Anonymous_User Absent Member.

Kerberos Login / Roles in eDirectory.


Hi All,

NAM: 3.2.1

I'm trying to offer desktop sso, using an AD Kerberos login contract,
whilst sending roles which are based off an eDirectory instance.

In more confusing detail :), I have a policy to activate a role, based
off group memberships in our eDirectory instance. If you have the
specific group membership, activate role ADMIN etc. I can offer a
username / password login, using the same eDirectory instance, and the
roles are applied successfully as expected.

I would like, however, to provide a desktop sso / Kerberos option, whilst
still having the option of sending the role, using the same group
memberships in our eDirectory instance.

Is this possible? Is there any documentation which you can link to?

Thanks in advance, and sorry for the confusing question as I'm still
trying to get my head around it all...


--
gbatty1
------------------------------------------------------------------------
gbatty1's Profile: https://forums.netiq.com/member.php?userid=2072
View this thread: https://forums.netiq.com/showthread.php?t=49815

Anonymous_User Absent Member.

Re: Kerberos Login / Roles in eDirectory.

gbatty1 <gbatty1@no-mx.forums.netiq.com> wrote:
>
> I'm trying to offer desktop sso, using an AD Kerberos login contract,
> whilst sending roles which are based off an eDirectory instance.
>
> In more confusing detail :), I have a policy to activate a role, based
> off group memberships in our eDirectory instance. If you have the
> specific group membership, activate role ADMIN etc. I can offer a
> username / password login, using the same eDirectory instance, and the
> roles are applied successfully as expected.
>
> I would like, however, to provide a desktop sso / Kerberos option, whilst
> still having the option of sending the role, using the same group
> memberships in our eDirectory instance.
>
> Is this possible? Is there any documentation which you can link to?
>
> Thanks in advance, and sorry for the confusing question as I'm still
> trying to get my head around it all...
>


Do you have any way to synchronise the AD UPN and password to eDirectory
(IDM for example)?

If so, you can configure NAM Kerberos to auth against eDirectory; this is
explained in a cool solution (don't have link handy).

--
If you find this post helpful and are logged into the web interface, show
your appreciation and click on the star below...
Anonymous_User Absent Member.

Re: Kerberos Login / Roles in eDirectory.

gbatty1 wrote:

>
> Hi All,
>
> NAM: 3.2.1
>
> I'm trying to offer desktop sso, using an AD Kerberos login contract,
> whilst sending roles which are based off an eDirectory instance.
>
> In more confusing detail :), I have a policy to activate a role, based
> off group memberships in our eDirectory instance. If you have the
> specific group membership, activate role ADMIN etc. I can offer a
> username / password login, using the same eDirectory instance, and the
> roles are applied successfully as expected.
>
> I would like, however, to provide a desktop sso / Kerberos option,
> whilst still having the option of sending the role, using the same
> group memberships in our eDirectory instance.
>
> Is this possible? Is there any documentation which you can link to?
>
> Thanks in advance, and sorry for the confusing question as I'm still
> trying to get my head around it all...


Yep, we do that. As Alex pointed out, you'd need the UPN from the
Kerberos ticket stored as an attribute inside eDir. You can configure
what attribute to look for on the Kerberos class. IDM is your friend 🙂

--
Cheers,
Edward
0 Likes
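
Added example, not part of the original posts and not NAM's own code: a sketch of the mapping the replies above describe, where the principal from the Kerberos ticket is matched against a UPN attribute synchronised into eDirectory and roles then follow from that entry's group memberships. The attribute name `adUPN`, the realm, the DNs and the role names are constructed assumptions; the case-insensitive match is also an assumption.

```python
# Constructed sample data: every DN, the "adUPN" attribute name and the role
# names are assumptions made for this illustration.
ALLOWED_REALMS = {"AD.EXAMPLE.COM"}
ROLE_BY_GROUP = {
    "cn=nam-admins,ou=groups,o=corp": "ADMIN",
    "cn=helpdesk,ou=groups,o=corp": "HELPDESK",
}
DIRECTORY = [
    {"dn": "cn=gsmith,ou=users,o=corp", "adUPN": "gsmith@AD.EXAMPLE.COM",
     "groupMembership": ["cn=NAM-Admins,ou=groups,o=corp"]},
    {"dn": "cn=jdoe,ou=users,o=corp", "adUPN": "jdoe@AD.EXAMPLE.COM",
     "groupMembership": []},
    # Two entries carrying the same UPN: a sync error the lookup must refuse.
    {"dn": "cn=klee,ou=users,o=corp", "adUPN": "klee@AD.EXAMPLE.COM",
     "groupMembership": ["cn=Helpdesk,ou=groups,o=corp"]},
    {"dn": "cn=kleeadm,ou=admins,o=corp", "adUPN": "klee@AD.EXAMPLE.COM",
     "groupMembership": ["cn=NAM-Admins,ou=groups,o=corp"]},
]


class MappingError(Exception):
    """The principal cannot be tied to exactly one directory entry."""


def resolve_user(principal, directory=DIRECTORY, upn_attr="adUPN"):
    """Return the single entry whose upn_attr equals the ticket's principal."""
    user, sep, realm = principal.rpartition("@")
    if not (sep and user) or realm.upper() not in ALLOWED_REALMS:
        raise MappingError(f"unexpected principal or realm: {principal!r}")
    wanted = principal.lower()  # assumption: the match ignores case
    matches = [e for e in directory if e.get(upn_attr, "").lower() == wanted]
    if len(matches) != 1:  # zero or several matches: fail closed, grant no roles
        raise MappingError(f"{len(matches)} entries match {principal!r}")
    return matches[0]


def roles_for(principal, directory=DIRECTORY):
    """Activate roles from the matched entry's group memberships."""
    groups = (g.lower() for g in resolve_user(principal, directory)["groupMembership"])
    return sorted({ROLE_BY_GROUP[g] for g in groups if g in ROLE_BY_GROUP})
```

The duplicate `klee` entries show why the synchronised UPN attribute needs to be unique: an ambiguous match must end in a failed login rather than in whichever entry happens to be found first.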
Anonymous_User Absent Member.

Re: Kerberos Login / Roles in eDirectory.


Thank you both. Your posts pointed me in the right direction and we have
resolved the issues.

Thanks again for your quick responses,
G


--
gbatty1
