Limit automatic user account creation with LDAP SSO in Performance Management
Article ID: 71412
Products

CA Infrastructure Management CA Performance Management - Usage and Administration

Issue/Introduction

When using LDAP, how can it be configured to prevent user accounts from being automatically created when attempting to log in?

We have tried leaving the Account User Default Clone blank, but this results in the following error when testing the LDAP login in SsoConfig:

"Error:

Cannot proceed with authentication because: accountUserClone is blank"

Environment

All supported Performance Management releases

Cause

The Account User Default Clone field is a required setting.

Resolution

When configuring LDAP, set the "Account User Default Clone" user to the same value set for the "Account User" field.

In most common AD-based LDAP implementations the values used would be:

  • Account User: {sAMAccountName}
  • Account User Default Clone: {sAMAccountName}

With this setting, a login attempt fails if the user does not already have an account set up, because the account to clone from is looked up under the same user name and does not exist yet.

To allow that user to login, a Performance Management (PM) administrator must create an account for the user with a user name that is the same as the user's network username coming from LDAP.

The new user created must have an "Authentication Type" of "External".

Once this is done the user will be able to successfully login with their network credentials.

This is a best-practice settings change to follow if you wish to control who can log into PM.
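As an added illustration (not CA Performance Management's own code), the following Python model of the account-resolution step shows why pointing the clone setting at {sAMAccountName} blocks automatic account creation while a fixed template user such as "admin" allows it; the login logic and the sample account table are assumptions made for this example.

```python
"""Simplified model of external (LDAP SSO) account resolution.
Assumption: this approximates the behaviour described in the article;
it is not the product's actual implementation."""

# Constructed sample data: existing PM accounts keyed by user name.
PM_ACCOUNTS = {
    "admin": {"auth_type": "Internal", "role": "Administrator"},
    "jdoe": {"auth_type": "External", "role": "User"},
}


def expand(setting, ldap_attrs):
    """Expand {attribute} placeholders such as {sAMAccountName}."""
    return setting.format(**ldap_attrs)


def sso_login(ldap_attrs, account_user, account_user_clone, accounts):
    """Return (outcome, account) for one external login attempt.

    Assumed flow: a blank clone setting is a configuration error; an
    existing account is used as-is (it must be of type External); otherwise
    a new account is cloned from the 'Account User Default Clone' user, and
    if that user does not exist either, the login is refused.
    """
    if not account_user_clone:
        return "error: accountUserClone is blank", None
    username = expand(account_user, ldap_attrs)
    existing = accounts.get(username)
    if existing is not None:
        if existing["auth_type"] != "External":
            return "denied: account is not External", None
        return "ok", existing
    # No account yet: resolve the clone template. With the template set to
    # {sAMAccountName} this is the user's own, non-existent name.
    clone_name = expand(account_user_clone, ldap_attrs)
    template = accounts.get(clone_name)
    if template is None:
        return "denied: no account and no clone template", None
    created = {"auth_type": "External", "role": template["role"]}
    accounts[username] = created  # automatic account creation
    return "created", created
```

Run the login for an unknown LDAP user once with the clone set to "admin" and once with "{sAMAccountName}" to see the difference.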

Additional Information

An alternative is to use the Groups configuration for LDAP. This requires a group to be configured in LDAP/AD containing only the users who will have PM access; a user must then be a member of that LDAP group before being able to gain access to PM.