
Access Manager v3.1 SP5 2 User Sources


Hi, is it possible to have 2 user sources for Access Manager? I have
read a Novell document that says you can but not how to do it. I want
to have eDirectory and Active Directory user sources, as we have some
users in AD that are not in eDirectory who need to access sites via Access
Manager.

Thanks for any help


--
tsher1978
------------------------------------------------------------------------
tsher1978's Profile: https://forums.netiq.com/member.php?userid=297
View this thread: https://forums.netiq.com/showthread.php?t=48558

8 Replies

Re: Access Manager v3.1 SP5 2 User Sources


The documentation says you can do this, but you need to be careful that
each user store contains unique user names.

The way I read your scenario, it's not clear if your AD users are a
superset of your eDirectory users or a totally separate catalogue.

http://tinyurl.com/pn542tx


--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
------------------------------------------------------------------------
alexmchugh's Profile: https://forums.netiq.com/member.php?userid=461
View this thread: https://forums.netiq.com/showthread.php?t=48558


Re: Access Manager v3.1 SP5 2 User Sources

tsher1978 wrote:

>
> Hi, is it possible to have 2 user sources for Access Manager? I have
> read a Novell document that says you can but not how to do it. I want
> to have eDirectory and Active Directory user sources, as we have
> some users in AD that are not in eDirectory who need to access sites via Access
> Manager.


You can, but as Alex says, ensure the users are unique across both user
stores. Let's say a user called 'edward' exists in both eDir and AD
and AD is configured as the first user store. The user 'edward' in eDir
will then never be able to log in, as it's always found first in AD.

Additionally, keep in mind that Identity Injection policies might use
specific attributes that only exist within one of the 2 user stores, so
you might end up with a bit of a headache there.

--
Cheers,
Edward

Re: Access Manager v3.1 SP5 2 User Sources


edmaa;233761 Wrote:
> tsher1978 wrote:
>
> >
> > Hi, is it possible to have 2 user sources for Access Manager? I have
> > read a Novell document that says you can but not how to do it. I want
> > to have eDirectory and Active Directory user sources, as we have
> > some users in AD that are not in eDirectory who need to access sites via
> > Access Manager.

>
> You can, but as Alex says, ensure the users are unique across both user
> stores. Let's say a user called 'edward' exists in both eDir and AD
> and AD is configured as the first user store. The user 'edward' in eDir
> will then never be able to log in, as it's always found first in AD.
>
> Additionally, keep in mind that Identity Injection policies might use
> specific attributes that only exist within one of the 2 user stores, so
> you might end up with a bit of a headache there.
>
> --
> Cheers,
> Edward


Doesn't NAM try "one" first and then the other? So if you have same
userid in Edir and AD, but you're "migrating" to AD, you can have it
search eDir first, or something?


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=48558


Re: Access Manager v3.1 SP5 2 User Sources

kjhurni wrote:


> Doesn't NAM try "one" first and then the other?


https://www.netiq.com/documentation/netiqaccessmanager32/identityserverhelp/data/userstoreslist.html#bcoakvf

"It is assumed that each LDAP directory contains different users. You
should ensure that the users have unique names across all LDAP
directories. If both directories contain a user with an identical name,
the name and password information discovered in the search of the first
directory is always used for authentication. You specify the search
order when configuring the authentication method."




--
Cheers,
Edward
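The first-match rule Edward describes in his earlier reply (the eDir 'edward' shadowed by the AD 'edward') and the documentation excerpt quoted above both come down to an ordered search across the configured stores. The following is an added example, not code from NetIQ, from Access Manager, or from anyone in this thread. It models each user store as an in-memory dictionary standing in for LDAP search results (constructed sample entries; the store names, login names and attribute names such as workforceID are assumptions), resolves a login the way the documented search order does, lists the names an earlier store shadows, and flags entries that lack an attribute an Identity Injection policy would need.

```python
"""Simulate Access Manager's ordered search across several LDAP user stores.

Added example, not code from NetIQ or from anyone in the thread. The stores
below are constructed in-memory stand-ins for LDAP search results; store
names, login names and attribute names are assumptions for the illustration.
"""
from dataclasses import dataclass


@dataclass
class UserStore:
    """One configured user store: its display name and the entries it holds.

    `entries` maps a login name to that entry's attributes, standing in for
    what an LDAP search on the configured naming attribute would return.
    """
    name: str
    entries: dict


def resolve_user(search_order, username):
    """Return (store name, entry) from the first store that holds `username`.

    This is the documented rule: stores are searched in the configured order
    and the first hit is the only one used for authentication. Returns
    (None, None) when no store knows the user.
    """
    for store in search_order:
        entry = store.entries.get(username)
        if entry is not None:
            return store.name, entry
    return None, None


def find_duplicates(search_order):
    """Map each login name present in more than one store to the stores that
    hold it, listed in search order. An empty dict means the stores are
    disjoint, which is what the documentation asks for."""
    holders = {}
    for store in search_order:
        for username in store.entries:
            holders.setdefault(username, []).append(store.name)
    return {u: names for u, names in holders.items() if len(names) > 1}


def shadowed_entries(search_order):
    """List (username, shadowed store, winning store) for every entry that
    can never authenticate because an earlier store has the same name."""
    shadowed = []
    for username, names in find_duplicates(search_order).items():
        winner = names[0]
        for loser in names[1:]:
            shadowed.append((username, loser, winner))
    return sorted(shadowed)


def missing_injection_attrs(search_order, required_attrs):
    """For an Identity Injection policy that injects `required_attrs`, list
    (store, username, attribute) for each entry missing one of them; the
    policy has nothing to inject for those users when they authenticate
    from that store."""
    gaps = []
    for store in search_order:
        for username, attrs in store.entries.items():
            for attr in required_attrs:
                if attr not in attrs:
                    gaps.append((store.name, username, attr))
    return gaps


# Constructed sample directories (not real data). 'edward' exists in both,
# exactly the collision described in the thread.
AD = UserStore("ActiveDirectory", {
    "edward": {"mail": "edward@ad.example", "sAMAccountName": "edward"},
    "alice": {"mail": "alice@ad.example", "sAMAccountName": "alice"},
})
EDIR = UserStore("eDirectory", {
    "edward": {"mail": "edward@edir.example", "workforceID": "1001"},
    "bob": {"mail": "bob@edir.example", "workforceID": "1002"},
})
# AD first, as in the scenario from the thread.
SEARCH_ORDER = [AD, EDIR]


def report(search_order, injection_attrs=("workforceID",)):
    """Pre-flight checks an administrator would run before enabling the
    second store: who wins a contested login, what is shadowed, and which
    injection attributes are missing."""
    return {
        "edward_resolves_to": resolve_user(search_order, "edward")[0],
        "duplicates": find_duplicates(search_order),
        "shadowed": shadowed_entries(search_order),
        "injection_gaps": missing_injection_attrs(search_order, injection_attrs),
    }


if __name__ == "__main__":
    for key, value in report(SEARCH_ORDER).items():
        print(f"{key}: {value}")
    # Reverse the order and the eDirectory 'edward' wins instead.
    print("eDir first:", resolve_user([EDIR, AD], "edward")[0])
```

Swapping the two stores in `SEARCH_ORDER` flips which 'edward' authenticates, which is the migration case discussed later in the thread: the order only helps when the duplicate names really are the same person. Against live directories the dictionaries would be replaced by searches on each store's naming attribute, and `find_duplicates` is the check worth running before the second store goes live.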

Re: Access Manager v3.1 SP5 2 User Sources


Hi,

Thanks to both of you for replying. I have managed to implement it. I
have taken on board the comments about duplicate users etc.

Thanks,


--
tsher1978
------------------------------------------------------------------------
tsher1978's Profile: https://forums.netiq.com/member.php?userid=297
View this thread: https://forums.netiq.com/showthread.php?t=48558


Re: Access Manager v3.1 SP5 2 User Sources


edmaa;233829 Wrote:
> kjhurni wrote:
>
>
> > Doesn't NAM try "one" first and then the other?

>
> http://tinyurl.com/orxyz2g
> elp/data/userstoreslist.html#bcoakvf
>
> "It is assumed that each LDAP directory contains different users. You
> should ensure that the users have unique names across all LDAP
> directories. If both directories contain a user with an identical name,
> the name and password information discovered in the search of the first
> directory is always used for authentication. You specify the search
> order when configuring the authentication method."
>
>
>
>
> --
> Cheers,
> Edward


That's what I thought, so it could work with duplicate names, you just
have to be careful and I'm sure there's some overhead/optimization
involved.

Or I suppose if you really wanted to confuse your users, you can create
two auth cards (click here for AD, click here for eDir) or something.

As always, thanks Ed!


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=48558


Re: Access Manager v3.1 SP5 2 User Sources

kjhurni wrote:

>
> edmaa;233829 Wrote:
> > kjhurni wrote:
> >
> >
> > > Doesn't NAM try "one" first and then the other?

> >
> > http://tinyurl.com/orxyz2g
> > elp/data/userstoreslist.html#bcoakvf
> >
> > "It is assumed that each LDAP directory contains different users.
> > You should ensure that the users have unique names across all LDAP
> > directories. If both directories contain a user with an identical
> > name, the name and password information discovered in the search of
> > the first directory is always used for authentication. You specify
> > the search order when configuring the authentication method."
> >
> >
> >
> >
> > --
> > Cheers,
> > Edward

>
> That's what I thought, so it could work with duplicate names, you just
> have to be careful and I'm sure there's some overhead/optimization
> involved.


Uh? It won't work with duplicate names. First match is always taken...

> Or I suppose if you really wanted to confuse your users, you can
> create two auth cards (click here for AD, click here for eDir) or
> something.


Yeah, but how many organisations really use the default login page?
Ours are heavily customised and we don't display the auth cards, mainly
so users can't hurt themselves 🙂


--
Cheers,
Edward

Re: Access Manager v3.1 SP5 2 User Sources


edmaa;233876 Wrote:
> kjhurni wrote:
>
> >
> > edmaa;233829 Wrote:
> > > kjhurni wrote:
> > >
> > >
> > > > Doesn't NAM try "one" first and then the other?
> > >
> > > http://tinyurl.com/orxyz2g
> > > elp/data/userstoreslist.html#bcoakvf
> > >
> > > "It is assumed that each LDAP directory contains different users.
> > > You should ensure that the users have unique names across all LDAP
> > > directories. If both directories contain a user with an identical
> > > name, the name and password information discovered in the search of
> > > the first directory is always used for authentication. You specify
> > > the search order when configuring the authentication method."
> > >
> > >
> > >
> > >
> > > --
> > > Cheers,
> > > Edward

> >
> > That's what I thought, so it could work with duplicate names, you just
> > have to be careful and I'm sure there's some overhead/optimization
> > involved.

>
> Uh? It won't work with duplicate names. First match is always taken...
>
> > Or I suppose if you really wanted to confuse your users, you can
> > create two auth cards (click here for AD, click here for eDir) or
> > something.

>
> Yeah, but how many organisations really use the default login page?
> Ours are heavily customised and we don't display the auth cards, mainly
> so users can't hurt themselves 🙂
>
>
> --
> Cheers,
> Edward


For duplicates it would/could work IF you had the one entry first. Just
like in ZCM, if you add 2 user sources, it takes whichever matches
first.
Of course, that ASSUMES that the duplicates ARE the same user (i.e.,
you're migrating, say, from eDir to AD, and then at some point "new"
users only get added into AD or something).

Even without auth cards, just create a new method or something for a
customized login page. Have one use Kerberos/AD and the other use eDir
or something.

"Click here to login BLAH"

We do that for some of our apps/stuff as they point to 2 different user
sources.

But everyone's environment is different.


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=48558
