Some LDAP servers are set up to require a non-anonymous bind for the initial
connection to the LDAP server. In
OnDemand logon with the LDAP authentication and anonymous binding, the term "anonymous bind"
was used. An LDAP server can also be set up to disallow the "anonymous
bind", or to allow only the "non-anonymous bind". The Microsoft® Windows®
Active Directory® (AD) server can only be set up to use the "non-anonymous
bind". When an LDAP server is set up this way, it is not "open" to
the world. It is like a locked building that requires a key or badge
to enter. In this analogy, the individual offices might or might not
be locked. The individual offices are analogous to the entries in
the LDAP server.
There are essentially two logons to an LDAP server
that disallows the "anonymous bind" during the LDAP authentication
process. The first logon (the initial bind) is required to gain connection
to the LDAP server, and the second logon (the bind) is required to
gain access to the entry or the record.
To connect to this type
of LDAP server, you must supply a valid user ID and password at the
initial bind time. It is like entering a locked building that requires
a key or badge to enter. The initial bind ID and password are stored
in the LDAP configuration under the parameters ARS_LDAP_BIND_DN and ARS_LDAP_BIND_DN_PWD,
and are not entered by the user at logon time. When you are connected,
you can perform the search. When you find a record, you might need
to supply a password to access the record's information.
Starting with Content Manager OnDemand V9.0,
both parameters, ARS_LDAP_BIND_DN and ARS_LDAP_BIND_DN_PWD, were
moved to the instance stash file and are no longer specified in ars.cfg on
Unix or in the Windows registry on Windows. If ARS_LDAP_ALLOW_ANONYMOUS is
set to FALSE, both parameters must exist in the instance stash file
or the LDAP authentication fails. On Windows, use the Content Manager OnDemand Configurator to enter or
change those parameter values. On Unix, use the arsstash command
to enter the values for the ARS_LDAP_BIND_DN and ARS_LDAP_BIND_DN_PWD parameters.
You can also use the arsstash command on Windows
to enter values for those parameters.
The non-anonymous bind
LDAP authentication process:
- Connect to the LDAP server (the initial bind) with the user ID
and password that are specified under the parameters ARS_LDAP_BIND_DN and ARS_LDAP_BIND_DN_PWD.
- If the initial bind is successful, search for an entry under the
bind attribute name that is specified in ARS_LDAP_BIND_ATTRIBUTE at
the location specified by ARS_LDAP_BASE_DN.
- If an entry is found, perform a second bind (logon) to it using
the user ID and password entered into the Content Manager OnDemand logon panel.
- If the second bind is successful, locate the value under the mapped
attribute name that is specified in ARS_LDAP_MAPPED_ATTRIBUTE.
- If a value is found, return it to Content Manager OnDemand.
Logon flow when Content Manager OnDemand is configured to disallow
the anonymous bind (ARS_LDAP_ALLOW_ANONYMOUS set to FALSE):
- The user types the user ID and password in the Logon
to a Server panel of the Content Manager OnDemand client.
- The user ID and password are sent to the Content Manager OnDemand server to be authenticated.
- The Content Manager OnDemand LDAP authentication
component connects to the LDAP server. If the LDAP server is down
or cannot be reached, the flow depends on the setting of ARS_LDAP_OD_AUTHORITY_FALLBACK:
  - If ARS_LDAP_OD_AUTHORITY_FALLBACK=FALSE (the default),
  the logon fails.
  - If ARS_LDAP_OD_AUTHORITY_FALLBACK=TRUE, the logon
  reverts to the Content Manager OnDemand logon and continues.
- If the LDAP server can be reached, the Content Manager OnDemand LDAP authentication component
connects to the LDAP server with the LDAP user ID and password that
are specified in the ARS_LDAP_BIND_DN and ARS_LDAP_BIND_DN_PWD parameters.
- If the user ID and password are valid, the connection is established.
Depending on the LDAP server setup, this user ID might need to have
some administrative authority.
  - For the Windows™ Active Directory server, the default is that
  any valid user ID that is a member of the domain can be used for
  this initial logon to the LDAP server.
  - This is the first logon. If it fails, the logon to the Content Manager OnDemand server fails.
- After the connection is made, the Content Manager OnDemand LDAP authentication component
searches the LDAP server for the user ID that is under the attribute
name specified in the ARS_LDAP_BIND_ATTRIBUTE configuration
parameter.
Remember: The user ID can be an e-mail address.
If the attribute name does not exist on the LDAP server, the logon
to the Content Manager OnDemand server fails.
- If the attribute name that is specified in the ARS_LDAP_BIND_ATTRIBUTE parameter
is correct but the user ID does not exist on the LDAP server, the
flow depends on the setting of ARS_LDAP_OD_AUTHORITY_FALLBACK.
For example, this is the case if ARS_LDAP_BIND_ATTRIBUTE=mail and
the user entered jscott@us.ibm.com in the Content Manager OnDemand logon panel, but that e-mail
address does not exist on the LDAP server.
- If the user ID exists on the LDAP server and the password is wrong,
the logon to the Content Manager OnDemand server
fails.
- If the user ID exists on the LDAP server and the password is correct,
the LDAP server returns a value to the Content Manager OnDemand server.
- If the mapped attribute name is correct, a value is returned. If the returned value matches a user ID
that is stored in the Content Manager OnDemand server database, the user logs
on. Otherwise, the logon fails. The Content Manager OnDemand password is not
checked if the LDAP authentication is successful.
Remember: If the user ID and password case sensitivity
is disabled (the default), the user ID and password are converted
to uppercase before they are sent to the LDAP server. The returned
user ID string from the LDAP server is then converted to uppercase
and compared with the user IDs that are stored in the database.
If the Content Manager OnDemand user ID that is stored is in uppercase,
the user ID case sensitivity is enabled, and the returned user ID
is in lowercase, then the logon fails.
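The two-bind process listed under "The non-anonymous bind LDAP authentication process" and the logon flow with its failure and fallback branches (including the case-sensitivity rule just above) can be traced as one decision function. The following is an added example, not code from IBM or from Content Manager OnDemand: it models the flow against a constructed in-memory directory (FakeLdapServer stands in for a real LDAP client library), and the DNs, user IDs and passwords are made-up sample data. The outcome "FALLBACK" means the logon reverts to the Content Manager OnDemand logon, as ARS_LDAP_OD_AUTHORITY_FALLBACK=TRUE prescribes.

```python
"""Model of the Content Manager OnDemand non-anonymous bind LDAP logon flow.
All directory entries, user IDs and passwords are constructed sample data;
FakeLdapServer is a stand-in for a real LDAP client library."""
from dataclasses import dataclass


@dataclass
class LdapConfig:
    """Subset of the ARS_LDAP_* parameters discussed in the text."""
    bind_dn: str                          # ARS_LDAP_BIND_DN (from the stash file)
    bind_dn_pwd: str                      # ARS_LDAP_BIND_DN_PWD (from the stash file)
    base_dn: str                          # ARS_LDAP_BASE_DN
    bind_attribute: str                   # ARS_LDAP_BIND_ATTRIBUTE, e.g. "mail"
    mapped_attribute: str                 # ARS_LDAP_MAPPED_ATTRIBUTE, e.g. "uid"
    od_authority_fallback: bool = False   # ARS_LDAP_OD_AUTHORITY_FALLBACK
    case_sensitive: bool = False          # user ID/password case sensitivity (default off)


@dataclass
class FakeLdapServer:
    """Constructed in-memory directory: DN -> {"password": ..., "attrs": {...}}."""
    entries: dict
    schema: set            # attribute names the server knows about
    reachable: bool = True

    def bind(self, dn, password):
        if not self.reachable:
            raise ConnectionError("LDAP server cannot be reached")
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search(self, base_dn, attribute, value):
        """DNs under base_dn whose attribute equals value (case-ignoring match,
        as LDAP applies to mail/uid). None means the attribute is not in the schema."""
        if attribute not in self.schema:
            return None
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and e["attrs"].get(attribute, "").lower() == value.lower()]

    def get_attribute(self, dn, attribute):
        return self.entries[dn]["attrs"].get(attribute)


def ldap_logon(cfg, server, user_id, password, od_user_ids):
    """Return (outcome, detail) for one logon attempt; outcome is
    'OK', 'FAIL' or 'FALLBACK' (continue with the OnDemand logon)."""
    if not cfg.case_sensitive:          # converted before being sent to LDAP
        user_id, password = user_id.upper(), password.upper()

    # Step 1: initial bind with the stashed service credentials.
    try:
        if not server.bind(cfg.bind_dn, cfg.bind_dn_pwd):
            return "FAIL", "initial bind rejected"
    except ConnectionError:
        if cfg.od_authority_fallback:
            return "FALLBACK", "LDAP server unreachable"
        return "FAIL", "LDAP server unreachable and fallback disabled"

    # Step 2: search for the user ID under the bind attribute below the base DN.
    hits = server.search(cfg.base_dn, cfg.bind_attribute, user_id)
    if hits is None:
        return "FAIL", f"attribute {cfg.bind_attribute} does not exist on the LDAP server"
    if not hits:
        if cfg.od_authority_fallback:
            return "FALLBACK", "user ID not found in LDAP"
        return "FAIL", "user ID not found in LDAP and fallback disabled"

    # Step 3: second bind as the entry found, with the password the user typed.
    user_dn = hits[0]
    if not server.bind(user_dn, password):
        return "FAIL", "wrong password for " + user_dn

    # Step 4: read the mapped attribute and compare with the OnDemand user IDs.
    mapped = server.get_attribute(user_dn, cfg.mapped_attribute)
    if mapped is None:
        return "FAIL", f"no {cfg.mapped_attribute} value on {user_dn}"
    candidate = mapped if cfg.case_sensitive else mapped.upper()
    if candidate in od_user_ids:
        return "OK", candidate          # the OnDemand password is not checked
    return "FAIL", f"returned ID {candidate!r} is not an OnDemand user"


# Constructed sample directory and configuration (hypothetical DNs and values).
def sample_server(reachable=True):
    return FakeLdapServer(
        entries={
            "cn=odbind,ou=service,dc=example,dc=com":
                {"password": "BINDSECRET", "attrs": {}},
            "cn=J Scott,ou=people,dc=example,dc=com":
                {"password": "PASSW0RD",
                 "attrs": {"mail": "jscott@example.com", "uid": "jscott"}},
        },
        schema={"cn", "mail", "uid"},
        reachable=reachable,
    )


SAMPLE_CFG = LdapConfig(bind_dn="cn=odbind,ou=service,dc=example,dc=com",
                        bind_dn_pwd="BINDSECRET", base_dn="dc=example,dc=com",
                        bind_attribute="mail", mapped_attribute="uid")

if __name__ == "__main__":
    od_users = {"JSCOTT"}   # IDs stored (uppercase) in the OnDemand database
    print(ldap_logon(SAMPLE_CFG, sample_server(), "jscott@example.com", "passw0rd", od_users))
    print(ldap_logon(SAMPLE_CFG, sample_server(reachable=False), "jscott@example.com", "passw0rd", od_users))
```

Note that the stashed bind password is sent as stored, while the user's ID and password are uppercased only when case sensitivity is off; with case sensitivity on, a lowercase uid returned for a user stored as JSCOTT fails the final comparison, which is the failure the note above describes.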