IBM Verify

 View Only
  • 1.  Basic User enabled doesn't allow full User login

    Posted Wed November 22, 2023 01:51 PM
    Edited by Jens Petersen Wed November 22, 2023 02:04 PM

    Hello together,

    at 10.0.4.0 I'm trying to run basic and full users in parallel. So at ldap.conf I enabled Basic-Users = YES and put Basic-User-Search-Path = SECAUTHORITY=Default and a second entry Basic-User-Search-Path = ou=....

    Once Basic User is enabled I can't find any full User but the Basic Users, disabling is the other way around. Following the Documentation I would interpret both shall work in parallel with Basic-User = yes

    Without setting Basic-Users-Search-Path all Usurers are found, Basic and also Full. The Downside is I can't control where the users are searched

    Any suggestion welcome!

    My aim is to run in parallel while I have more than one secauthority in the same LDAP with full users but may use Basic Users for both 



    ------------------------------
    Jens Petersen
    ------------------------------



  • 2.  RE: Basic User enabled doesn't allow full User login

    Posted Wed November 22, 2023 04:17 PM

    Jens,

     

    The comment for the basic user suffix configuration is as follows:

     

    # If Basic user support is enabled then the suffixes searched for Basic and

    # Full users are defined here.  The suffix list must include all suffixes to be

    # searched from this server and Federated servers.  If basic-user-no-duplicates

    # is disabled and basic-user-suffix-optimizer is disabled then the order of

    # this list is used to search for users.  If no basic-user-search-suffix

    # entries are set here then all known suffixes, in no particular order, will be

    # used.                              

     

    What this means is that you need to include all suffixes, including the suffix where your full ISVA users are stored.  This is not the 'secAuthority=Default' suffix, but the suffix where your user entries actually reside.  If you look at the 'secDN' attribute within 'principalName=?,cn=Users,secAuthority=Default' record you will find the full DN of a user, which includes the suffix where this particular ISVA user resides.  This is the suffix which needs to be added to the 'basic-user-search-suffix' configuration entry.

     

    I just tried this out in my local environment and was able to successfully authenticate both basic and full users after I had successfully configure the 'basic-user-search-suffix' configuration entry.

     

    I hope that this helps.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

    cid4122760825*<a href=image002.png@01D85F83.85516C50">

     

     

     






  • 3.  RE: Basic User enabled doesn't allow full User login
    Best Answer

    Posted Thu November 23, 2023 12:04 PM
    Edited by Wendy Batten Fri December 01, 2023 06:54 AM

    Hi Scott

    thanks for quick Answer. You are right it's working with weasel but with ULH. The Problem is that ULH as it has access to secauthority=Default via credentials set at ldap.conf (.init() method for Basic Users) always finds the user placed at that Domain, independent how you search. also searching with.getUserWithDomain(userName, 'TEST') brings up the user at Default Domain.

    I meanwhile found a way working around I hope. I created a User having LDAP access just to Suffixes needed, looks good so far. Now need to test with our Dev system and real test environment but in my lab.

    What would be really helpful is a documentation on how ULH works under the cover. I run into so many problems with e.g. HTTPProxy and clustered environment and other issues which could have avoided while knowing what exactly it does instead of reengineering with packet trace and tons of logs.

    Cheers Jens



    ------------------------------
    Jens Petersen
    ------------------------------