Clarity


LDAP Authentication

  • 1.  LDAP Authentication

    Posted Aug 06, 2008 09:55 PM
    Hi, we are now integrating with LDAP. We are using Clarity 7.5.2 Fixpack 02. We have configured LDAP in NSA. We are just using it for authentication from LDAP, no authorization with access rights. We just want to get authenticated from LDAP and log in to Clarity. The access rights will be controlled in Clarity itself, so we are not using the 2 LDAP jobs. We are able to log in using the LDAP userid / pwd, but the issue we are facing is that even though the user is configured in LDAP, if the LDAP user wrongly types the password more than 3 times then it gets locked in Clarity. It shouldn't do so because the user has chosen External Authentication and in cmn_sec_users the IS_LDAP field is set to 1. Why is it also validating in the Clarity database here? What is wrong? We want the authorization to happen only in LDAP, not in Clarity. Will anybody help us in solving the issue?


  • 2.  Re: LDAP Authentication Issue

    Posted Aug 07, 2008 01:50 AM
    Hi, perhaps I need to explain in detail. We are now planning to integrate with LDAP. We are using Clarity 7.5.2 Fix Pack 02. We have configured LDAP in NSA. We are facing one issue on our development server. We are just using it for authentication from LDAP, no authorization with access rights. We just want to get authenticated from LDAP and log in to Clarity. We are able to log in using the LDAP userid / pwd, but the issue we are facing is that even though the user is configured in LDAP, if the LDAP user wrongly types the password more than 3 times then it gets locked in Clarity. It shouldn't do so because the user has chosen External Authentication and in cmn_sec_users the IS_LDAP field is set to 1.

    I will explain the scenario in detail. Besides Clarity we are using PeopleSoft as our ERP. All the users are first created in PeopleSoft and then come to Clarity. The authentication for PeopleSoft is done via LDAP, so all our users already exist in LDAP as well. The first_name, last_name and email of the users are updated in Clarity through a batch process from our ERP PeopleSoft. So we presumed that we don't need the LDAP jobs to do anything; we simply need authentication done via LDAP. We also want non-LDAP users such as Admin to use Clarity, so we selected "Allow Non LDAP Users" in NSA.

    After setting up the LDAP settings in NSA, we liaised with our LDAP administrator for the config. After that we tested with some users and found that we are able to log in. Then when I tried logging in using the wrong pwd 3 times, it got locked in Clarity. We are surprised because that should be done in LDAP, not in Clarity. In the DB we find that IS_LDAP=1 for my user id. Then why is it locking in Clarity?

    I have enclosed the properties.xml file for your reference and also a snapshot of the LDAP user setup in the application instance and the cmn_sec_users table data for an LDAP resource. We want to do the authentication only. I don't know what went wrong; maybe we have missed something. Please help us to solve this problem.

    Regards,
    J. Sundar

    Attachment(s)

    zip
    LDAP.zip   90 KB 1 version


  • 3.  Re: LDAP Authentication Issue

    Posted Aug 08, 2008 11:16 AM
    Hi Sundar, I am not sure about the 7.5.2 version of Clarity, but when I used the 7.5.3 version with LDAP enabled, the Clarity account did not get locked if the user entered an invalid password even 5 times. In the Clarity admin tool, under Admin Tool -> System Options -> Session Options, what value is set for Invalid Login Limit? -Siva


  • 4.  Re: LDAP Authentication Issue

    Posted Aug 09, 2008 11:01 PM
    Hi Siva, thanks for your reply. We have set the Invalid Login Limit to 3. I can set it to 0 so that it does not get locked in Clarity, but my question is why it is checking in the Clarity DB. We don't want to be validated both in LDAP and in Clarity. Regards, J. Sundar


  • 5.  Re: LDAP Authentication Issue

    Posted Aug 11, 2008 02:05 PM
    Educate me please: is the LDAP sync really supposed to be doing the authentication in Clarity, or just bringing the user ID and related data into Clarity, so that without SSO the authentication will always be in Clarity? Martti K.


  • 6.  Re: LDAP Authentication Issue

    Posted Aug 12, 2008 08:29 PM
    Martti, the LDAP is supposed to do the authentication in Clarity. Regards, J. Sundar


  • 7.  Re: LDAP Authentication Issue

    Posted Aug 13, 2008 12:13 AM
    Thanks, but sorry to say I am hard to learn. The admin guide says:

    Enabling LDAP and Single Sign-on

    If your users use several applications, it can be beneficial to implement a Lightweight Directory Access Protocol (LDAP) interface to authorize user access across all the applications. Instead of storing user access information separately for each application, a central directory server controls access so that users can have one username and password for all applications. Clarity supports the LDAP v2 (simple) protocol and uses a small subset of LDAP functionality including authentication (clear text or SSL), binding, and searching. Session-based cookies carry a token that is used to access session data and is persisted in the cache for single application environments or in a database for clustered environments. The user's web browser must accept cookies from the Clarity application, which are session-based, so they are never written to disk. When the user logs out, session information in the database and cache that correspond to the cookie are deleted. Clarity's LDAP Synchronize New and Changed Users job synchronizes LDAP entries. It then stores the last date and time the job ran successfully and stores information in the CMN_DIRECTORY_SERVERS database table. The next time the background job runs, it synchronizes only recently-created or changed user entries where the timestamp is greater than the value found in the CMN_DIRECTORY_SERVERS.LAST_SYNC_DATE property. Clarity does not check whether a user found in a Clarity group or in a search specified in the NSA is active or inactive in LDAP. Clarity checks only whether a user is present in a Clarity group or whether an attribute being searched for is present in Clarity. Clarity does not recognize nested Clarity groups. Before running LDAP synchronization jobs, ensure that users are associated with Clarity groups that the NSA search can find. Users in nested Clarity groups will not be checked when the LDAP synchronization jobs are run. If a user is deactivated on the LDAP server, the next time the synchronization job runs the user is deactivated in Clarity. If the user is re-activated on the LDAP server the user will not be re-activated in Clarity; you will need to re-activate the resource.

    and

    Implementing Single Sign-on (SSO)

    Single sign-on (SSO) allows users to access multiple systems using a single username and password. Once the server uses information that is stored in the LDAP directory to authenticate a user's identity, it allows access to the user's access privileges.

    Comparing the last sentence in the first paragraph and the SSO paragraph sounds to me a lot like: LDAP sync is not SSO but just storing IDs and passwords and not doing the authentication.

    Am I missing something, or am I just hard to learn?

    Martti K.


  • 8.  Re: LDAP Authentication Issue

    Posted Aug 17, 2008 08:29 AM
    Dear Martti, I will summarize what we have done.

    1. We want to use LDAP only for authentication of username / pwd.
    2. We are not using the 2 LDAP jobs, since all users existing in LDAP already exist in our Clarity environment. We don't want to update the user credentials or create the users based on LDAP, as we are integrated with the PeopleSoft ERP, which is the master database for resources; all users will be there, so we just want to check the username / pwd validation via LDAP.
    3. We have done the settings in NSA (I have enclosed the NSA settings as an attachment in my earlier message).
    4. We have set the bad session login count = 3 in Clarity Admin, the same as in LDAP.
    5. We want to handle non-LDAP users also (Admin, etc.), so we selected Non LDAP Users in NSA.

    During our testing we found that it works well except for one condition where it failed. When we wrongly type a pwd 3 times in Clarity, it gets locked in LDAP and also in Clarity. So even though we released the lock in LDAP, the user is still not able to log in to Clarity after entering the correct password, because Clarity has locked the user. So we need to activate the user in Clarity and then it allows the user to log in to Clarity.

    So from what I understand: all Clarity does is read from the LDAP server to see if the username and password are correct. Clarity does not actually log the user in on the LDAP side. It just reads from the LDAP server to see if their credentials (username and password) are correct or not. If they are correct, and the user exists in Clarity, is active and not locked out, the user is allowed in with the rights associated to that userid. Is my understanding correct? Is this the way the product behaves?

    So the only way to handle this, since we need to implement LDAP authentication, is to set bad login count = 0 and proceed with it. What is your suggestion?

    Regards,
    Sundar


  • 9.  Re: LDAP Authentication Issue
    Best Answer

    Posted Aug 20, 2008 01:41 AM
    Sorry to say that is above my knowledge. You do not have to run the LDAP jobs of syncing IDs and passwords and deleting obsolete users if you maintain the situation manually. If you say authentication works without logging into Clarity, I take your word for it. I am wondering why you have the SSO setting as false and the URLs for logout and error are no good. Apparently you do not use them in logging in and getting authenticated. But then you say if you log in three times with a wrong password or something you get locked out. The lock persists in Clarity even if it is released in LDAP. That is something I would expect to be handled by the synchronizing job (the next time it is run). If the job is not run then you would have to fix it manually, the same as you do with IDs and passwords. I'd rather try the same bad login count in Clarity as in LDAP, or 0 in Clarity. Martti K.


  • 10.  Re: LDAP Authentication Issue

    Posted Sep 01, 2008 04:45 AM
    Dear Martti, thanks for pointing out the SSO part. I have removed the URLs. We have now set the bad login count = 0 and tested with a few users. For tracing the error I set debug mode for com.niku.security and found the logs to be elaborate ones; I have also enclosed the logs. Still, one issue which worries me is that if a user tries to log in using the wrong pwd 3 times, it gets locked in LDAP (in LDAP the limit is 3), but when the user tries to log in the next time, Clarity will still show the same error, "CMN-01002: User name and password invalid. Note that the password is case-sensitive.", instead of "your account is locked". Since we have set the bad login count = 0 and the user is active in Clarity, it is showing the above-mentioned error. Any way to handle this? Regards, J. Sundar

    Attachment(s)

    doc
    app niku log.doc   123 KB 1 version


  • 11.  Re: LDAP Authentication Issue

    Posted Sep 01, 2008 04:52 AM
    Not really. You could go to the error messages and append this error message with "... or your account is locked" at the end. Martti K.


  • 12.  Re: LDAP Authentication Issue

    Posted Sep 01, 2008 11:48 PM
    Hi, which table or lookup has these error descriptions shown on the login page? Regards, Sundar


  • 13.  Re: LDAP Authentication Issue

    Posted Sep 02, 2008 12:54 AM
    Try ..\Clarity\resource\messages_en.properties under # security. For modifications you need approval from CA. Martti K.


  • 14.  Re: LDAP Authentication Issue

    Posted Sep 02, 2008 03:16 AM
    Please note that if you change this message it will also apply to non-LDAP resources when they enter a wrong password.

    Thanks,
    -Naman.


  • 15.  Re: LDAP Authentication Issue

    Posted Sep 02, 2008 05:23 AM
    Hi, I am trying that on our dev server. But even though I changed the specific message in messages_en.properties and restarted the app, the same message is displayed, not the modified one. Am I missing something here? Sundar


  • 16.  Re: LDAP Authentication Issue

    Posted Sep 02, 2008 06:28 AM
    I think about ten posts ago I wrote that this is beyond my expertise. If restarting the services does not do it, then the next thing to look at is the server and browser caches. Yes, definitely, if you change the message and get it displayed somewhere, you will get the modified message everywhere you would normally get the standard message. Martti K.


  • 17.  Re: LDAP Authentication Issue

    Posted Sep 02, 2008 08:59 AM
    Martti, thanks a ton. Able to do it.


  • 18.  Re: LDAP Authentication Issue

    Posted Sep 01, 2008 09:52 PM
    Sundar, I think this is the way Clarity should behave, because that user is not locked in Clarity. The user is active in Clarity, and LDAP doesn't tell Clarity that the user is locked on the LDAP side. LDAP just rejects the user when it is locked, so Clarity will show that the username or password is invalid. Please confirm it works fine after the user is unlocked in LDAP. Thanks, -Naman.
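A constructed model of the behaviour the thread settles on in posts 8 and 18 (an added example, not Clarity's or CA's code; the Account, FakeLdap, login and run_scenario names, the "jsundar" account and the 3-attempt limits are assumptions): both sides keep their own bad-login counter, a simple bind against a locked directory entry fails exactly like a wrong password, and only an Invalid Login Limit of 0 stops the application from locking an IS_LDAP = 1 user on its own.

```python
from dataclasses import dataclass

@dataclass
class Account:                # constructed stand-in for an LDAP entry or a cmn_sec_users row
    password: str = ""
    failures: int = 0
    locked: bool = False
    active: bool = True
    is_ldap: bool = False     # Clarity side only: IS_LDAP = 1 means validate externally

class FakeLdap:               # simulated directory with its own bad-login limit (3 in the thread)
    def __init__(self, users, limit=3):
        self.users, self.limit = users, limit
    def bind(self, username, password):
        # A simple bind against a locked entry fails exactly like a wrong password:
        # the application only learns "invalid credentials", never "locked".
        u = self.users.get(username)
        if u is not None and not u.locked and u.password == password:
            u.failures = 0
            return True
        if u is not None and not u.locked:
            u.failures += 1
            u.locked = u.failures >= self.limit
        return False

def login(clarity_users, ldap, invalid_login_limit, username, password):
    """Return "OK" or the generic error code the login page shows."""
    user = clarity_users.get(username)
    if user is None or not user.active or user.locked:
        return "CMN-01002"
    ok = ldap.bind(username, password) if user.is_ldap else user.password == password
    if ok:
        user.failures = 0
        return "OK"
    # The local counter runs for LDAP users too; limit 0 disables it (the thread's workaround).
    if invalid_login_limit > 0:
        user.failures += 1
        user.locked = user.failures >= invalid_login_limit
    return "CMN-01002"

def run_scenario(invalid_login_limit, unlock_ldap=True):
    """Three wrong passwords, optionally an admin unlock in LDAP only, then the right one."""
    ldap = FakeLdap({"jsundar": Account(password="Right1")})
    clarity = {"jsundar": Account(is_ldap=True)}
    codes = [login(clarity, ldap, invalid_login_limit, "jsundar", "wrong") for _ in range(3)]
    if unlock_ldap:
        ldap.users["jsundar"].locked, ldap.users["jsundar"].failures = False, 0
    codes.append(login(clarity, ldap, invalid_login_limit, "jsundar", "Right1"))
    return codes, clarity["jsundar"].locked, ldap.users["jsundar"].locked
```

With the limit at 3 on both sides the Clarity lock survives the LDAP unlock; with 0 the user gets in after the LDAP unlock, and while the LDAP lock is still in place the application can only report CMN-01002.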