IBM Verify

  • 1.  Can Webseal search a specific DN in LDAP

    Posted Wed March 24, 2021 10:58 AM
    We are running ISAM 9.0.7.1 and we are running into an issue where a UID exists in two different locations in LDAP, causing the authentication to fail.  The webseal is authenticating the user in our scenario since we are using OAuth.  We had experienced this issue a couple of years ago with another set of projects where pkmslogin.forms was failing with the same duplicate IDs, and we resolved the issue by setting ACL permissions in SDS to allow the webseal's bind credentials access to the particular OU in the LDAP tree.

    It would be great if, rather than changing ACLs in LDAP, we could configure the DN to search/authenticate for the ID in webseal.conf rather than searching the entire suffix as configured in ldap.conf.  We use ISAM for many different tenants, so we can't change ldap.conf or we break many websites.  Does anyone know if this particular configuration exists in 9.0.7.1?

    Thanks

    ------------------------------
    Troy Burkle
    ------------------------------


  • 2.  RE: Can Webseal search a specific DN in LDAP

    Posted Wed March 24, 2021 04:41 PM
    Troy,
    I could be wrong, but unfortunately I don't believe that there is any way that you can configure the DN to be searched during authentication. You might be able to do something by customising the search filter ([ldap] user-search-filter).

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

  • 3.  RE: Can Webseal search a specific DN in LDAP

    Posted Wed March 24, 2021 10:00 PM
    Thanks Scott.

    This would be a very handy configuration to have.  We use LDAP in a large financial corporation with many business units storing users in LDAP.  Each business unit is set up at the moment with its own OU for its user repository.  It would be very nice to be able to allow the webseal to focus its user search on a particular subtree (DN) in LDAP.


    ------------------------------
    Troy Burkle
    ------------------------------



  • 4.  RE: Can Webseal search a specific DN in LDAP

    Posted Thu March 25, 2021 09:36 AM
    We have configured federated directories & specified one OU for users and another for groups. 

    I believe you may be able to use the ignore-suffix attribute in ldap.conf as well.

    Regards,

    ------------------------------
    sudhir kapu
    ------------------------------



  • 5.  RE: Can Webseal search a specific DN in LDAP

    Posted Thu March 25, 2021 06:45 PM
    What I would do is look at the functions available in the JavaScript library. ISVA does not allow you to install your own libraries.
    In the libraries, you can try to bind to an LDAP server, do LDAP searches, and retrieve whatever you want. But this requires quite a lot of coding. You could also invoke a remote REST API that will do the same, and only return what you need.

    This would provide you the ability to do anything you want.

    There is also the possibility of using EAI for this.

    I never did call LDAP from the JavaScript to create a workaround, but I guess it would work fine, as long as the libraries allow you to do this.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------