jameswatson3 Absent Member.

Change from AD-RDBMS Mode to AD-Schema Mode Supported?


Because certain functions of the client login extensions do not work in
AD-RDBMS mode, we're considering switching to AD-Schema mode.

First of all, is this supported/recommended at all or would a
rip/replace be best practice? Our install so far is pilot stage so no
worries about data transition. It would be nice to avoid the extra work
though.

Second, if supported, is the process simply a matter of extending schema
and assigning rights as documented then reverting the settings in
Settings | Database (Remote) to defaults?


--
jameswatson3
------------------------------------------------------------------------
jameswatson3's Profile: https://forums.netiq.com/member.php?userid=565
View this thread: https://forums.netiq.com/showthread.php?t=53909

Micro Focus Contributor

Re: Change from AD-RDBMS Mode to AD-Schema Mode Supported?


jameswatson3;259086 Wrote:
> Because certain functions of the client login extensions do not work in
> AD-RDBMS mode, we're considering switching to AD-Schema mode.
>
> First of all, is this supported/recommended at all or would a
> rip/replace be best practice? Our install so far is pilot stage so no
> worries about data transition. It would be nice to avoid the extra work
> though.
>
> Second, if supported, is the process simply a matter of extending schema
> and assigning rights as documented then reverting the settings in
> Settings | Database (Remote) to defaults?


1. In general, CLE shouldn't be able to tell if SSPR is using an RDBMS
or not. What functions are you referring to?

2. SSPR doesn't really have an RDBMS or schema "mode" per se. There are
several settings in SSPR where you can choose to store persistent data
in one or the other. What you're probably thinking of is the setting
during the configuration guide, which really only changes the
challenge/response read and write storage settings. You can change
those to LDAP and/or RDBMS at any time.

3. Yes, extend the schema and configure rights as described, but you
won't have to clear the settings -> database section unless you want to
disable SSPR using RDBMS altogether. You probably just want to change
the challenge/response read and write storage settings.


--
jrivard
------------------------------------------------------------------------
jrivard's Profile: https://forums.netiq.com/member.php?userid=541

jameswatson3 Absent Member.

Re: Change from AD-RDBMS Mode to AD-Schema Mode Supported?


jrivard;259095 Wrote:
> In general, CLE shouldn't be able to tell if SSPR is using an RDBMS or
> not. What functions are you referring to?


Apparently there is an issue with CLE 3.8.HF1 where the wrong domain
name is used so no login is possible if "SSPR Configurations" is enabled
in the CLE config utility. If you have access, you can see the details
in SR#10954700464 which acknowledged the issue and encouraged me to
wait for the CLE that ships with SSPR 3.3.

But now that you mention it, it does make me wonder if the issue is just
CLE itself and not anything to do with RDBMS/Schema at all. Support did
not inquire about this at all but now I'm wondering.


--
jameswatson3
------------------------------------------------------------------------

jameswatson3 Absent Member.

Re: Change from AD-RDBMS Mode to AD-Schema Mode Supported?


jrivard;259095 Wrote:
> you won't have to clear the settings -> database section unless you want
> to disable SSPR using RDBMS altogether. You probably just want to
> change the challenge/response read and write storage settings.


I don't recall anything in the documentation about which configurations
are stored in which locations. I found the challenge/response read/write
settings you describe and changed that to LDAP. Now I can see that the
pwnUser objectClass is added to my test users. I also cleared all
settings from Settings -> Database, however I don't understand the
implications of this.

Is this covered in the documentation? I did not see it but may have
missed it.


--
jameswatson3
------------------------------------------------------------------------

Knowledge Partner

Re: Change from AD-RDBMS Mode to AD-Schema Mode Supported?


jameswatson3;259106 Wrote:
> I don't recall anything in the documentation about which configurations
> are stored in which locations. I found the challenge/response read/write
> settings you describe and changed that to LDAP. Now I can see that the
> pwnUser objectClass is added to my test users. I also cleared all
> settings from Settings -> Database, however I don't understand the
> implications of this.
>
> Is this covered in the documentation? I did not see it but may have
> missed it.


I could be wrong, but:
At least in an eDir implementation, if you were using the SSPR
challenge/pass requests, those were SSPR defined ones and written to the
database. If you then switched/changed to eDir via LDAP and using NMAS,
then users would have to re-answer/setup their challenge/response info.

But I don't know about AD and I don't know if this is still true, or
applies to your scenario.
--Kevin


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
