Infrastructure Manager & UMP - Notes on using LDAP/AD for Authentication (screenName OR email address)

Document ID : KB000035074
Last Modified Date : 24/10/2018
Introduction:

Background:

Using screenName versus emailAddress for authentication to Infrastructure Manager and UMP. Information on using specific LDAP attributes is also included.
Environment:
UIM/UMP 7.x - 8.x
IMPORTANT: UMP does not currently support mixed use of both screen name and email address for authentication. You must use one or the other.

Instructions:

How to use specific LDAP attributes for Authentication to Infrastructure Manager and UMP - including how to control login type/format (short name/screenName versus emailAddress or vice versa)

After hub v5.69, the filter_user key (edited through Raw Configure) was changed to contain a dynamic value for $loginname: where the filter was previously hard-coded as userPrincipalName=$loginname, it now reads $attr_usr_id=$loginname.

Therefore, the attr_usr_id key (also modified through Raw Configure) can be set to any desired Active Directory attribute.

That attribute is then the one users must supply as their login name when authenticating to the hub (or UMP).

 

To configure UIM to use a specific Active Directory attribute, first configure the hub's LDAP settings.

LDAP can be configured to use standard LDAP port 389, SSL 636, or the Global Catalog port 3269.


If the "Use SSL" check box is selected, the default LDAP SSL port 636 is used unless a port is specified explicitly with the server name. Example: Server Name: AD.domain.com:636

Once that setting has been applied, the hub must be restarted to reload the new configuration. After the restart, log in as administrator and use the Raw Configure option to complete the customization.


Open the hub probe in Raw Configure mode and set the attr_usr_id key to the desired Active Directory attribute.

  • attr_usr_id = <AD User Attribute>   e.g. userPrincipalName, mail, displayName

Verify that the filter_user query references the $attr_usr_id variable:

  • filter_user = (&(objectClass=person)(|($attr_usr_id=$loginname)(sAMAccountName=$loginname)))

Once the OK button is clicked, the hub will automatically restart and UIM will be configured to use the new Active Directory attribute for login.
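The hub keys on this page (attr_usr_id, filter_user, and the format key changed in sections I and II below) are templates whose $-variables are substituted at login time. The following example is added here to make that substitution concrete; it is not the hub's own code. It assumes simple string replacement, and it additionally applies RFC 4515 escaping to the login value before it is placed in the filter, which this page does not describe; the key values are constructed for illustration.

```python
# Hub keys as they appear in Raw Configure (ldap -> templates -> Active Directory).
# Constructed values for illustration; the defaults on a real hub may differ.
HUB_KEYS = {
    "attr_usr_id": "userPrincipalName",
    "filter_user": "(&(objectClass=person)(|($attr_usr_id=$loginname)(sAMAccountName=$loginname)))",
    "format": "$username@$domain",
}

# RFC 4515 escapes for characters that are special inside an LDAP filter.
# Assumption: this page does not say how the hub treats such characters, so the
# example escapes the login value itself before substituting it into the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def resolve_login(keys, username, domain):
    """Apply the hub's format key: '$username@$domain', or '$username' after the change in sections I/II."""
    return keys["format"].replace("$username", username).replace("$domain", domain)


def resolve_filter(keys, loginname):
    """Expand filter_user: configuration variables first ($attr_usr_id), then the user-supplied $loginname.

    Doing the configuration pass first means the login value is never rescanned for template variables.
    """
    template = keys["filter_user"].replace("$attr_usr_id", keys["attr_usr_id"])
    return template.replace("$loginname", escape_filter_value(loginname))


def filters_per_attribute(keys, loginname, attributes):
    """Resolved filter for each candidate attr_usr_id value, e.g. the three attributes named on this page."""
    return {attr: resolve_filter({**keys, "attr_usr_id": attr}, loginname) for attr in attributes}


if __name__ == "__main__":
    candidates = ["userPrincipalName", "mail", "displayName"]
    for attr, filt in filters_per_attribute(HUB_KEYS, "jdoe@domain.com", candidates).items():
        print(f"{attr:18} {filt}")
```

Running the block prints the filter the directory would receive for each attribute choice; note that the sAMAccountName alternative stays in the OR clause regardless of attr_usr_id, which is why the short name keeps working after the change.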

 

I. Configuring Active Directory integration in the hub probe so that customers can log in with the short name (screen name) for both Infrastructure Manager and UMP:

 

Using screen name for login

First, to configure UMP to use 'screen name' for login, follow the steps below.

Once UMP is configured for screen name login, users can authenticate with their screen name to both Infrastructure Manager and UMP.

 

UMP

This procedure lets you choose the login type for UMP. Note that customers/installations usually have UMP configured to use screenName already. Follow the steps below to change the login type from emailAddress to screenName.

1. Deactivate wasp

2. Change the company.security.auth.type variable in C:\Program Files\Nimsoft\probes\service\wasp\webapps\ROOT\WEB-INF\classes\portal-ext.properties

    From:

       company.security.auth.type=emailAddress

    To:

       company.security.auth.type=screenName

 

3. Check the contents of rows in the portletpreferences table using this query:

 

select * from portletpreferences where portletId='LIFERAY_PORTAL';

 

If the preferences column contains anything other than <portlet-preferences /> continue with step 4, otherwise continue with step 5.

 

4. Delete all of the rows from the table using this SQL statement:

delete from PortletPreferences where portletId='LIFERAY_PORTAL';

 

5. Activate wasp

 

hub configuration

Now open the hub probe in Raw Configure (select the hub probe, hold down the SHIFT key, right-click and choose Raw Configure) and find the key-value pair under the ldap -> templates -> Active Directory section:

 

format = $username@$domain

and change it to:

format = $username

 

Now try to log in to both IM and UMP using the 'short' user name (screen name) to validate that it is working as expected. If there are any issues, check hub.log at loglevel 5.

 

II. Configuring Active Directory integration in the hub probe so that customers can log in with their email address for both Infrastructure Manager and UMP:

 

Using email address for login:

1. Open the hub probe in Raw Configure mode and add or change the existing 'out of the box' defaults for the following settings to:

 

filter_user=(&(objectClass=person)(|(userPrincipalName=$loginname)(mail=$loginname)(sAMAccountName=$loginname)))

format=$username

 

2. Deactivate the wasp probe

 

3. Edit the UMP portal-ext.properties file

<UIM_Install_Dir>\probes\service\wasp\webapps\ROOT\WEB-INF\classes\portal-ext.properties

-> Change the value of company.security.auth.type from screenName to emailAddress, so the line reads company.security.auth.type=emailAddress

 

4. Remove all instances of the screenName parameter from the portalpreferences table in the UIM backend database

Run the following query:

select * from portalpreferences where preferences like '%screenName%'

If there are no rows in the preferences column that contain the screenName parameter, go to step 5 below.

 

Otherwise, issue the following command to delete all rows that contain screenName from the table:

delete from portalpreferences where preferences like '%screenName%'

 

5. Activate wasp

Now try to log in to both IM and UMP using the 'short' user name (screen name) to validate that it is working as expected. If there are any issues, check hub.log at loglevel 5.
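Because UMP does not support mixing the two login types, the portal-ext.properties setting and the hub's Active Directory template have to agree after either procedure above. The following consistency check is an added example, not a CA tool: it reads a constructed portal-ext.properties line and a constructed fragment of the hub's raw configuration (assumed to use the hub's <section> ... </section> layout with key = value lines) and reports the mismatches a practitioner would otherwise discover in hub.log.

```python
import re

# Constructed sample of the UMP portal-ext.properties line that the procedures above change.
PORTAL_EXT_SAMPLE = "company.security.auth.type=screenName\n"

# Constructed fragment of the hub's raw configuration (ldap -> templates -> Active Directory),
# written in the assumed <section> ... </section> layout with only the keys this page discusses.
# The format key is still at its out-of-the-box value, so the check below should flag it.
HUB_CFG_SAMPLE = """\
<ldap>
   <templates>
      <Active Directory>
         format = $username@$domain
         filter_user = (&(objectClass=person)(|($attr_usr_id=$loginname)(sAMAccountName=$loginname)))
         attr_usr_id = userPrincipalName
      </Active Directory>
   </templates>
</ldap>
"""


def parse_properties(text):
    """Minimal key=value reader for portal-ext.properties (comments and blank lines skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def parse_hub_section(text, path):
    """Return the key = value pairs found directly inside the section named by `path`."""
    stack, found = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        opened = re.fullmatch(r"<([^/>][^>]*)>", line)
        closed = re.fullmatch(r"</([^>]+)>", line)
        if opened:
            stack.append(opened.group(1))
        elif closed:
            if stack and stack[-1] == closed.group(1):
                stack.pop()
        elif tuple(stack) == tuple(path) and "=" in line:
            key, _, value = line.partition("=")
            found[key.strip()] = value.strip()
    return found


def check_login_consistency(portal_ext_text, hub_cfg_text):
    """Compare UMP's auth type with the hub's AD template; returns a list of findings (empty = consistent)."""
    auth_type = parse_properties(portal_ext_text).get("company.security.auth.type")
    ad = parse_hub_section(hub_cfg_text, ("ldap", "templates", "Active Directory"))
    # Expand $attr_usr_id so the filter can be inspected for the attribute actually matched.
    filt = ad.get("filter_user", "").replace("$attr_usr_id", ad.get("attr_usr_id", ""))
    findings = []
    if auth_type not in ("screenName", "emailAddress"):
        findings.append(f"UMP auth type is {auth_type!r}; expected screenName or emailAddress")
    if ad.get("format") != "$username":
        findings.append(f"hub format is {ad.get('format')!r}; both procedures on this page set it to $username")
    if auth_type == "screenName" and "(sAMAccountName=$loginname)" not in filt:
        findings.append("screenName login needs (sAMAccountName=$loginname) in filter_user")
    if auth_type == "emailAddress" and "(mail=$loginname)" not in filt:
        findings.append("emailAddress login needs (mail=$loginname) in filter_user")
    return findings


if __name__ == "__main__":
    for finding in check_login_consistency(PORTAL_EXT_SAMPLE, HUB_CFG_SAMPLE) or ["consistent"]:
        print(finding)
```

Point the two sample constants at the real portal-ext.properties contents and the Active Directory section exported from Raw Configure to run the same check against a live installation; an empty result means the hub and UMP agree on the login type.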

 

 

 

File Attachments:
TEC000003853.zip