Hi all
I have a clean build 8.1. I am experimenting with AREA 8.1 in its simplest
form, basically trying to authenticate the support staff against their local
AD... simple one might think, but no... I have been fighting with it for a
week now and seem to be getting nowhere fast. I am going to try and list the
symptoms and findings here in the hope that someone can help (why can the
simplest form of AD integration not be simply a few check boxes to make it work
like in most apps with this feature, and bury the clever stuff that the
minority might want!!)
1. I have created a test user in AD called “test user”, with a password of
“Password1”, and a USERNAME=123456
2. I have created a people record called “Test User” with an ARS password of
“Window5”, and a USERNAME=123456
3. Placed the AD user into the default USERS container to avoid any confusion
of OUs
4. Tested both users in their own environment to make sure they log in
5. Set up AREA form in its simplest form with
- hostname = AD server
- port = 389 (confirmed AD is answering on this port via telnet to that
port)
- bind user is my own AD account which is domain admin
- userbase = CM=Users,DC=DOMAIN (note this domain has only
a single extension, i.e. where BMC is bmc.com, in this domain it would just be
“bmc”)
- User Search Filter = userPrincipalName=%\USER$
- Group membership = None
- everything else is default
6. In the EA tab:
- RPC port = 390695
- Cross ref blank pas = CHECKED
- Auth string chaining = “AREA - ARS”
So, what happens…
- If I log into Remedy using 123456 and Window5 then it logs in fine as expected
- If I log into Remedy using 123456 and Password1 then it will not authenticate
I then tried a few of the different chaining modes to see what would happen.
None work except when I set it to:
- ARS – OS – AREA
At this point, I can now log into Remedy using EITHER the AD password or the
ARS password.
First question, what is “OS” in the chaining policy? I am assuming operating
system, but what settings is it using, how is it getting those details, is it
from some settings in the AREA form? I ask this, as when I went into AREA form
and messed up the search strings and what not, but the login using AD password
STILL worked, so it is like it does not use AREA config for the OS chaining
function.
I then fixed AREA config, but changed the “User Search Filter” to use
“displayName” and then tested login using “TestUser” as login name with AD
password, and it failed. I tried then using the USERNAME again and it still
worked!
I am now very confused, as the configuration of this in 8.1 DOES on paper look
simple. I turned logging of filter to finest but got nothing of interest… it
is like it is just not doing anything. I am just wondering have I missed a key
point… I know in 7.65 it was a lot harder, but in 8.x it is supposed to be
simpler… it installs the plugin as part of install etc, so I am just wondering
is something broke, or am I being an idiot (I suspect the latter unfortunately)
Cheers
dan
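
Added example, not part of the original post and not BMC code: an offline Python sanity check of the search base and user search filter values listed in step 5, which can be run before pointing AREA at the directory. The attribute-type allow-list and all function names are assumptions made for this illustration; the filter token is copied from the post as written.

```python
import re

# RDN attribute types commonly seen in AD distinguished names
# (constructed allow-list for this illustration, not exhaustive).
KNOWN_RDN_TYPES = {"CN", "OU", "DC", "O", "L", "ST", "C", "UID"}

def split_dn(dn):
    """Split a DN into (TYPE, value) pairs on commas not preceded by a backslash."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        rdn_type, sep, value = part.strip().partition("=")
        if not (sep and rdn_type.strip() and value.strip()):
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((rdn_type.strip().upper(), value.strip()))
    return rdns

def lint_base_dn(dn):
    """Return warnings for RDN types outside the allow-list or a missing DC part."""
    rdns = split_dn(dn)
    warnings = [f"unrecognised RDN type in {t}={v}" for t, v in rdns
                if t not in KNOWN_RDN_TYPES]
    if not any(t == "DC" for t, _ in rdns):
        warnings.append("no DC= component")
    return warnings

def escape_filter_value(value):
    """Escape the RFC 4515 special characters \\ * ( ) and NUL as \\XX hex pairs."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand_filter(template, token, login):
    """Substitute the escaped login name for token and wrap the result in parentheses."""
    if token not in template:
        raise ValueError(f"token {token!r} not found in filter template")
    expanded = template.replace(token, escape_filter_value(login))
    return expanded if expanded.startswith("(") else f"({expanded})"

if __name__ == "__main__":
    # Values as written in step 5 of the post; the login name is the test USERNAME.
    for warning in lint_base_dn("CM=Users,DC=DOMAIN"):
        print("base DN:", warning)
    print("filter :", expand_filter("userPrincipalName=%\\USER$", "%\\USER$", "123456"))
```

The expanded filter is the string a directory search would compare against the account's attribute, so it can be checked by eye against the value actually stored in AD for the test user.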