Some LDAP servers are set up to allow an initial connection without any
credentials, known as an anonymous bind.
An LDAP server that allows anonymous bind is open to anyone who can reach it:
any client can connect to the LDAP server and search the directory without
identifying itself. It is like a building with its front doors unlocked. Anyone
can walk in and look up a name in the directory in the lobby. Even though the
building is open, the individual offices might not be. The individual offices
are analogous to the entries in the LDAP server.
After an entry is found, you might still need to supply a password to access
the information in that entry (analogous to a key for a locked office). A
typical example of an LDAP server that allows anonymous bind is a company's
intranet directory server. With this type of open LDAP server, the only logon
information that an employee of that company needs is a user ID and password.
The anonymous bind LDAP authentication process:
- Connect to the LDAP server (called the initial bind) without a user ID or
password.
- If the initial bind is successful, search the subtree at the location
specified by ARS_LDAP_BASE_DN for an entry whose attribute named in
ARS_LDAP_BIND_ATTRIBUTE matches the user ID.
- If an entry is found, perform a second bind (logon) to that entry by using
the user ID and password that were entered into the Content Manager OnDemand
logon panel.
- If the second bind is successful, locate the value of the attribute named in
ARS_LDAP_MAPPED_ATTRIBUTE in that entry.
- If the value is found, return it to Content Manager OnDemand.
The logon flow when Content Manager OnDemand is configured with anonymous bind
set to true:
- The user types the user ID and password in the Logon
to a Server panel of the Content Manager OnDemand client.
- The user ID and password are sent to the Content Manager OnDemand server to be
authenticated.
- The Content Manager OnDemand LDAP
authentication component connects to the LDAP server. If the LDAP
server is down or cannot be reached, the flow is based on the setting
of ARS_LDAP_OD_AUTHORITY_FALLBACK.
- If ARS_LDAP_OD_AUTHORITY_FALLBACK=FALSE (the default), the logon fails.
- If ARS_LDAP_OD_AUTHORITY_FALLBACK=TRUE, the logon falls back to the Content
Manager OnDemand logon (the password stored in the Content Manager OnDemand
database) and continues.
- The Content Manager OnDemand LDAP
authentication component searches the LDAP server for the user ID
that is under the attribute name specified in the ARS_LDAP_BIND_ATTRIBUTE configuration
parameter.
Remember: The user ID can be an e-mail address.
If the attribute name does not exist on the LDAP server, the logon
to the Content Manager OnDemand server
fails.
- If the attribute name is correct but the user ID does not exist
on the LDAP server, then the flow is based on the setting of ARS_LDAP_OD_AUTHORITY_FALLBACK.
- If the user ID exists on the LDAP server and the password is wrong,
the logon to the Content Manager OnDemand server
fails.
- If the user ID exists on the LDAP server and the password is correct,
the LDAP server returns a value to the Content Manager OnDemand server.
- You specify what is returned by setting the configuration parameter
ARS_LDAP_MAPPED_ATTRIBUTE to an attribute (field) name that is known to the
LDAP server. If this attribute name does not exist on the LDAP server, the
logon to the Content Manager OnDemand server fails.
- If the attribute name is correct, its value is returned. For example, if the
ID that is entered on the Content Manager OnDemand logon screen is J12345,
ARS_LDAP_MAPPED_ATTRIBUTE is set to odid, and the odid attribute of the J12345
entry is jasson1, then jasson1 is returned.
- If the returned value matches a user ID that is stored in the Content Manager
OnDemand server database, the user logs on. Otherwise, the logon fails. When
LDAP authentication succeeds, the Content Manager OnDemand password is not
checked.
Remember: If user ID and password case sensitivity is disabled (the default),
the user ID and password are converted to uppercase before they are sent to the
LDAP server. The user ID string that the LDAP server returns is then converted
to uppercase and compared with the user IDs that are stored in the database.
If Content Manager OnDemand user ID and password case sensitivity is enabled,
and the IDs stored in the Content Manager OnDemand database are in uppercase
(for example, because case sensitivity was disabled in the past), the ID that
LDAP returns must also be in uppercase; otherwise the logon fails.
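The whole flow described above (anonymous initial bind, search on the bind attribute, second bind to the entry found, mapped-attribute lookup, the ARS_LDAP_OD_AUTHORITY_FALLBACK cases and the case-folding rule) as an added example; this is not Content Manager OnDemand's own code. It runs against a constructed in-memory directory: FakeDirectory, LdapConfig, authenticate and the sample entries and user table are assumptions of the example, and the RFC 4515 filter escaping is the example's own precaution, not something the page states about how OnDemand builds its search filter.

```python
"""Model of the anonymous-bind logon flow. Added example, not Content Manager
OnDemand code: an in-memory directory stands in for the LDAP server and the
ARS_LDAP_* settings become fields of a config object (all assumptions)."""
import re
from dataclasses import dataclass


class LdapUnavailable(Exception): pass   # server down or unreachable
class UnknownAttribute(Exception): pass  # attribute name not on the server


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a user-supplied filter value, so an ID such as '*'
    cannot widen the search (this example's precaution, not stated by the page)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP server that allows anonymous bind.
    entries maps a DN to {"attrs": {name: value}, "password": str}."""
    schema: set
    entries: dict
    reachable: bool = True

    def anonymous_bind(self) -> None:
        if not self.reachable:
            raise LdapUnavailable("connection refused")

    def search(self, base_dn: str, ldap_filter: str) -> list:
        """DNs under base_dn matching '(attr=value)'. A bare '*' is a wildcard,
        '\\xx' escapes are literal, comparison is case-insensitive (caseIgnoreMatch)."""
        attr, _, raw = ldap_filter.strip("()").partition("=")
        if attr not in self.schema:
            raise UnknownAttribute(attr)
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base_dn) and attr in e["attrs"]
                and (raw == "*" or e["attrs"][attr].lower() == literal.lower())]

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def get_attribute(self, dn: str, attr: str):
        if attr not in self.schema:
            raise UnknownAttribute(attr)
        return self.entries[dn]["attrs"].get(attr)


@dataclass
class LdapConfig:
    bind_attribute: str                  # ARS_LDAP_BIND_ATTRIBUTE
    base_dn: str                         # ARS_LDAP_BASE_DN
    mapped_attribute: str                # ARS_LDAP_MAPPED_ATTRIBUTE
    od_authority_fallback: bool = False  # ARS_LDAP_OD_AUTHORITY_FALLBACK
    case_sensitive: bool = False         # OnDemand user ID/password case sensitivity


def authenticate(user_id, password, cfg, ldap, od_users):
    """Run one logon attempt; return (granted, reason). od_users maps OnDemand
    user ID to OnDemand password (assumed a plain comparison on fallback)."""
    if not cfg.case_sensitive:  # default: fold both values to uppercase first
        user_id, password = user_id.upper(), password.upper()

    def fallback(why):  # governed by ARS_LDAP_OD_AUTHORITY_FALLBACK
        if cfg.od_authority_fallback and od_users.get(user_id) == password:
            return True, why + "; OnDemand fallback ok"
        return False, why

    try:
        ldap.anonymous_bind()  # step 1: initial bind without credentials
    except LdapUnavailable:
        return fallback("ldap unreachable")
    flt = "(%s=%s)" % (cfg.bind_attribute, escape_filter_value(user_id))
    try:
        dns = ldap.search(cfg.base_dn, flt)  # step 2: find the user's entry
    except UnknownAttribute:
        return False, "bind attribute not on server"
    if len(dns) != 1:  # no entry falls back; several entries is treated as not found
        return fallback("user not found")
    if not ldap.bind(dns[0], password):  # step 3: second bind to that entry
        return False, "wrong password"
    try:
        mapped = ldap.get_attribute(dns[0], cfg.mapped_attribute)  # step 4
    except UnknownAttribute:
        return False, "mapped attribute not on server"
    if mapped is None:
        return False, "mapped attribute empty"
    if not cfg.case_sensitive:
        mapped = mapped.upper()
    if mapped not in od_users:  # step 5: value must be an existing OnDemand user ID
        return False, "mapped id %s not in OnDemand" % mapped
    return True, "ldap ok as %s" % mapped  # OnDemand password is not checked


BASE = "ou=people,dc=example,dc=com"  # constructed sample data follows
DIRECTORY = FakeDirectory(schema={"uid", "mail", "odid"}, entries={
    "uid=J12345," + BASE: {"password": "SECRET1", "attrs": {
        "uid": "J12345", "mail": "j12345@example.com", "odid": "jasson1"}},
    "uid=K99999," + BASE: {"password": "SECRET2", "attrs": {
        "uid": "K99999", "mail": "k99999@example.com"}},
})
OD_USERS = {"JASSON1": "ODPW1", "ADMIN": "ADMINPW"}  # IDs stored in uppercase
CONFIG = LdapConfig(bind_attribute="uid", base_dn=BASE, mapped_attribute="odid")
```

Calling authenticate("j12345", "secret1", CONFIG, DIRECTORY, OD_USERS) grants logon as JASSON1 without consulting the OnDemand password; the same call against a K99999 entry with no odid attribute, an unknown bind or mapped attribute name, or a wrong LDAP password fails, and only "server unreachable" and "user not found" ever reach the fallback. Two consequences worth noticing: with case sensitivity disabled the LDAP password itself is uppercased before the second bind, which is why the sample directory stores uppercase passwords, and with it enabled a lowercase odid value no longer matches an OnDemand table that holds uppercase IDs. Because anonymous bind lets any client that can reach the server run the same search, restrict what anonymous clients may read with the directory's access controls, and use TLS so the second bind does not send the user's password in the clear.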