configuration expects a user already created in the system whose name matches the LDAP user's user name.

If it finds no matching user name, the access will be rejected.

In this way any user seeking access would need to first engage the Performance Management admins. The admins would create the user for access if approved. The next time the user logs in they'll be successful using their LDAP based user name and password.

The change is made using the SsoConfig tool on the Performance Center in a CLI via a terminal. To do so:

  1. Go to the (default path) /opt/CA/PerformanceCenter directory.
  2. Run the command:
    • ./SsoConfig
  3. Choose option 1 for "Performance Center" or "DX NetOps" (whichever is presented, depending on the release running).
  4. Choose option 1 for 'LDAP Authentication'.
  5. Choose option 1 for 'Remote Value'.
  6. Choose property 9 for 'Account User Default Clone'.
  7. Enter u to update to a new value.
  8. Enter the new value:
    • {SAMAccountname}
  9. Confirm the new value is set when the updated configuration list is returned.
  10. Restart the SSO (caperfcenter_sso) and Performance Center console (caperfcenter_console) services for the new value to be read into the system.

NOTE: Ensure there isn't a different value set in option 2, 'Local Override'. If one is present, remove it (reset 'r' option) or set it (update 'u' option) to the same value set in Remote Value.

Additional Information

Stop Services:

  • Console first:
    • systemctl stop caperfcenter_console
  • SSO service next:
    • systemctl stop caperfcenter_sso

Start Services:

  • SSO first:
    • systemctl start caperfcenter_sso
  • Console service next:
    • systemctl start caperfcenter_console