Content Manager OnDemand logon with the LDAP authentication and anonymous binding
Some LDAP servers are set up to allow initial connection to the LDAP server or an anonymous bind.
After a record is found, you might need to supply a password to access the information in that record (analogous to a key for a locked office). An example of an LDAP server that allows the anonymous bind is a company's intranet server. With this type of open LDAP server, the only logon information that an employee of that company needs is a user ID and password. With anonymous binding, the Content Manager OnDemand logon proceeds as follows:
- Connect to the LDAP server (called initial bind) without a user ID or password.
- If the initial bind is successful, search for an entry under the bind attribute name that is specified in ARS_LDAP_BIND_ATTRIBUTE at the location specified by ARS_LDAP_BASE_DN.
- If an entry is found, perform a second bind (logon) to it by using the user ID and password that was entered into the Content Manager OnDemand logon panel. If the second bind is successful, locate the value under the mapped attribute name that is specified in ARS_LDAP_MAPPED_ATTRIBUTE.
- If the value is found, return it to Content Manager OnDemand.
The logon flow when Content Manager OnDemand is configured with the anonymous bind set to true:
- The user types the user ID and password in the Logon to a Server panel of the Content Manager OnDemand client.
- The user ID and password are sent to the Content Manager OnDemand server to be authenticated.
- The Content Manager OnDemand LDAP authentication component connects to the LDAP server. If the LDAP server is down or cannot be reached, the flow is based on the setting of ARS_LDAP_OD_AUTHORITY_FALLBACK:
  - If ARS_LDAP_OD_AUTHORITY_FALLBACK=FALSE (the default), the logon fails.
  - If ARS_LDAP_OD_AUTHORITY_FALLBACK=TRUE, the logon reverts to the native Content Manager OnDemand logon and continues.
- The Content Manager OnDemand LDAP authentication component searches the LDAP server for the user ID under the attribute name that is specified in the ARS_LDAP_BIND_ATTRIBUTE configuration parameter. Remember: the user ID can be an e-mail address. If the attribute name does not exist on the LDAP server, the logon to the Content Manager OnDemand server fails.
- If the attribute name is correct but the user ID does not exist on the LDAP server, then the flow is based on the setting of ARS_LDAP_OD_AUTHORITY_FALLBACK.
- If the user ID exists on the LDAP server and the password is wrong, the logon to the Content Manager OnDemand server fails.
- If the user ID exists on the LDAP server and the password is correct, the LDAP server returns a value to the Content Manager OnDemand server.
- You tell the LDAP server what to return by setting the configuration parameter ARS_LDAP_MAPPED_ATTRIBUTE to an attribute or field name that is known to the LDAP server. If this attribute name does not exist on the LDAP server, the logon to the Content Manager OnDemand server fails.
- If the attribute name is correct, a value is returned. For example, if the ID that is entered on the Content Manager OnDemand logon screen is J12345, ARS_LDAP_MAPPED_ATTRIBUTE is set to odid, and the odid attribute of the J12345 entry is jasson1, then jasson1 is returned.
- If the returned value matches a user ID that is stored in the Content Manager OnDemand server database, the user logs on. Otherwise, the logon fails. The Content Manager OnDemand password is not checked if the LDAP authentication is successful.
If Content Manager OnDemand user ID and password case sensitivity is enabled, and the IDs that are stored in the Content Manager OnDemand database are in uppercase (for example, as a result of case insensitivity in the past), the ID that is returned by LDAP must also be in uppercase; otherwise the logon fails.
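The following is an added example, not IBM's code, that models the anonymous-bind logon flow above (initial bind and search, second bind with the user's credentials, mapped-attribute lookup, the ARS_LDAP_OD_AUTHORITY_FALLBACK branches, and the case-sensitive match against the OnDemand database). The LDAP server and the OnDemand user table are constructed in memory so it runs offline; the DN layout and sample passwords are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Directory:
    """Constructed in-memory stand-in for the LDAP server."""
    schema: set          # attribute names the server knows
    entries: dict        # DN -> {attribute: value}
    passwords: dict      # DN -> password (simulation only)
    reachable: bool = True
    def search(self, base_dn, attr, value):
        if not self.reachable:
            raise ConnectionError("LDAP server down or unreachable")
        if attr not in self.schema:
            return "no-such-attribute"
        hits = [dn for dn, a in self.entries.items() if dn.endswith(base_dn) and a.get(attr) == value]
        return hits[0] if hits else None
    def bind(self, dn, password):
        return self.passwords.get(dn) == password

def logon(cfg, ldap, od_users, user_id, password):
    """Return (ok, reason); od_users maps OnDemand user ID -> OnDemand password."""
    fallback = cfg.get("ARS_LDAP_OD_AUTHORITY_FALLBACK", "FALSE").upper() == "TRUE"
    def od_logon(why):  # native OnDemand logon, taken only when fallback applies
        ok = od_users.get(user_id) == password
        return (ok, f"{why}; OnDemand logon " + ("ok" if ok else "failed"))
    try:
        dn = ldap.search(cfg["ARS_LDAP_BASE_DN"], cfg["ARS_LDAP_BIND_ATTRIBUTE"], user_id)
    except ConnectionError:
        return od_logon("LDAP unreachable") if fallback else (False, "LDAP unreachable")
    if dn == "no-such-attribute":
        return (False, "bind attribute unknown to LDAP")
    if dn is None:
        return od_logon("user not in LDAP") if fallback else (False, "user not in LDAP")
    if not ldap.bind(dn, password):
        return (False, "wrong LDAP password")
    if cfg["ARS_LDAP_MAPPED_ATTRIBUTE"] not in ldap.schema:
        return (False, "mapped attribute unknown to LDAP")
    mapped = ldap.entries[dn].get(cfg["ARS_LDAP_MAPPED_ATTRIBUTE"])
    # Exact, case-sensitive match against the OnDemand database; the OnDemand
    # password is NOT checked on this path, as the text states.
    if mapped in od_users:
        return (True, f"LDAP ok; mapped to OnDemand user {mapped}")
    return (False, f"mapped value {mapped!r} is not an OnDemand user")

# Constructed sample data following the J12345 / odid / jasson1 example above.
CFG = {"ARS_LDAP_BASE_DN": "ou=people,dc=example,dc=com", "ARS_LDAP_BIND_ATTRIBUTE": "uid",
       "ARS_LDAP_MAPPED_ATTRIBUTE": "odid", "ARS_LDAP_OD_AUTHORITY_FALLBACK": "FALSE"}
DN = "uid=J12345,ou=people,dc=example,dc=com"
LDAP = Directory({"uid", "odid", "mail"}, {DN: {"uid": "J12345", "odid": "jasson1"}}, {DN: "ldap-pw"})
OD_USERS = {"jasson1": "od-pw", "J12345": "od-pw"}
```

Running `logon(CFG, LDAP, OD_USERS, "J12345", "ldap-pw")` succeeds as jasson1 even though the OnDemand password for jasson1 was never supplied, and an OnDemand table that holds only JASSON1 rejects the same logon.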