CA Service Management


Unified Self Service (USS) Authentication via EEM with multiple LDAP Directories as User Stores

  • 1.  Unified Self Service (USS) Authentication via EEM with multiple LDAP Directories as User Stores

    Posted 03-19-2015 05:41 AM

    Hi community,

     

    I'm trying to set up the USS in our 14.1 AA configuration with CA Service Catalog and SDM. I managed to get the USS running with EEM authentication. In our EEM we have multiple LDAPs defined as User Stores. One LDAP has the default Attribute Mapping "Microsoft Active Directory", which uses the sAMAccountName for "User name". Another LDAP has a customized mapping where the userPrincipalName is used for the "User Name".

     

    Domain1:

    - sAMAccountName

    - User Name in EEM (example): Name1

     

    Domain2:

    - userPrincipalName

    - User Name in EEM (example): Name2@domain2.com

     

    The problem is that I'm only able to log in to USS with users of Domain1, with "Name1" as username in the USS login screen. If I enter "Name2@domain2.com" as username I get a "UserScreenNameException" error message. Authentication is set to "By Screen Name" in USS. I also set the "bypass.liferay.screenname.validation=true" value in the portal-ext.properties.

     

    The question is why the userPrincipalName cannot be used, and what happens if I have two different domains with sAMAccountName mapping in EEM and there is a user John.Doe in each domain?

    I hope the problem is explained properly and someone has the crucial information for me.

     

    Feel free to ask for more information!

     

    NOTE: I don't know how important this is at this point, but the users of the different domains in EEM are also in the MDB in different tenants:

    - Domain1 = Tenant1, userid in MDB like "domain1\Name1"

    - Domain2 = Tenant2, userid in MDB like "Name2@domain2.com"

     

    Thanks!

    Alex



  • 2.  Re: Unified Self Service (USS) Authentication via EEM with multiple LDAP Directories as User Stores

    Broadcom Employee
    Posted 03-19-2015 08:21 AM

    Hi Alex,

     

    Is there a possibility that Domain1-based users can also be authenticated by their userPrincipalName? Note: This might have a wider impact if you're considering Catalog/SDM, which already have data in the MDB for those users.

     

    If not, please do open a Support Case for this. Our Engineering started coding some changes to USS so that users with "@" in the username can be authenticated properly. USS as it stands today doesn't allow @ in a screen name. So, I believe the above code fix would help here.

     

    _R



  • 3.  Re: Unified Self Service (USS) Authentication via EEM with multiple LDAP Directories as User Stores

    Broadcom Employee
    Posted 03-19-2015 08:30 AM

    Hi Alex,

     

    userPrincipalName can be used as the username in USS.

    Based on your description, I understand you are getting UserScreenNameException because the @ symbol is not an allowed character for the screen name (username) in USS.


    However, I remember that recently the CA Sustenance Engineering team created a patch to resolve this issue.

    I would request you to contact CA Support; they can help you in getting this patch.


    Thanks & Regards

    P.Vallinayagam



  • 4.  Re: Unified Self Service (USS) Authentication via EEM with multiple LDAP Directories as User Stores

    Posted 03-19-2015 09:31 AM

    Hi,

     

    Thanks for the answers! I opened a case with Support and hopefully I get the patch.

     

    Does someone know something about the fact that I cannot pass the domain for the user, for example Domain\Username? How about the case that two users with the same username exist in two different domains? Is there a possibility to set a domain in the USS for EEM authentication? For example, to create a USS instance for Domain1 and another USS instance for Domain2?

     

    Best regards

    Alex



  • 5.  Re: Unified Self Service (USS) Authentication via EEM with multiple LDAP Directories as User Stores

    Broadcom Employee
    Posted 03-24-2015 05:13 AM

    Alex,

     

    Can you tell us what error message you are getting (in the logs) when you try to log in with the domain\username format?

     

    Regards

    P.Vallinayagam



  • 6.  Re: Unified Self Service (USS) Authentication via EEM with multiple LDAP Directories as User Stores

    Posted 03-25-2015 04:56 AM

    Hi,

     

    Here is some new information about the USS login:

     

    To allow special characters in the screenName, the option "bypass.liferay.screenname.validation=true" has to be set to "true" in the portal-ext.properties. Nevertheless, there is a limitation to a max. of 12 characters! This could be the problem with the "user.name@domain.com" version.

    The problem with passing Domain\Username as screenName is that EEM searches for the screenName as the "User Name". The User Name in EEM is only "Username" and not "Domain\Username".

    A possibility is to switch the USS login to email address. Therefore you have to switch the LDAP Attribute Mapping in EEM for the User Store to Email:

     

    User Authentication Filter: (&(objectClass=user)(!(objectClass=computer))(mail={UserName}))

     

    So we first have to have a look at our architecture and the integration of all products together, because we cannot switch the authentication for all products to email address at this point.

     

    Nevertheless, there is one important question: How can I manage which user is allowed to log in? -> For example, to create a USS instance for Domain1 and another USS instance for Domain2?

     

    Best regards,

    Alex



  • 7.  Re: Unified Self Service (USS) Authentication via EEM with multiple LDAP Directories as User Stores

    Posted 04-07-2015 01:43 PM

    Would it not be possible to use both attributes in EEM?
    In the authentication filter, use userPrincipalName and sAMAccountType.
    I have a similar problem at my company.



  • 8.  Re: Unified Self Service (USS) Authentication via EEM with multiple LDAP Directories as User Stores

    Posted 04-08-2015 02:12 AM

    Hi Marcos,

     

    I tried to set both, but it's not possible. You cannot set both because the {UserName} in the User Authentication Filter (&(objectClass=user)(!(objectClass=computer))(mail={UserName})) is a fixed value from EEM. I tried something like

     

    (&(objectClass=user)(!(objectClass=computer))(|(sAMAccountName={UserName})(mail={UserName}))  but the underlined {UserName} value does not work. If someone has a better syntax where {UserName} is needed only once in the string, maybe it could work!?

     

    It is also not possible to add the same domain twice with two different LDAP Attribute Mappings.

     

    Greetings

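The constraints discussed in posts 6 and 8 (the 12-character screen-name limit, the rejected "@", the Domain\Username mismatch against EEM's "User Name", and the {UserName} placeholder in the User Authentication Filter) can be checked offline with the helper below. It is an added example, not code from CA, Liferay or anyone in this thread; the constants, the `parse_login`, `check_screen_name`, `ldap_escape`, `render_filter` and `diagnose` names, and the assumption that every `{UserName}` occurrence is substituted (post 8 reports EEM itself only honours one) are all constructed for illustration. The escaping step is the one a defender wants whenever a login name is spliced into an LDAP filter: RFC 4515 escaping keeps the value a literal match instead of letting it change the filter's structure.

```python
"""Constructed helpers (not CA/Liferay code) for reasoning about the USS/EEM
login behaviour described in this thread: Liferay screen-name constraints
(posts 3 and 6), the three login-name forms that appear (posts 1, 4 and 6)
and EEM-style {UserName} filter templates (posts 6 and 8)."""
from __future__ import annotations

# Constraints as reported in the thread; constructed constants, not Liferay's own.
SCREEN_NAME_MAX_LEN = 12        # "limitation to max. 12 characters" (post 6)
SCREEN_NAME_FORBIDDEN = "@"     # "@ symbol is not allowed" (post 3)

# Filter templates quoted in posts 6 and 8; {UserName} is EEM's placeholder.
# The closing parenthesis missing from the post 8 template is added here.
MAIL_FILTER = "(&(objectClass=user)(!(objectClass=computer))(mail={UserName}))"
OR_FILTER = ("(&(objectClass=user)(!(objectClass=computer))"
             "(|(sAMAccountName={UserName})(mail={UserName})))")

# RFC 4515 escapes for a value placed inside a filter. Backslash goes first so
# the escape sequences we emit are not themselves re-escaped.
_ESCAPES = [("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")]


def ldap_escape(value: str) -> str:
    """Escape a login name so it is matched literally inside an LDAP filter."""
    for raw, esc in _ESCAPES:
        value = value.replace(raw, esc)
    return value


def render_filter(template: str, username: str) -> str:
    """Substitute every {UserName} occurrence with the escaped login name.
    Assumption: EEM honours only one occurrence (post 8); this shows what a
    filter with several occurrences would look like if it did."""
    return template.replace("{UserName}", ldap_escape(username))


def parse_login(login: str) -> tuple[str, str | None, str]:
    """Classify a login: ('down_level', domain, user) for DOMAIN\\user,
    ('upn', domain, user) for user@domain, ('sam', None, user) otherwise."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return ("down_level", domain, user)
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        return ("upn", domain, user)
    return ("sam", None, login)


def check_screen_name(login: str, bypass_validation: bool = False) -> list[str]:
    """Reasons Liferay/USS would reject this screen name, as the thread reports.
    bypass_validation mirrors bypass.liferay.screenname.validation in
    portal-ext.properties; the length limit applies regardless (post 6)."""
    problems: list[str] = []
    if not bypass_validation:
        bad = sorted({c for c in login if c in SCREEN_NAME_FORBIDDEN})
        if bad:
            problems.append("forbidden character(s): " + "".join(bad))
    if len(login) > SCREEN_NAME_MAX_LEN:
        problems.append(f"exceeds {SCREEN_NAME_MAX_LEN} characters ({len(login)})")
    return problems


def diagnose(login: str, bypass_validation: bool = False) -> dict:
    """Combine the screen-name checks with the EEM lookup problem from post 6:
    USS searches EEM for the whole screen name, so DOMAIN\\user never matches
    an EEM User Name that is just 'user'."""
    form, domain, user = parse_login(login)
    problems = check_screen_name(login, bypass_validation)
    if form == "down_level":
        problems.append(f"EEM User Name is '{user}', but USS searches for '{login}'")
    return {"form": form, "domain": domain, "user": user, "problems": problems}


if __name__ == "__main__":
    # Constructed sample logins taken from the forms used in the thread.
    for name in ("Name1", "Name2@domain2.com", "domain1\\Name1"):
        print(name, diagnose(name, bypass_validation=True))
    # A name containing filter metacharacters stays a literal match once escaped.
    print(render_filter(MAIL_FILTER, "*)(objectClass=*"))
```

Running the module prints why "Name1" passes, why "Name2@domain2.com" still fails on length even with the bypass property set, and why "domain1\Name1" cannot be found in EEM; the last line shows that a login name containing `*`, `(` or `)` is rendered as escaped bytes rather than as new filter terms.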


  • 9.  Re: Unified Self Service (USS) Authentication via EEM with multiple LDAP Directories as User Stores

    Posted 04-08-2015 09:58 AM

    Hi A.Toeller,

    Thanks for the information, but I did get a positive result keeping the userPrincipalName attribute for the "Username" and the "Pre user filter" with the sAMAccountName.

    Today we have customers using <account@domain> and only the <account>.



  • 10.  Re: Unified Self Service (USS) Authentication via EEM with multiple LDAP Directories as User Stores

    Posted 04-09-2015 02:17 AM

    Hi Marcos,

     

    I am not sure if I understand your configuration correctly. Could you explain your config with screenshots?

     

    Thanks!

    Alex



  • 11.  Re: Unified Self Service (USS) Authentication via EEM with multiple LDAP Directories as User Stores

    Posted 04-15-2015 12:52 PM

    A.Toellner wrote:

     

    Hi Marcos,

     

    I am not sure if I understand your configuration correctly. Could you explain your config with screenshots?

     

    Thanks!

    Alex

    Hello, here are the pictures.

     

    In AD we set the "Name" attribute equal to "Account"; with that it was possible to obtain positive results for both logon options in SDM.

    In CA EEM, we made the following changes to the attributes:

     

    • User name: sAMAccountName changed to userPrincipalName
    • Name: givenName changed to sAMAccountName

     

    In Pre user filter:

     

    • Before it was: (&(objectClass=user)(!(objectClass=computer))(userPrincipalName=
    • It has changed to: (&(objectClass=user)(!(objectClass=computer))(sAMAccountName=

     

    I hope it helps.

     

    CAEEM_1.png

    CAEEM_2.png