DX NetOps

  • 1.  Spectrum 10.4.1 and EEM

    Posted Nov 22, 2020 12:48 PM
    We currently have a Spectrum setup which we would like to integrate with EEM (in a multi-domain setup).

    Questions:
    1. Once we set up Spectrum authentication to be handled by EEM, will we continue to log in to OneClick with the local Super Users?
    2. In case of rollback (disabling EEM integration) what will happen to the current local users? Will their passwords be preserved?

    Any help would be appreciated.

    José Carlos


  • 2.  RE: Spectrum 10.4.1 and EEM

    Posted Nov 23, 2020 02:33 AM
    I stopped using EEM to provide authentication for Spectrum, as you'll not be able to log in to Spectrum if EEM fails. The fallback mechanism for authentication on OneClick allows login using the Spectrum stored password if the LDAP is not available.

    I am using EEM, but just as a proxy to the LDAP domains to be queried. There's a procedure for enabling LDAP on the underlying CA Directory in EEM. Basically you're querying the LDAP on CA Directory that points to the rest of the LDAP domains. In case of any LDAP failure, at least the SuperUsers will be able to log in to the system.

    I was not able to find the legacy technical document, but I was able to find a local copy that I had. This is the content of the document. It relates to CA Service Desk, but it applies to any tool that uses CA EEM.
    ---
    Document ID:    TEC468463
    Tech Document
    Title:  If we do not have an LDAP server in our environment, like Active Directory, may we use EEM (eIAM) as the LDAP server for Service Desk? We would like to use it for both authentication and to share contact data with Service Desk.

    Description:

    This solution offers a method to use eIAM as the LDAP server for Service Desk.

    Solution:

    Service Desk can use EEM(eIAM) for authentication by running Service Desk Configuration and selecting the checkbox for "Use EIAM Authentication".

    For syncing contact data using the Service Desk - LDAP integration configured in Service Desk Options Manager, EEM may be used if it is using its own internal store.
    More information on the LDAP Integration options is available in the online Help documentation, including integrating Service Desk with EEM.
    The following lists a sample of how the options should be configured; this may differ in your environment based on your configuration:

    Prior to configuring Service Desk, you must modify the following file:
    CA\eTrust Directory\dxserver\config\knowledge\iTechPoz-<hostname>-Router.dxc
    Change:
    address = tcp localhost port 1684
    To:
    address = tcp localhost port 1684, tcp "<hostname>" port 1684
    Where <hostname> is the host name of the eIAM server.
    Recycle the following Windows Services or Unix Daemons:
    eTrust Directory - iTechPoz-<hostname>
    eTrust Directory - iTechPoz-<hostname>-Router
    eTrust Directory SSL daemon - iTechPoz-Server
    iTechnology iGateway 4.2

    Note: EEM is configured "out of box" to allow for Anonymous connections for ldap queries, so do not install the "ldap_dn" and "ldap_pwd" options.
    "ldap_host" = <your EEM server hostname or IP address>
    "ldap_enable" = <optional - see help on this option for more details>
    "ldap_port" = 1684
    "ldap_search_base" = cn=Users,cn=Entities,cn=iTechPoz
    "ldap_service_type" = eIAM
    "ldap_user_object_class" = "pozObject"

    Other LDAP options are not used.
    To test that the integration will work prior to recycling Service Desk, run "ldap_test -a *".
    It should return output like the following:

    ldap_test -a *
    Starting ldap_test...
    LDAP service type=eiam
    Service Desk platform=windows
    Using search base=cn=Users,cn=Entities,cn=iTechPoz
    Using filter=(objectClass=pozObject)
    ldap_init(141.202.148.131,1684): (Success)
    ldap_bind_s() (Success)
    LDAP API Verion 3
    ANSI Code Page 1252

    4 LDAP records found...

    DN: cn=Administrator,cn=Users,cn=Entities,cn=iTechPoz
    objectClass(9)(0): pozObject
    userPassword(33)(0): {SHA}tTd/ny3WDbB41i6XUiWPpc8Nvls=
    cn(13)(0): Administrator
    pozClass(5)(0): O_E_U
    pozId(37)(0): 857643be-walsh04wiki47bc847d-895b28-e
    pozGeneration(1)(0): 1
    pozLocation(24)(0): /iTechPoz/Entities/Users
    pozLabel(8)(0): PozAdmin
    pzPasswordChangeDate(10)(0): 1203537094
    pzSuspended(5)(0): false
    pzOverridePasswordPolicy(5)(0): false
    pzChangePasswordNextLogin(5)(0): false
    pzIncorrectLoginCount(1)(0): 0
    pzUserName(13)(0): Administrator
    pzDisableDate(1)(0): 0
    pzPasswordTimeToWarn(5)(0): false
    pzPasswordExpireTime(1)(0): 0
    pzPasswordDigest(32)(0): 70039654eihrbwJwHBi/02d+Uztbww==
    pzEnableDate(1)(0): 0
    pzSuspendedDate(1)(0): 0
    pzLastName(13)(0): Administrator

    If ldap_test is successful, recycle the Service Desk Daemon Server service in Windows or Daemon in Unix.

    Functionality achieved:

    1. Users will authenticate through EEM; an external LDAP Directory server like Active Directory or Sun One is no longer required.

    2. If a contact exists in EEM, but not in Service Desk, when logging in to Service Desk, their contact record will be created automatically ("ldap_enable_auto" option).

    3. Contacts may be updated with details from EEM by running "ldap_sync".

    4. When editing a contact in Service Desk, it is now possible to use the "Merge Ldap" button to update the individual contact with data from EEM.
    ----
    To answer your questions:
    a) No. If the EEM is not available, nobody is able to log in.
    b) All local users have their own password set up when you create the users. That is the local password.

    ------------------------------
    Senior Consultant
    SolvIT Networks
    ------------------------------
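The reply above reproduces the output of the Service Desk `ldap_test` utility, and that output shows something worth checking before you open EEM's CA Directory store to the network: the tech document says EEM allows anonymous LDAP queries "out of box", and the anonymous search it runs (base `cn=Users,cn=Entities,cn=iTechPoz`, filter `(objectClass=pozObject)`) returns the `userPassword` and `pzPasswordDigest` attributes of every user. The `{SHA}` scheme in that output is an unsalted RFC 2307 SHA-1 hash, so anything that can reach port 1684 can pull the hashes and guess passwords offline. The script below is an added example (not from the thread, and not CA/Broadcom code): it parses `ldap_test`-style output into records, lists which entries leaked a password-bearing attribute, and verifies a candidate password against a `{SHA}`/`{SSHA}` value so you can see how cheap that offline check is. The sample output, the `svc_spectrum` account, the password "Password1" and the salt are all constructed here; the attribute names and the `name(len)(index): value` layout follow the page.

```python
"""Added example (not from the thread or from CA/Broadcom): parse the Service Desk
ldap_test output format shown on the page and flag which password-bearing attributes
an anonymous LDAP bind to EEM's CA Directory store hands back.  The sample output
is constructed to mirror the page's layout; its hashes are generated below."""
from __future__ import annotations

import base64
import hashlib
import hmac
import re

# Attributes an anonymous reader should never receive.  The ldap_test output on the
# page returns both, because EEM permits anonymous queries out of the box.
SENSITIVE_ATTRS = ("userPassword", "pzPasswordDigest")

# ldap_test prints attributes as  name(length)(index): value
_ATTR_RE = re.compile(r"^(\w+)\((\d+)\)\((\d+)\):\s?(.*)$")


def make_rfc2307_sha(password: str, salt: bytes | None = None) -> str:
    """Build an RFC 2307 style {SHA} (unsalted) or {SSHA} (salted) userPassword value."""
    if salt is None:
        return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_rfc2307_sha(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} value.
    Unsalted {SHA} costs one SHA-1 per guess, so a hash read anonymously over LDAP
    can be attacked offline with a wordlist."""
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(raw, hashlib.sha1(candidate.encode()).digest())
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())
    raise ValueError("unsupported password scheme: " + stored[:8])


def parse_ldap_test(output: str) -> list[dict]:
    """Turn the 'DN: ...' blocks of ldap_test output into records.
    Multi-valued attributes repeat the name with another index, so values are lists."""
    records: list[dict] = []
    current: dict | None = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("DN: "):
            current = {"dn": line[4:], "attrs": {}}
            records.append(current)
            continue
        m = _ATTR_RE.match(line)
        if m and current is not None:
            name, _length, _index, value = m.groups()
            current["attrs"].setdefault(name, []).append(value)
    return records


def find_exposed_secrets(records: list[dict]) -> list[tuple[str, str]]:
    """(dn, attribute) pairs where a password-bearing attribute came back in the search."""
    return [(r["dn"], a) for r in records for a in SENSITIVE_ATTRS if a in r["attrs"]]


# Constructed sample in the page's ldap_test format.  "Password1", the svc_spectrum
# account and the salt are made up here so the checks below can run; not from the page.
_DEMO_SALT = b"\x01\x02\x03\x04"
SAMPLE_OUTPUT = f"""Starting ldap_test...
LDAP service type=eiam
Using search base=cn=Users,cn=Entities,cn=iTechPoz
Using filter=(objectClass=pozObject)
ldap_bind_s() (Success)

2 LDAP records found...

DN: cn=Administrator,cn=Users,cn=Entities,cn=iTechPoz
objectClass(9)(0): pozObject
userPassword(33)(0): {make_rfc2307_sha("Password1")}
cn(13)(0): Administrator
pzUserName(13)(0): Administrator
pzSuspended(5)(0): false

DN: cn=svc_spectrum,cn=Users,cn=Entities,cn=iTechPoz
objectClass(9)(0): pozObject
userPassword(38)(0): {make_rfc2307_sha("Password1", _DEMO_SALT)}
cn(12)(0): svc_spectrum
pzSuspended(5)(0): false
"""


def audit(output: str = SAMPLE_OUTPUT) -> dict:
    """Summarise what an anonymous search leaked: record count and exposed attributes."""
    records = parse_ldap_test(output)
    return {"records": len(records), "exposed": find_exposed_secrets(records)}


if __name__ == "__main__":
    result = audit()
    print(f"{result['records']} records; password attributes readable anonymously:")
    for dn, attr in result["exposed"]:
        print(f"  {dn}: {attr}")
```

To run it against a real environment, capture the output of `ldap_test -a *` to a file and pass its contents to `audit()`. If any entry shows up in `exposed`, restrict anonymous read access to those attributes in the CA Directory access controls (or require an authenticated `ldap_dn`/`ldap_pwd` bind for the integration) before exposing port 1684 beyond localhost; the router change in the tech document does exactly that exposure.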