Hi Scott
thanks for the quick answer. You are right, it's working with weasel, but with ULH the problem is that ULH, as it has access to secAuthority=Default via the credentials set in ldap.conf (the .init() method for Basic Users), always finds the user placed in that domain, independent of how you search. Also, searching with .getUserWithDomain(userName, 'TEST') brings up the user in the Default domain.
Meanwhile I have found a workaround, I hope. I created a user having LDAP access just to the suffixes needed; it looks good so far. Now I need to test with our dev system and the real test environment, not just in my lab.
What would be really helpful is documentation on how ULH works under the covers. I ran into so many problems with, e.g., the HTTP proxy and clustered environments, and other issues which could have been avoided by knowing what exactly it does, instead of reverse engineering it with packet traces and tons of logs.
Cheers, Jens
------------------------------
Jens Petersen
------------------------------
Original Message:
Sent: Wed November 22, 2023 04:16 PM
From: Scott Exton
Subject: Basic User enabled doesn't allow full User login
Jens,
The comment for the basic user suffix configuration is as follows:
# If Basic user support is enabled then the suffixes searched for Basic and
# Full users are defined here. The suffix list must include all suffixes to be
# searched from this server and Federated servers. If basic-user-no-duplicates
# is disabled and basic-user-suffix-optimizer is disabled then the order of
# this list is used to search for users. If no basic-user-search-suffix
# entries are set here then all known suffixes, in no particular order, will be
# used.
What this means is that you need to include all suffixes, including the suffix where your full ISVA users are stored. This is not the 'secAuthority=Default' suffix, but the suffix where your user entries actually reside. If you look at the 'secDN' attribute within 'principalName=?,cn=Users,secAuthority=Default' record you will find the full DN of a user, which includes the suffix where this particular ISVA user resides. This is the suffix which needs to be added to the 'basic-user-search-suffix' configuration entry.
I just tried this out in my local environment and was able to successfully authenticate both basic and full users after I had successfully configured the 'basic-user-search-suffix' configuration entry.
I hope that this helps.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
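An added check (not code from this thread or from ISVA) for the step Scott describes: take the secDN of a user record under secAuthority=Default, work out which of the directory's suffixes that DN lives under, and print the matching 'basic-user-search-suffix' lines. The LDIF record, the suffix list and the 'key = value' ldap.conf line format are constructed assumptions for this example.

```python
import re

# Constructed sample: an LDIF record as ldapsearch would return it for an ISVA
# user under secAuthority=Default. Names and suffixes are invented for this example.
SAMPLE_LDIF = """\
dn: principalName=jdoe,cn=Users,secAuthority=Default
objectClass: secUser
principalName: jdoe
secDN: cn=John Doe,ou=People,dc=example,dc=com
"""

# Constructed sample: the suffixes (namingContexts) the directory server reports.
SAMPLE_SUFFIXES = ["secAuthority=Default", "dc=example,dc=com", "o=acme,c=us"]


def secdn_from_ldif(ldif):
    """Return the secDN value of an LDIF record, or None if it is absent."""
    m = re.search(r"^secDN:\s*(.+)$", ldif, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas, lower-cased for comparison."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def suffix_for_dn(dn, suffixes):
    """Return the server suffix the DN lives under (longest match wins), or None."""
    rdns = split_dn(dn)
    best = None
    for suffix in suffixes:
        tail = split_dn(suffix)
        if len(tail) <= len(rdns) and rdns[-len(tail):] == tail:
            if best is None or len(tail) > len(split_dn(best)):
                best = suffix
    return best


def search_suffix_lines(suffixes):
    """Render ldap.conf entries, one basic-user-search-suffix line per suffix."""
    return ["basic-user-search-suffix = %s" % s for s in suffixes]


if __name__ == "__main__":
    dn = secdn_from_ldif(SAMPLE_LDIF)
    full_user_suffix = suffix_for_dn(dn, SAMPLE_SUFFIXES)
    print("secDN:", dn)
    print("suffix holding the full user:", full_user_suffix)
    # Keep whatever suffixes you already search and add the full-user one.
    print("\n".join(search_suffix_lines(["secAuthority=Default", full_user_suffix])))
```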
Original Message:
Sent: 11/22/2023 1:51:00 PM
From: Jens Petersen
Subject: Basic User enabled doesn't allow full User login
Hello all,
On 10.0.4.0 I'm trying to run basic and full users in parallel. So in ldap.conf I enabled Basic-Users = YES and put Basic-User-Search-Path = SECAUTHORITY=Default and a second entry Basic-User-Search-Path = ou=....
Once Basic User is enabled I can't find any full user, only the basic users; disabling it is the other way around. Following the documentation, I would interpret that both shall work in parallel with Basic-User = yes.
Without setting Basic-Users-Search-Path all users are found, basic and also full. The downside is I can't control where the users are searched.
Any suggestion welcome!
My aim is to run them in parallel, as I have more than one secAuthority in the same LDAP with full users but may use basic users for both.
------------------------------
Jens Petersen
------------------------------