Author Topic: Changing AD UPN value - Will this break CMOD 9.5 Users Authenticating to AD?

tjspencer2

We are using CMOD 9.5 MP on AIX and are planning on updating our Active Directory UPN values as part of another initiative.

In AD, as I appreciate it, there are the following userid attributes:

userPrincipalName (UPN): current value = TESTUSER@DOMAINCONTROLLER.pri, new value = TESTUSER@emaildomain.com
sAMAccountName: current value = TESTUSER, no change

We're effectively changing the userPrincipalName from a network domain to an email address.

Does anyone know if CMOD uses UPN values to authenticate users or the sAMAccountName to authenticate users?

Thanks.

Justin Derrick

I suspect you'll need to change ARS_LDAP_BIND_ATTRIBUTE or ARS_LDAP_MAPPED_ATTRIBUTE from sAMAccountName to userPrincipalName...

Rob is the CMOD LDAP expert, hopefully he'll have some words of wisdom to share.

-JD.
IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR

tjspencer2

Derrick / Rob -

Here is my edited ars.cfg file, with the LDAP section shown below.

From what I see, there is no reference to the UPN; only sAMAccountName is used to connect to LDAP.

Wouldn't this make you think that any change to the UPN value would NOT affect us and is only ancillary to our use of LDAP?

###########################################
# LDAP Parameters (Library Server Only)   #
###########################################
ARS_LDAP_SERVER=ldapservername
ARS_LDAP_PORT=389
ARS_LDAP_BASE_DN=OU=ouname,DC=dcname,DC=pri
ARS_LDAP_BIND_DN=CN=binduser,OU=Generic,OU=Users,OU=ouname,DC=dcname,DC=pri
ARS_LDAP_BIND_DN_PWD=binduserpassword
ARS_LDAP_BIND_ATTRIBUTE=sAMAccountName
ARS_LDAP_MAPPED_ATTRIBUTE=sAMAccountName
ARS_LDAP_ALLOW_ANONYMOUS=FALSE

Justin Derrick

Maybe I misunderstood... Are you looking to use the UPN values for authentication in CMOD, or are they being changed (for some other reason) and you want to know if it might cause problems with Content Manager OnDemand's LDAP config?

-JD.

tjspencer2

Sorry Justin - I probably didn't state the change, and why it was being made, clearly enough. UPN values are being changed in the organization, and I want to know whether this might cause problems with my current CMOD LDAP config.

In looking at my ars.cfg file (attached earlier), I'm not seeing that I'm reliant on the UPN value; I am instead using sAMAccountName to bind to LDAP/AD.

I'm just trying to make sure I'm not missing anything.

Thanks.

rjrussel

Sorry for the delay. Based on your config, you authenticate to AD using the sAMAccountName and also return the mapped attribute. Since these values are unaffected by your upcoming change, you are good there.

The other concerns are:

1. The ARS_LDAP_BIND_DN: currently you show a pseudo example of CN=binduser,OU=Generic,OU=Users,OU=ouname,DC=dcname,DC=pri

I wonder if this is going to change to

CN=binduser,OU=Generic,OU=Users,OU=ouname,DC=emaildomain,DC=com

2. As in the previous comment, you show an ARS_LDAP_BASE_DN of ouname,DC=dcname,DC=pri. I wonder if this will also change to something like
ouname,DC=emaildomain,DC=com

You should check with your AD admin as these changes would in fact break authentication.

Lastly, you probably already know this, CMOD 9.5 is officially out of support. Hopefully you either have extended support or plan on upgrading real soon.

Thanks,
Rob
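An added example, not from this thread or from CMOD itself: a small Python pre-change check that parses the LDAP section of ars.cfg and reports the two things discussed above, whether either attribute setting names userPrincipalName, and whether the DC components of the base/bind DNs differ from the new UPN suffix. The function names and the sample config values are constructed for the example.

```python
# Added example (not from the thread or CMOD): pre-change check of ars.cfg's LDAP section.
# Constructed sample mirroring the section posted above; all values are placeholders.
SAMPLE_ARS_CFG = """\
# LDAP Parameters (Library Server Only)
ARS_LDAP_SERVER=ldapservername
ARS_LDAP_PORT=389
ARS_LDAP_BASE_DN=OU=ouname,DC=dcname,DC=pri
ARS_LDAP_BIND_DN=CN=binduser,OU=Generic,OU=Users,OU=ouname,DC=dcname,DC=pri
ARS_LDAP_BIND_DN_PWD=binduserpassword
ARS_LDAP_BIND_ATTRIBUTE=sAMAccountName
ARS_LDAP_MAPPED_ATTRIBUTE=sAMAccountName
ARS_LDAP_ALLOW_ANONYMOUS=FALSE
"""

def parse_ars_cfg(text):
    """Return {KEY: value} for KEY=value lines, skipping comments and blanks."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # DN values contain '=' themselves
        cfg[key.strip()] = value.strip()
    return cfg

def dn_domain(dn):
    """Join the DC= components of a DN into a DNS-style name, lower-cased."""
    parts = [p.strip() for p in dn.split(",")]
    dcs = [p.split("=", 1)[1] for p in parts if p.upper().startswith("DC=")]
    return ".".join(dcs).lower()

def upn_change_impact(cfg, new_upn_suffix):
    """Findings for a UPN-suffix change: attribute settings that use the UPN,
    and DNs whose DC components differ from the new suffix (Rob's two concerns).
    """
    findings = []
    for key in ("ARS_LDAP_BIND_ATTRIBUTE", "ARS_LDAP_MAPPED_ATTRIBUTE"):
        if cfg.get(key, "").lower() == "userprincipalname":
            findings.append(f"{key}=userPrincipalName: logins change with the UPN")
    for key in ("ARS_LDAP_BASE_DN", "ARS_LDAP_BIND_DN"):
        dom = dn_domain(cfg.get(key, ""))
        if dom and dom != new_upn_suffix.lower():
            findings.append(f"{key} sits under DC domain {dom!r}, not "
                            f"{new_upn_suffix!r}: confirm the DN is not changing")
    return findings
```

With the posted config and a new suffix of emaildomain.com, the attribute checks are clean and only the two DN findings come back, which is exactly the follow-up to take to the AD admin.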