Layer7 Access Management


How to authenticate against multiple directories

  • 1.  How to authenticate against multiple directories

    Posted 07-20-2017 02:15 AM

    Hi,

    I have a question regarding authentication against multiple directories.

    I have 3 user directories mapped to a domain: A, B and C, in that order.

    There are three users X, Y and Z present in user directories A, B and C respectively, with the same user id and password.

    Now when user Y accesses the resource, which user directory will user Y be authenticated against?

    I would really appreciate it if the reply gave a more detailed explanation of the answer.

    Regards,

    Pankaj Sharma



  • 2.  Re: How to authenticate against multiple directories
    Best Answer

    Posted 07-21-2017 02:25 AM

    Hi Pankaj,

    The order of the user directories defines which directory the user is authenticated against first.

    • You can change the order by using the up and down arrow keys.
    • If the user fails authentication against one directory (store), the Policy Server stops processing the authentication request and returns the OnAuthReject response (i.e. the user fails to authenticate).
    • If the user is authenticated but disabled in a user store, it continues searching for the user in all stores that are associated with the policy domain. The user fails authentication only if the Policy Server finds the user disabled in all associated user stores. This behavior, however, can be changed by setting the ReturnOnDisabledUser registry key to 1. Reference: Authentication Schemes - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

    Let me know if that clarifies your question.

    Regards,

    Ujwol



  • 3.  Re: How to authenticate against multiple directories

    Posted 07-21-2017 03:18 AM

    Hi Ujwol,

    My query is more about three different users present in three different directories.

    Users X, Y and Z are present in directories A, B and C respectively, and all three users have user id usr1 and password pwd11.

    The order in which the user directories are present in the domain is A, B and C.

    Now when user Y, who is present in directory B, tries to access the resource, it will be authenticated against user directory A first.

    The user id with which Y has logged in is usr1 and the password is pwd11; the same user id and password are present in directory A, but user Y is not present in directory A.

    So how will authentication work here?

    Please let me know if I have explained the query properly; otherwise I will try to reframe it.

    Regards,

    Pankaj Sharma



  • 4.  Re: How to authenticate against multiple directories

    Posted 07-21-2017 03:36 AM

    Hi Pankaj,

    If the user is found in a user store, it is authenticated against that same user directory.

    So, as the user id for user Y is found in user directory A, it will be authenticated against directory A.

    Regards,

    Ujwol



  • 5.  Re: How to authenticate against multiple directories

    Posted 07-21-2017 04:08 AM

    Hi Ujwol,

    Thank you for the response.

    I understand that Y would be authenticated against directory A, but that should not be the case, as Y should only be authenticated against directory B.
    Can we rectify this behavior? Is there any way we can implement this solution so that user Y always authenticates against directory B?

    Also, how would authorization be handled for user Y? As the policy server would have the full user DN of Y, can it then only be authorized against directory B?

    Regards,

    Pankaj Sharma



  • 6.  Re: How to authenticate against multiple directories

    Posted 07-24-2017 03:23 AM

    Hi Pankaj,

    This looks like a misconfiguration to me.

    The only way to avoid this is by configuring your directories such that the users are found in only one directory (this may be possible by changing the search base/scope?).

    Regards,

    Ujwol
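
The ordered-lookup behaviour described in this thread (posts 2, 4 and 6) is easy to misread, so here is an added worked model of it. This is a hypothetical simulation written for this page, not CA Single Sign-On code: the directory names A/B/C, the DNs, the `usr1`/`pwd11` credentials and the `search_base` attribute are constructed, and `return_on_disabled_user` stands in for the `ReturnOnDisabledUser` registry key from the best answer. It reproduces the thread's outcome (Y is resolved to the entry in A), adds a check that reports user ids visible in more than one directory of a domain, and shows the search-base remediation suggested in the last reply.

```python
"""Simulation of ordered user-directory lookup in a policy domain.

Added example for this thread; a hypothetical model, not CA Single Sign-On
code. Directory names, DNs, user ids and passwords are constructed data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    dn: str            # full DN the policy server would carry into authorization
    password: str      # plaintext only because this is a simulation
    disabled: bool = False


@dataclass
class Directory:
    name: str
    search_base: str   # a lookup only sees entries under this base (assumed model)
    entries: Dict[str, Entry] = field(default_factory=dict)  # uid -> Entry

    def lookup(self, user_id: str) -> Optional[Entry]:
        entry = self.entries.get(user_id)
        if entry is not None and entry.dn.endswith(self.search_base):
            return entry
        return None


def authenticate(domain_dirs: List[Directory], user_id: str, password: str,
                 return_on_disabled_user: bool = False
                 ) -> Tuple[str, Optional[str], Optional[str]]:
    """Walk the directories in domain order; return (outcome, directory, dn).

    - The first directory that contains the user id is the one the password is
      checked against; a mismatch there rejects the request (OnAuthReject)
      without consulting later stores.
    - A disabled user that authenticates makes the search continue into the
      remaining stores, unless return_on_disabled_user is set (modelling the
      ReturnOnDisabledUser=1 setting mentioned in the thread).
    """
    first_disabled: Optional[Tuple[str, str]] = None
    for d in domain_dirs:
        entry = d.lookup(user_id)
        if entry is None:
            continue                                   # not in this store, try next
        if entry.password != password:
            return ("rejected", d.name, None)          # stop here: OnAuthReject
        if entry.disabled:
            if return_on_disabled_user:
                return ("disabled", d.name, entry.dn)
            first_disabled = first_disabled or (d.name, entry.dn)
            continue                                   # look for an enabled copy
        return ("accepted", d.name, entry.dn)
    if first_disabled:
        return ("disabled", first_disabled[0], first_disabled[1])
    return ("rejected", None, None)                    # user id in no store


def find_collisions(domain_dirs: List[Directory]) -> Dict[str, List[str]]:
    """Defender check: user ids visible in more than one directory of the domain."""
    seen: Dict[str, List[str]] = {}
    for d in domain_dirs:
        for uid in d.entries:
            if d.lookup(uid) is not None:
                seen.setdefault(uid, []).append(d.name)
    return {uid: names for uid, names in seen.items() if len(names) > 1}


def build_thread_scenario() -> List[Directory]:
    """Constructed data: X, Y, Z in A, B, C, all with uid usr1 / password pwd11."""
    a = Directory("A", "dc=a", {"usr1": Entry("uid=usr1,ou=people,dc=a", "pwd11")})
    b = Directory("B", "dc=b", {"usr1": Entry("uid=usr1,ou=people,dc=b", "pwd11")})
    c = Directory("C", "dc=c", {"usr1": Entry("uid=usr1,ou=people,dc=c", "pwd11")})
    return [a, b, c]


if __name__ == "__main__":
    dirs = build_thread_scenario()
    print(authenticate(dirs, "usr1", "pwd11"))   # Y ends up as the entry in A
    print(find_collisions(dirs))                 # usr1 is visible in A, B and C
```

Two points the model makes concrete. First, the policy server cannot tell X from Y by user id alone, so once `usr1` is visible in A the DN carried into authorization is A's, exactly the concern in post 5. Second, the only remediation the model admits is the one in the last reply: narrow each directory's search base (or otherwise scope the stores) until `find_collisions` returns nothing, after which the same login resolves to B. Running that check against the directories of every policy domain is a cheap way to catch the misconfiguration before users hit it.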