Idea Details

Spectrum LDAP Integration User Enhancement

Last activity 05-31-2019 02:25 AM
Justin_Kulikowski's profile image
02-19-2014 03:01 PM

Idea:

Implement a new attribute on the user-level to disable LDAP querying, thus that Spectrum would only ever use the local CA Spectrum password.

Scenario:

  • Spectrum 9.3.0 with LDAP configured
  • A User has been created for the sole purpose of scripts using Spectrum web-services
  • Allow NonLDAP User Login = Yes has been set on the User
  • The User's CA Spectrum password has been set
  • A script was written to execute web service calls

Issue:

Everytime a Spctrum web service call is made in the script, the pcap is showing a
query against the LDAP server.  This is slowing down the script, as the
Spectrum web services needs to wait for the LDAP server to respond (with no
user found).  Additionally, this is creating unecessary requests and load on
the LDAP server.

While a typical OneClick login might only create a few LDAP queries, a script will
very likely generate hundreds of LDAP queries.


Comments

01-16-2019 09:47 AM

We have the same issue / requirement in our environment.  We have numerous scripts which make Spectrum API calls and authenticate with a "non-person" Spectrum user account.  These API calls run slowly due Spctrum first trying to authenticate the user account via LDAP.

01-07-2019 10:12 AM

Hi Justin_Kulikowski,

 

are you still using Spectrum? ... just kidding, but please prepare the birthday candles for your idea (-;

 

Nagesh_Jaiswal: what else is needed besides plenty of votes and "some" time to discuss such idea within CA?

We could possible imagine, that implementing the requested feature does not take more time than writing all the above posts.

 

tec details:

- new attribute on models of type User, data type boolean, e.g.: useLDAP

- currently the authentication routine takes 2 variables into account:

    isLDAPConnectionConfigured (global)

    allowNonLDAPUserLogin (user level)

- an additional check within the authentication routine needs to take 1 more variable into account:

    useLDAP (user level)

 

regards,

Raphael

01-02-2019 06:06 AM

Not only that we don't see things getting realised, there is almost no feedback from CA. And this seems to be an issue with an straight forward fix.

12-19-2018 08:17 AM

This effects also CAPM - Spectrum Integration.

This idea is nearly 5 years old. CA, don't you think, it's time to do something?

Why should we post ideas while nearly nothing will be realized?

12-08-2018 06:18 AM

*10.3

12-06-2018 11:40 AM

This still has not been implemented as of Spectrum v10.2.3 ; I would love to have the option for a "script" account that is used for restful API calls to NOT have to authenticate with LDAP and fail, then check the local account/password.  Why waste the time and resources with LDAP when it's known they are going to fail 100% of the time?

01-15-2016 04:06 AM

We actually get too many unsucessful logins Alarms from LDAP for such an user (script user which dos not exist in LDAP, but in Spectrum)...

12-20-2015 04:46 AM

A solid idea   I would also venture to add this attribute to user groups. If I recall they have a fallback for LDAP to use local authentication, but they can't be excluded from LDAP queries.

12-08-2015 09:06 AM

NAGESH JAISWAL wrote:

 

May be we can add a flag to enable/disable the check.

 

Yes, that's what this Idea Submission is all about.  Adding a new flag/attribute on the user-level to control querying LDAP, in the event you want a specific User account to still be a "local account".

 

As an example, Performance Center handles this by having a user-level field called "Authentication Type", where the possible values are "External" (LDAP) or "Performance Center" (Local).

12-08-2015 12:42 AM

Hello Justin_Kulikowski,

 

I understand the idea you posted. If we stop the check going to LDAP for verification then it break the current integration. Let me go back and review this with team. May be we can add a flag to enable/disable the check.

 

Thanks,

Nagesh

12-07-2015 04:12 PM

Great idea!!

We use the Rest-APIs a lot and get many error messages

 

I would like to get your Enhancement!

12-07-2015 01:44 PM

I don't know that you understood this Idea Submission, or perhaps I just didn't understand your response.

12-07-2015 05:21 AM

Hello Justin_Kulikowski,

 

Thanks for posting idea for CA Spectrum.

 

We allow to create a user which can use Spectrum credentials in case of LDAP is down or not available. This is the core feature of this integration. Allowing dual logins will defeat such integration purpose.

 

Thanks,

Nagesh