IBM Security Verify

  • 1.  login attribute for ISAM LDAP runtime

    Posted Wed March 13, 2019 06:29 AM
    Hello community

    ISAM 906 is using an Active Directory as a federated directory for internal users to authenticate; the email attribute is set as the login attribute in ldap.conf: basic-user-principal-attribute = mail. All good so far, internal users can log in using their email.

    Now we want to allow external user registration using the internal ISAM LDAP (runtime component), but configuring the basic-user-principal-attribute to "mail" is not accepted; only "uid" will allow registered users to log in.

    Can I use a different attribute than "uid" to allow logging in (e.g. email address) using the internal LDAP, are additional settings to be configured (search-filter) to allow this?

    This is a demo / test environment ; ).

    Best
    bernhard



    ------------------------------
    Bernhard Hensler
    Software Engineer
    TIMETOACT GROUP
    Zurich
    +41443132028
    ------------------------------


  • 2.  RE: login attribute for ISAM LDAP runtime
    Best Answer

    Posted Wed March 13, 2019 07:11 AM
    Hi Bernhard,

    When you create a "full" user in ISAM, you specify their username as part of the create command.  This username is actually stored as the principalName on the secUser object created in cn=Users,secAuthority=Default and is (mostly) independent from the uid of the inetOrgPerson object.  So, if you want your SAM users to log in with e-mail address, create them using e-mail address as username.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
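Putting the answer above into practice, as an added example (a shell script written for this page, not from the thread, from IBM, or from ISAM itself): it emits the pdadmin commands that create a "full" user whose ISAM user name, and therefore principalName on the secUser object, is the e-mail address, while the inetOrgPerson keeps a conventional uid, and it shows an ldapsearch against the internal LDAP to confirm the stored principalName. This does not touch basic-user-principal-attribute at all; it relies purely on the principalName of a full user. The sec_master password, the suffix dc=example,dc=com, the appliance host isam.example.com and the internal-LDAP bind DN cn=root,secAuthority=Default are assumptions and must be replaced with local values.

```shell
#!/bin/sh
# Added example, not from the original thread: create ISAM "full" users whose
# ISAM user name (stored as principalName on the secUser object under
# cn=Users,secAuthority=Default) is the e-mail address, so they log in with it
# regardless of the uid on their inetOrgPerson object.
#
# Assumed placeholders (not from the thread): sec_master password, user suffix,
# the appliance's internal LDAP host and its bind DN.

SEC_MASTER_PW="${SEC_MASTER_PW:-Passw0rd}"
USER_SUFFIX="${USER_SUFFIX:-dc=example,dc=com}"
DRY_RUN="${DRY_RUN:-1}"     # 1 = only print the pdadmin commands; 0 = run them

# Refuse user names pdadmin would mis-parse (whitespace, quotes) or that are
# not shaped like an address: the value becomes the login name verbatim.
valid_email() {
    case "$1" in
        ''|*[[:space:]]*|*'"'*) return 1 ;;
        *@*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the pdadmin commands for one user.
# Arguments: email "Common Name" surname password
# The first argument of "user create" is the ISAM user name; that value, not
# the uid in the DN, is stored as principalName and is what the user types.
isam_user_commands() {
    email="$1"; cn="$2"; sn="$3"; pw="$4"
    valid_email "$email" || { echo "invalid e-mail: $email" >&2; return 1; }
    uid="${email%%@*}"                 # local part becomes the inetOrgPerson uid
    dn="uid=${uid},${USER_SUFFIX}"
    printf 'user create %s "%s" "%s" %s %s\n' "$email" "$dn" "$cn" "$sn" "$pw"
    printf 'user modify %s account-valid yes\n' "$email"   # new users start invalid
    printf 'user show %s\n' "$email"
}

# Send the commands on stdin to pdadmin as a command file, or just print them.
apply_commands() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "# dry run; commands that would be passed to pdadmin -a sec_master -p ... :"
        cat
        return 0
    fi
    tmp="$(mktemp)" || return 1
    cat > "$tmp"
    pdadmin -a sec_master -p "$SEC_MASTER_PW" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Check in the internal LDAP that the secUser entry carries the e-mail as
# principalName and that secDN points at the inetOrgPerson (host/bind DN assumed).
verify_principal() {
    ldapsearch -o ldif-wrap=no -H "ldaps://isam.example.com:636" \
        -D "cn=root,secAuthority=Default" -W \
        -b "cn=Users,secAuthority=Default" "(principalName=$1)" principalName secDN
}

# Constructed sample user; with DRY_RUN=1 this only prints the commands.
isam_user_commands bernhard@example.com "Bernhard Hensler" Hensler Passw0rd | apply_commands
```

Run it with DRY_RUN=0 on a machine that has the pdadmin client configured against the policy server, then call verify_principal with the same address; the returned entry should show principalName equal to the e-mail while secDN still names uid=bernhard,... so the uid on the inetOrgPerson never has to be the address.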