IBM Security Verify

  • 1.  ISAM - Federated Active Directory

    Posted Tue November 24, 2020 08:16 AM

    Hi,

    Are there any logs that are related to Federated User Registry?

    Even though basic-user-support is set to yes, I cannot see AD users from Policy Administration.
    Also, once I set basic-user-support to yes, Policy Administration does not show the ISAM LDAP users either.



    ------------------------------
    Prashant Narkhede
    ------------------------------


  • 2.  RE: ISAM - Federated Active Directory

    Posted Tue November 24, 2020 09:02 AM
    Hi Prashant,

    One quick suggestion based on the symptoms you describe:

    Have you updated the basic-user-principal-attribute?

    If you did, make sure you did NOT change this setting in the main part of the configuration.  That needs to stay as uid.
    To change the attribute used for user lookup in a federated directory, you need to add a new basic-user-principal-attribute setting under the stanza for the federated directory.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
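    An added check for the advice in this reply (example code written for this page, not from the thread or from IBM): it parses an ldap.conf and reports if basic-user-principal-attribute was changed away from uid in the main [ldap] stanza rather than overridden in the federated directory stanza. The sample file is constructed, and the stanza name [federated-directory:ad] is an assumption about how ISAM names that stanza.

```python
"""Lint an ISAM ldap.conf for the basic-user settings discussed in the thread."""
import configparser
import io

# Constructed sample ldap.conf, not taken from the thread. The stanza name
# "federated-directory:ad" is an assumption; ISAM's real naming may differ.
SAMPLE_LDAP_CONF = """\
[ldap]
enabled = yes
basic-user-support = yes
basic-user-principal-attribute = uid

[federated-directory:ad]
ldap-host = ad.example.internal
basic-user-principal-attribute = sAMAccountName
"""


def parse_conf(text):
    """Parse ISAM's INI-style conf text; duplicate keys are tolerated."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as written
    cp.read_file(io.StringIO(text))
    return cp


def check_basic_user_settings(text):
    """Return a list of findings; an empty list means the advice is followed."""
    cp = parse_conf(text)
    if not cp.has_section("ldap"):
        return ["missing [ldap] stanza"]
    findings = []
    ldap = cp["ldap"]
    if ldap.get("basic-user-support", "no").strip().lower() != "yes":
        findings.append("[ldap] basic-user-support is not yes; federated users are not visible")
    main_attr = ldap.get("basic-user-principal-attribute", "uid").strip()
    if main_attr.lower() != "uid":
        findings.append(f"[ldap] basic-user-principal-attribute is {main_attr!r}; it must stay uid")
    # Per-directory overrides are the supported place for a different attribute.
    overrides = {s: cp[s]["basic-user-principal-attribute"].strip()
                 for s in cp.sections() if s != "ldap"
                 and cp.has_option(s, "basic-user-principal-attribute")}
    if ldap.get("basic-user-support", "no").strip().lower() == "yes" and not overrides:
        findings.append("no federated directory stanza overrides basic-user-principal-attribute")
    return findings


if __name__ == "__main__":
    print(check_basic_user_settings(SAMPLE_LDAP_CONF) or "ldap.conf follows the advice")
```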



  • 3.  RE: ISAM - Federated Active Directory

    Posted Thu November 26, 2020 11:00 AM
    Hi Jon,

    Thank you for your inputs.

    Yes, I have updated the basic-user-principal-attribute under Federated Directory Stanza with sAmAccountName, and the basic-user-principal-attribute which is part of the main configuration is still set to uid.

    I have one basic question about the appliances.
    There are two appliances as part of our ISAM setup. One acts as the Policy Server and the other acts as the WebSEAL server.
    The WebSEAL server is configured with a remote policy server.

    How should the federated registry be configured here? On both appliances?
    Also, do I need to configure a cluster between these two appliances? My understanding is that a cluster should be set up between two policy server appliances and not between the policy server and the WebSEAL server.

    ------------------------------
    Prashant Narkhede
    ------------------------------



  • 4.  RE: ISAM - Federated Active Directory

    Posted Thu November 26, 2020 11:15 AM
    Prashant,

    If your Reverse Proxy appliance is not in the cluster then you must perform the federation configuration on this appliance.

    If your Reverse Proxy appliance is part of the cluster then I think the base configuration files (including ldap.conf) will be replicated by the cluster.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------