OnDemand User Group

Support Forums => MP Server => Topic started by: wan_smit on July 15, 2019, 12:42:33 AM

Title: How to force disable local authentication when connect to LDAP
Post by: wan_smit on July 15, 2019, 12:42:33 AM
Hi, we plan to upgrade from CMOD MP 9.5 to 10.1. But there is a requirement about LDAP as below.

When we connect CMOD with AD, we need to create the same user name in CMOD and set a local password. We found that if the user name does not exist in AD, CMOD goes back to doing local authentication. The customer would like to force-disable local authentication if the user does not exist in AD. Not sure whether there is a way to do this?

Title: Re: How to force disable local authentication when connect to LDAP
Post by: Justin Derrick on July 15, 2019, 06:15:20 AM
I think the reason this doesn't exist is because if the AD/LDAP server is down, then NOBODY can log in to CMOD -- not even administrators.  And that could cause all kinds of crazy failures - like failed loads, etc.

-JD.
Title: Re: How to force disable local authentication when connect to LDAP
Post by: rjrussel on July 15, 2019, 09:28:26 AM
Yes, you can. Set ARS_LDAP_OD_AUTHORITY_FALLBACK=FALSE in your CMOD config. The only user exempt is the CMOD admin ID.

If a user is not found in LDAP then authentication will fail.

Thanks,

RR
Title: Re: How to force disable local authentication when connect to LDAP
Post by: Justin Derrick on July 15, 2019, 12:27:30 PM
Ah!  I'm happy to be corrected and learn about a previously unknown feature...  :) 

-JD.
Title: Re: How to force disable local authentication when connect to LDAP
Post by: rjrussel on July 15, 2019, 01:27:38 PM
Here is a link that talks about many of the scenarios one might encounter when using LDAP for authentication.

http://www-01.ibm.com/support/docview.wss?uid=swg21597246

-Rob