Content Manager OnDemand logon with the LDAP authentication and anonymous binding

Some LDAP servers are set up to allow an initial connection without any credentials, known as an anonymous bind.

An LDAP server that is set up to allow anonymous bind is open to anyone who can reach it on the network: any client can connect and search the directory without presenting credentials. It is like a building with its front doors unlocked. Anyone can walk in and look up a name in the directory in the lobby. Even though the building is open, the individual offices might still be locked. The individual offices are analogous to the entries in the LDAP server.

After an entry is found, you might need to supply a password to access the information in that entry (analogous to a key for a locked office). An example of an LDAP server that allows anonymous bind is a company's intranet directory server. With this type of open LDAP server, the only logon information that an employee of that company needs is a user ID and password; no separate bind account has to be configured for the initial connection.

The anonymous bind LDAP authentication process:
  • Connect to the LDAP server (the initial bind) without a user ID or password.
  • If the initial bind is successful, search below the location specified by ARS_LDAP_BASE_DN for an entry whose attribute named in ARS_LDAP_BIND_ATTRIBUTE matches the user ID that was entered.
  • If an entry is found, perform a second bind (logon) to that entry by using the user ID and password that were entered into the Content Manager OnDemand logon panel. If the second bind is successful, read the value of the attribute named in ARS_LDAP_MAPPED_ATTRIBUTE from that entry.
  • If a value is found, return it to Content Manager OnDemand.

Logon flow when OnDemand is configured with the anonymous bind set to true:

  1. The user types the user ID and password in the Logon to a Server panel of the Content Manager OnDemand client.
  2. The user ID and password are sent to the Content Manager OnDemand server to be authenticated.
  3. The Content Manager OnDemand LDAP authentication component connects to the LDAP server. If the LDAP server is down or cannot be reached, the flow depends on the setting of ARS_LDAP_OD_AUTHORITY_FALLBACK.
    • If ARS_LDAP_OD_AUTHORITY_FALLBACK=FALSE (the default), the logon fails.
    • If ARS_LDAP_OD_AUTHORITY_FALLBACK=TRUE, the logon falls back to the native Content Manager OnDemand logon (the user ID and password are checked against the Content Manager OnDemand database) and continues. With this setting an LDAP outage makes the passwords stored in the Content Manager OnDemand database sufficient to log on, so they must be managed as real credentials even when LDAP is the intended authority.
  4. The Content Manager OnDemand LDAP authentication component searches the LDAP server, below ARS_LDAP_BASE_DN, for an entry whose attribute named in the ARS_LDAP_BIND_ATTRIBUTE configuration parameter matches the user ID.
    Remember: The user ID can be an e-mail address if the bind attribute holds e-mail addresses. If the attribute name does not exist on the LDAP server, the logon to the Content Manager OnDemand server fails.
    • If the attribute name is correct but the user ID does not exist on the LDAP server, the flow depends on the setting of ARS_LDAP_OD_AUTHORITY_FALLBACK, as in step 3.
    • If the user ID exists on the LDAP server and the password is wrong (the second bind is rejected), the logon to the Content Manager OnDemand server fails.
    • If the user ID exists on the LDAP server and the password is correct, the LDAP authentication component reads a value from the entry and returns it to the Content Manager OnDemand server.
  5. You specify which value is returned by setting the configuration parameter ARS_LDAP_MAPPED_ATTRIBUTE to an attribute or field name that is known to the LDAP server. If this attribute name does not exist on the LDAP server, the logon to the Content Manager OnDemand server fails.
    • If the attribute name is correct, its value is returned. For example, if the ID that is entered on the Content Manager OnDemand logon screen is J12345, ARS_LDAP_MAPPED_ATTRIBUTE is set to odid, and the entry for J12345 has odid set to jasson1, then jasson1 is returned.
    • If the returned value matches a user ID that is stored in the Content Manager OnDemand server database, the user logs on. Otherwise, the logon fails. The Content Manager OnDemand password is not checked if the LDAP authentication is successful; the LDAP password is the only secret verified on this path.
Remember: If user ID and password case sensitivity is disabled (the default), the user ID and password are converted to uppercase before they are sent to the LDAP server. The user ID string that is returned from the LDAP server is then converted to uppercase and compared with the user IDs that are stored in the database.

If Content Manager OnDemand user ID and password case sensitivity is enabled, and the IDs that are stored in the Content Manager OnDemand database are in uppercase (for example, as a result of case insensitivity in the past), the ID that is returned by LDAP must also be in uppercase; otherwise the logon fails.
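The anonymous-bind process and the decision points in steps 3 to 5, including the fallback and case-handling notes, as an added simulation in Python. This is example code written for this page, not IBM's implementation: SimLdap is an in-memory stand-in for a directory server, DIRECTORY and OD_USERS are constructed sample data, and apart from the ARS_LDAP_* parameter names every identifier is an assumption made for illustration. How the fallback logon is checked against the OnDemand database is likewise assumed.

```python
"""Simulated walkthrough of the OnDemand anonymous-bind LDAP logon flow.

Added example, not IBM code. SimLdap stands in for a directory server; only
the ARS_LDAP_* parameter names come from the documentation, every other name
is an assumption for illustration.
"""
from dataclasses import dataclass


class LdapUnreachable(Exception):
    """Server down or not reachable (step 3)."""


class UndefinedAttribute(Exception):
    """Attribute name not in the server schema (steps 4 and 5)."""


class SimLdap:
    """Constructed in-memory directory: DN -> attributes (assumed helper)."""

    def __init__(self, directory, reachable=True, allow_anonymous=True):
        self.directory = directory
        self.reachable = reachable
        self.allow_anonymous = allow_anonymous
        self.schema = {a for e in directory.values() for a in e}

    def _check_up(self):
        if not self.reachable:
            raise LdapUnreachable("connection refused")

    def bind(self, dn=None, password=None):
        """Anonymous bind when dn is None; otherwise a simple bind as dn."""
        self._check_up()
        if dn is None:
            return self.allow_anonymous
        entry = self.directory.get(dn)
        # Directories compare the bind password case-sensitively.
        return entry is not None and entry.get("userPassword") == password

    def search(self, base_dn, attr, value):
        """DNs below base_dn whose attr equals value (values compared
        case-insensitively, like LDAP's default matching rule)."""
        self._check_up()
        if attr not in self.schema:
            raise UndefinedAttribute(attr)
        return [dn for dn, e in self.directory.items()
                if dn.endswith(base_dn) and e.get(attr, "").lower() == value.lower()]

    def attribute(self, dn, attr):
        if attr not in self.schema:
            raise UndefinedAttribute(attr)
        return self.directory[dn].get(attr)


@dataclass
class Config:
    ARS_LDAP_BASE_DN: str = "ou=people,dc=example,dc=com"
    ARS_LDAP_BIND_ATTRIBUTE: str = "uid"
    ARS_LDAP_MAPPED_ATTRIBUTE: str = "odid"
    ARS_LDAP_OD_AUTHORITY_FALLBACK: bool = False   # documented default
    case_sensitive: bool = False                    # OnDemand case sensitivity, default off


# Constructed sample directory. J12345's password is stored uppercase, K67890's is not.
DIRECTORY = {
    "uid=J12345,ou=people,dc=example,dc=com": {
        "uid": "J12345", "mail": "j12345@example.com",
        "odid": "jasson1", "userPassword": "SECRET1"},
    "uid=K67890,ou=people,dc=example,dc=com": {
        "uid": "K67890", "odid": "KIM2", "userPassword": "Other2"},
}

# Constructed OnDemand user database: ID -> OnDemand password, both stored
# uppercase here as a simulation of a history of case-insensitive operation.
OD_USERS = {"JASSON1": "ODPASS1", "KIM2": "ODPASS2"}


def od_fallback(user_id, password):
    """Assumed shape of the native OnDemand logon used when fallback is TRUE."""
    if OD_USERS.get(user_id) == password:
        return True, f"logged on via OnDemand fallback as {user_id}"
    return False, "OnDemand fallback: bad user ID or password"


def od_logon(cfg, ldap, user_id, password):
    """Return (success, reason) following steps 1-5 and the case-handling notes."""
    if not cfg.case_sensitive:               # fold before anything is sent to LDAP
        user_id, password = user_id.upper(), password.upper()
    try:
        if not ldap.bind():                  # initial (anonymous) bind
            return False, "anonymous bind refused"
        found = ldap.search(cfg.ARS_LDAP_BASE_DN, cfg.ARS_LDAP_BIND_ATTRIBUTE, user_id)
    except LdapUnreachable:
        if cfg.ARS_LDAP_OD_AUTHORITY_FALLBACK:
            return od_fallback(user_id, password)
        return False, "LDAP unreachable and fallback disabled"
    except UndefinedAttribute as e:
        return False, f"bind attribute {e} does not exist on the LDAP server"
    if not found:
        if cfg.ARS_LDAP_OD_AUTHORITY_FALLBACK:
            return od_fallback(user_id, password)
        return False, "user ID not found in LDAP and fallback disabled"
    dn = found[0]
    if not ldap.bind(dn, password):         # second bind, as the found entry
        return False, "LDAP password rejected"
    try:
        mapped = ldap.attribute(dn, cfg.ARS_LDAP_MAPPED_ATTRIBUTE)
    except UndefinedAttribute as e:
        return False, f"mapped attribute {e} does not exist on the LDAP server"
    if mapped is None:
        return False, "entry has no value for the mapped attribute"
    if not cfg.case_sensitive:
        mapped = mapped.upper()
    if mapped in OD_USERS:                   # the OnDemand password is NOT checked here
        return True, f"logged on as {mapped}"
    return False, f"mapped ID {mapped!r} is not an OnDemand user"


if __name__ == "__main__":
    up, down = SimLdap(DIRECTORY), SimLdap(DIRECTORY, reachable=False)
    print(od_logon(Config(), up, "j12345", "secret1"))                   # folded, succeeds as JASSON1
    print(od_logon(Config(), up, "K67890", "Other2"))                    # folded password no longer matches
    print(od_logon(Config(case_sensitive=True), up, "K67890", "Other2")) # succeeds as KIM2
    print(od_logon(Config(case_sensitive=True), up, "J12345", "SECRET1"))# jasson1 != JASSON1 in the database
    print(od_logon(Config(), down, "jasson1", "odpass1"))                # LDAP down, default: fail
    print(od_logon(Config(ARS_LDAP_OD_AUTHORITY_FALLBACK=True), down, "jasson1", "odpass1"))
```

The K67890 and J12345 cases under the two case-sensitivity settings show the two traps the Remember notes describe: with the default setting the uppercased password must match what the directory holds, and with case sensitivity on the mapped value must match the stored (uppercase) OnDemand ID exactly. The last two calls show that the fallback setting alone decides whether an unreachable LDAP server turns an OnDemand database password into a valid logon.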