Authentication from LDAP
Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are
Re: Authentication from LDAP
In our current implementation we are also multi-tenant, and we do not store passwords in ARS. We are authenticating externally, and our authentication chaining mode is ARS-Area. Hope that helps. From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of sivarama velicheti Sent: Tuesday, July 29, 2008 12:02 PM To: arslist@ARSLIST.ORG Subject: Authentication from LDAP ** Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ This message is subject to and does not create or vary any contractual relationship between TuringSMI, SMI Technologies, SMI Telco, its subsidiaries or affiliates and you. Internet communications are not secure and therefore the TuringSMI Group does not accept any legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. This message is intended for the addressee(s) only and its contents and any attached files are strictly confidential. If you have received it in error, please contact the sender on the number above. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are
Re: Authentication from LDAP
Hi Lisa, In the external authentication TAB are both the options i) authenticate - unregistered users and ii) Cross refernce blank password selected? I have external authentication plugin server program number as : 390695. One more thing in the configuration TAB what are the check boxes selected. I have enabled just i) allow unqualified searches and ii) enable multiple assign groups. Thanks Sivarama On Tue, Jul 29, 2008 at 11:11 AM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** In our current implementation we are also multi-tenant, and we do not store passwords in ARS. We are authenticating externally, and our authentication chaining mode is ARS-Area. Hope that helps. *From:* Action Request System discussion list(ARSList) [mailto: [EMAIL PROTECTED] *On Behalf Of *sivarama velicheti *Sent:* Tuesday, July 29, 2008 12:02 PM *To:* arslist@ARSLIST.ORG *Subject:* Authentication from LDAP ** Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ http://www.bmc.com/userworld/ TuringSMI is a Platinum Sponsor of both BMC UserWorld Events *Email Disclaimer* This email has been sent from the TuringSMI Group This message is subject to and does not create or vary any contractual relationship between TuringSMI, SMI Technologies, SMI Telco, its subsidiaries or affiliates and you. Internet communications are not secure and therefore the TuringSMI Group does not accept any legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. This message is intended for the addressee(s) only and its contents and any attached files are strictly confidential. If you have received it in error, please contact the sender on the number above. __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are
Re: Authentication from LDAP
Sivarama, I think you have a slight shroud of your understanding of how the LDAP integration works. No you do not need to import any passwords from LDAP to the ARS. The password is not communicated by the LDAP server to the AR Server, rather the response after validation is.. This means that when a user that has a blank password logs into an AR Server that is setup for LDAP authentication, the request for authentication is sent from the ARS to the LDAP server, and if the LDAP server validates the credentials to be valid, the user gets authenticated to Remedy. IF the password for the user is not blank in Remedy, then there is no request for authentication sent to the LDAP server, and the authentication happens locally.. Hope this helps.. Joe - Original Message From: sivarama velicheti [EMAIL PROTECTED] To: arslist@ARSLIST.ORG Sent: Tuesday, July 29, 2008 2:50:04 PM Subject: Re: Authentication from LDAP ** Hi Lisa, In the external authentication TAB are both the options i) authenticate - unregistered users and ii) Cross refernce blank password selected? I have external authentication plugin server program number as : 390695. One more thing in the configuration TAB what are the check boxes selected. I have enabled just i) allow unqualified searches and ii) enable multiple assign groups. Thanks Sivarama On Tue, Jul 29, 2008 at 11:11 AM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** In our current implementation we are also multi-tenant, and we do not store passwords in ARS. We are authenticating externally, and our authentication chaining mode is ARS-Area. Hope that helps. From:Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of sivarama velicheti Sent: Tuesday, July 29, 2008 12:02 PM To: arslist@ARSLIST.ORG Subject: Authentication from LDAP ** Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ TuringSMIis a Platinum Sponsor of both BMC UserWorld Events Email Disclaimer This email has been sent from the TuringSMI Group This message is subject to and does not create or vary any contractual relationship between TuringSMI, SMI Technologies, SMI Telco, its subsidiaries or affiliates and you. Internet communications are not secure and therefore the TuringSMI Group does not accept any legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. This message is intended for the addressee(s) only and its contents and any attached files are strictly confidential. If you have received it in error, please contact the sender on the number above. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are
Re: Authentication from LDAP
Hi Joe, Hi Joe let me confirm something from you. When you say that a user who has a blank password I assume that the users password is not stored in AR Server people form or user form. Only his login name is. When he enters his user name and password to login to the user tool or midtier the password he enters gets authenticated with the LDAP and he gets access. If that is the case when I am importing data to the people form in the login tab I can see x in the password field which beats be because I am not importing any password and hence it should show blank instead of x. Do I need to change any settings in password management form?? Thanks Sivarama On Tue, Jul 29, 2008 at 12:03 PM, Joe DeSouza [EMAIL PROTECTED] wrote: ** Sivarama, I think you have a slight shroud of your understanding of how the LDAP integration works. No you do not need to import any passwords from LDAP to the ARS. The password is not communicated by the LDAP server to the AR Server, rather the response after validation is.. This means that when a user that has a blank password logs into an AR Server that is setup for LDAP authentication, the request for authentication is sent from the ARS to the LDAP server, and if the LDAP server validates the credentials to be valid, the user gets authenticated to Remedy. IF the password for the user is not blank in Remedy, then there is no request for authentication sent to the LDAP server, and the authentication happens locally.. Hope this helps.. Joe - Original Message From: sivarama velicheti [EMAIL PROTECTED] To: arslist@ARSLIST.ORG Sent: Tuesday, July 29, 2008 2:50:04 PM Subject: Re: Authentication from LDAP ** Hi Lisa, In the external authentication TAB are both the options i) authenticate - unregistered users and ii) Cross refernce blank password selected? I have external authentication plugin server program number as : 390695. One more thing in the configuration TAB what are the check boxes selected. I have enabled just i) allow unqualified searches and ii) enable multiple assign groups. Thanks Sivarama On Tue, Jul 29, 2008 at 11:11 AM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** In our current implementation we are also multi-tenant, and we do not store passwords in ARS. We are authenticating externally, and our authentication chaining mode is ARS-Area. Hope that helps. *From:* Action Request System discussion list(ARSList) [mailto: [EMAIL PROTECTED] *On Behalf Of *sivarama velicheti *Sent:* Tuesday, July 29, 2008 12:02 PM *To:* arslist@ARSLIST.ORG *Subject:* Authentication from LDAP ** Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ http://www.bmc.com/userworld/ TuringSMI is a Platinum Sponsor of both BMC UserWorld Events *Email Disclaimer* This email has been sent from the TuringSMI Group This message is subject to and does not create or vary any contractual relationship between TuringSMI, SMI Technologies, SMI Telco, its subsidiaries or affiliates and you. Internet communications are not secure and therefore the TuringSMI Group does not accept any legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. This message is intended for the addressee(s) only and its contents and any attached files are strictly confidential. If you have received it in error, please contact the sender on the number above. __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are
Re: Authentication from LDAP
When it's blank it will still show x. That one threw me off the first time I saw it too. From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of sivarama velicheti Sent: Tuesday, July 29, 2008 2:18 PM To: arslist@ARSLIST.ORG Subject: Re: Authentication from LDAP ** Hi Joe, Hi Joe let me confirm something from you. When you say that a user who has a blank password I assume that the users password is not stored in AR Server people form or user form. Only his login name is. When he enters his user name and password to login to the user tool or midtier the password he enters gets authenticated with the LDAP and he gets access. If that is the case when I am importing data to the people form in the login tab I can see x in the password field which beats be because I am not importing any password and hence it should show blank instead of x. Do I need to change any settings in password management form?? Thanks Sivarama On Tue, Jul 29, 2008 at 12:03 PM, Joe DeSouza [EMAIL PROTECTED] wrote: ** Sivarama, I think you have a slight shroud of your understanding of how the LDAP integration works. No you do not need to import any passwords from LDAP to the ARS. The password is not communicated by the LDAP server to the AR Server, rather the response after validation is.. This means that when a user that has a blank password logs into an AR Server that is setup for LDAP authentication, the request for authentication is sent from the ARS to the LDAP server, and if the LDAP server validates the credentials to be valid, the user gets authenticated to Remedy. IF the password for the user is not blank in Remedy, then there is no request for authentication sent to the LDAP server, and the authentication happens locally.. Hope this helps.. Joe - Original Message From: sivarama velicheti [EMAIL PROTECTED] To: arslist@ARSLIST.ORG Sent: Tuesday, July 29, 2008 2:50:04 PM Subject: Re: Authentication from LDAP ** Hi Lisa, In the external authentication TAB are both the options i) authenticate - unregistered users and ii) Cross refernce blank password selected? I have external authentication plugin server program number as : 390695. One more thing in the configuration TAB what are the check boxes selected. I have enabled just i) allow unqualified searches and ii) enable multiple assign groups. Thanks Sivarama On Tue, Jul 29, 2008 at 11:11 AM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** In our current implementation we are also multi-tenant, and we do not store passwords in ARS. We are authenticating externally, and our authentication chaining mode is ARS-Area. Hope that helps. From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of sivarama velicheti Sent: Tuesday, July 29, 2008 12:02 PM To: arslist@ARSLIST.ORG Subject: Authentication from LDAP ** Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama __Platinum Sponsor: www.rmsportal.com http://www.rmsportal.com/ ARSlist: Where the Answers Are html___ Error! Filename not specified. http://www.bmc.com/userworld/ TuringSMI is a Platinum Sponsor of both BMC UserWorld Events Email Disclaimer This email has been sent from the TuringSMI Group This message is subject to and does not create or vary any contractual relationship between TuringSMI, SMI Technologies, SMI Telco, its subsidiaries or affiliates and you. Internet communications are not secure and therefore the TuringSMI Group does not accept any legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. This message is intended for the addressee(s) only and its contents and any attached files are strictly confidential. If you have received it in error, please contact the sender on the number above. __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are
Re: Authentication from LDAP
Hi Lisa, Please tell me if the options that I have enabled are appropriate and if its set the same way in your server. Then probably I will have to look at my LDAP password. Thanks Sivarama On Tue, Jul 29, 2008 at 12:44 PM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** When it's blank it will still show x. That one threw me off the first time I saw it too. *From:* Action Request System discussion list(ARSList) [mailto: [EMAIL PROTECTED] *On Behalf Of *sivarama velicheti *Sent:* Tuesday, July 29, 2008 2:18 PM *To:* arslist@ARSLIST.ORG *Subject:* Re: Authentication from LDAP ** Hi Joe, Hi Joe let me confirm something from you. When you say that a user who has a blank password I assume that the users password is not stored in AR Server people form or user form. Only his login name is. When he enters his user name and password to login to the user tool or midtier the password he enters gets authenticated with the LDAP and he gets access. If that is the case when I am importing data to the people form in the login tab I can see x in the password field which beats be because I am not importing any password and hence it should show blank instead of x. Do I need to change any settings in password management form?? Thanks Sivarama On Tue, Jul 29, 2008 at 12:03 PM, Joe DeSouza [EMAIL PROTECTED] wrote: ** Sivarama, I think you have a slight shroud of your understanding of how the LDAP integration works. No you do not need to import any passwords from LDAP to the ARS. The password is not communicated by the LDAP server to the AR Server, rather the response after validation is.. This means that when a user that has a blank password logs into an AR Server that is setup for LDAP authentication, the request for authentication is sent from the ARS to the LDAP server, and if the LDAP server validates the credentials to be valid, the user gets authenticated to Remedy. IF the password for the user is not blank in Remedy, then there is no request for authentication sent to the LDAP server, and the authentication happens locally.. Hope this helps.. Joe - Original Message From: sivarama velicheti [EMAIL PROTECTED] To: arslist@ARSLIST.ORG Sent: Tuesday, July 29, 2008 2:50:04 PM Subject: Re: Authentication from LDAP ** Hi Lisa, In the external authentication TAB are both the options i) authenticate - unregistered users and ii) Cross refernce blank password selected? I have external authentication plugin server program number as : 390695. One more thing in the configuration TAB what are the check boxes selected. I have enabled just i) allow unqualified searches and ii) enable multiple assign groups. Thanks Sivarama On Tue, Jul 29, 2008 at 11:11 AM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** In our current implementation we are also multi-tenant, and we do not store passwords in ARS. We are authenticating externally, and our authentication chaining mode is ARS-Area. Hope that helps. *From:* Action Request System discussion list(ARSList) [mailto: [EMAIL PROTECTED] *On Behalf Of *sivarama velicheti *Sent:* Tuesday, July 29, 2008 12:02 PM *To:* arslist@ARSLIST.ORG *Subject:* Authentication from LDAP ** Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ *Error! Filename not specified.* http://www.bmc.com/userworld/ TuringSMI is a Platinum Sponsor of both BMC UserWorld Events *Email Disclaimer* This email has been sent from the TuringSMI Group This message is subject to and does not create or vary any contractual relationship between TuringSMI, SMI Technologies, SMI Telco, its subsidiaries or affiliates and you. Internet communications are not secure and therefore the TuringSMI Group does not accept any legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. This message is intended for the addressee(s) only and its contents and any attached files are strictly confidential. If you have received it in error, please contact the sender on the number above. __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___
Re: Authentication from LDAP
Authenticate Unregistered Users is not selected Cross reference blank password is selected Program Number is 390695 Ignore Excess Groups is selected On the Configuration tab, I have selected: Server Group Member Disable Escalations Disable Alerts Enable Multiple Assign Groups From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of sivarama velicheti Sent: Tuesday, July 29, 2008 1:50 PM To: arslist@ARSLIST.ORG Subject: Re: Authentication from LDAP ** Hi Lisa, In the external authentication TAB are both the options i) authenticate - unregistered users and ii) Cross refernce blank password selected? I have external authentication plugin server program number as : 390695. One more thing in the configuration TAB what are the check boxes selected. I have enabled just i) allow unqualified searches and ii) enable multiple assign groups. Thanks Sivarama On Tue, Jul 29, 2008 at 11:11 AM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** In our current implementation we are also multi-tenant, and we do not store passwords in ARS. We are authenticating externally, and our authentication chaining mode is ARS-Area. Hope that helps. From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of sivarama velicheti Sent: Tuesday, July 29, 2008 12:02 PM To: arslist@ARSLIST.ORG Subject: Authentication from LDAP ** Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ Error! Filename not specified. http://www.bmc.com/userworld/ TuringSMI is a Platinum Sponsor of both BMC UserWorld Events Email Disclaimer This email has been sent from the TuringSMI Group This message is subject to and does not create or vary any contractual relationship between TuringSMI, SMI Technologies, SMI Telco, its subsidiaries or affiliates and you. Internet communications are not secure and therefore the TuringSMI Group does not accept any legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. This message is intended for the addressee(s) only and its contents and any attached files are strictly confidential. If you have received it in error, please contact the sender on the number above. __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are
Re: Authentication from LDAP
Sivarama, I am not sure where you read that, but if you set up LADP for SSO you do need to have of the infomation about a user in the system. If a password is stored on the ar system, then it wiil use that, if blank it will use the LDAP (SSO). I hope that helps, hbr On 7/29/08, Lisa Westerfield [EMAIL PROTECTED] wrote: ** Authenticate Unregistered Users is not selected Cross reference blank password is selected Program Number is 390695 Ignore Excess Groups is selected On the Configuration tab, I have selected: Server Group Member Disable Escalations Disable Alerts Enable Multiple Assign Groups *From:* Action Request System discussion list(ARSList) [mailto: [EMAIL PROTECTED] *On Behalf Of *sivarama velicheti *Sent:* Tuesday, July 29, 2008 1:50 PM *To:* arslist@ARSLIST.ORG *Subject:* Re: Authentication from LDAP ** Hi Lisa, In the external authentication TAB are both the options i) authenticate - unregistered users and ii) Cross refernce blank password selected? I have external authentication plugin server program number as : 390695. One more thing in the configuration TAB what are the check boxes selected. I have enabled just i) allow unqualified searches and ii) enable multiple assign groups. Thanks Sivarama On Tue, Jul 29, 2008 at 11:11 AM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** In our current implementation we are also multi-tenant, and we do not store passwords in ARS. We are authenticating externally, and our authentication chaining mode is ARS-Area. Hope that helps. *From:* Action Request System discussion list(ARSList) [mailto: [EMAIL PROTECTED] *On Behalf Of *sivarama velicheti *Sent:* Tuesday, July 29, 2008 12:02 PM *To:* arslist@ARSLIST.ORG *Subject:* Authentication from LDAP ** Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ *Error! Filename not specified.* http://www.bmc.com/userworld/ TuringSMI is a Platinum Sponsor of both BMC UserWorld Events *Email Disclaimer* This email has been sent from the TuringSMI Group This message is subject to and does not create or vary any contractual relationship between TuringSMI, SMI Technologies, SMI Telco, its subsidiaries or affiliates and you. Internet communications are not secure and therefore the TuringSMI Group does not accept any legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. This message is intended for the addressee(s) only and its contents and any attached files are strictly confidential. If you have received it in error, please contact the sender on the number above. __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ -- Howard Richter Red Hat Certified Technician CompTIA Linux+ Certified ITIL Foundation Certified E-Mail = [EMAIL PROTECTED] LinkedIn Profile = http://www.linkedin.com/in/hbr4270 ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are
Re: Authentication from LDAP
Hi Howard, I haven't set up LDAP for SSO. I will tell you what I have done. I have filled out the AR Server ARDBC and AREA configuration forms to the extent required. I have given all the authentication details for the LDAP server in the forms. I am able to access and pull the LDAP table details into my vendor form (which is indicative that the authentication is working for ARDBC). I have used the same authentication details for AREA form as well. Then I filled out the EA tab of the Server Information form. I restarted the AR Server (i changed the RPC plugin server number as directed and enabled cross reference blank password and have the authentication chaining mode setup as ARS-AREA). Now I am trying to login to Remedy User Tool using my credentials as stored in LDAP and it says that the authentication has failed. Please advice as to what more needs to be done. I would be implementing SSO as well and so please share with me if you have any idea how to set it up (I have no idea at all). Thanks Sivarama On Tue, Jul 29, 2008 at 1:40 PM, Howard Richter [EMAIL PROTECTED] wrote: ** Sivarama, I am not sure where you read that, but if you set up LADP for SSO you do need to have of the infomation about a user in the system. If a password is stored on the ar system, then it wiil use that, if blank it will use the LDAP (SSO). I hope that helps, hbr On 7/29/08, Lisa Westerfield [EMAIL PROTECTED] wrote: ** Authenticate Unregistered Users is not selected Cross reference blank password is selected Program Number is 390695 Ignore Excess Groups is selected On the Configuration tab, I have selected: Server Group Member Disable Escalations Disable Alerts Enable Multiple Assign Groups *From:* Action Request System discussion list(ARSList) [mailto: [EMAIL PROTECTED] *On Behalf Of *sivarama velicheti *Sent:* Tuesday, July 29, 2008 1:50 PM *To:* arslist@ARSLIST.ORG *Subject:* Re: Authentication from LDAP ** Hi Lisa, In the external authentication TAB are both the options i) authenticate - unregistered users and ii) Cross refernce blank password selected? I have external authentication plugin server program number as : 390695. One more thing in the configuration TAB what are the check boxes selected. I have enabled just i) allow unqualified searches and ii) enable multiple assign groups. Thanks Sivarama On Tue, Jul 29, 2008 at 11:11 AM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** In our current implementation we are also multi-tenant, and we do not store passwords in ARS. We are authenticating externally, and our authentication chaining mode is ARS-Area. Hope that helps. *From:* Action Request System discussion list(ARSList) [mailto: [EMAIL PROTECTED] *On Behalf Of *sivarama velicheti *Sent:* Tuesday, July 29, 2008 12:02 PM *To:* arslist@ARSLIST.ORG *Subject:* Authentication from LDAP ** Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ *Error! Filename not specified.* http://www.bmc.com/userworld/ TuringSMI is a Platinum Sponsor of both BMC UserWorld Events *Email Disclaimer* This email has been sent from the TuringSMI Group This message is subject to and does not create or vary any contractual relationship between TuringSMI, SMI Technologies, SMI Telco, its subsidiaries or affiliates and you. Internet communications are not secure and therefore the TuringSMI Group does not accept any legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. This message is intended for the addressee(s) only and its contents and any attached files are strictly confidential. If you have received it in error, please contact the sender on the number above. __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ -- Howard Richter Red Hat Certified Technician CompTIA Linux+ Certified ITIL Foundation Certified E-Mail = [EMAIL PROTECTED] LinkedIn Profile = http://www.linkedin.com/in/hbr4270 __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___
Re: Authentication from LDAP
Hi Lisa, Thanks for you help in this issue. I have one questopn for you though. Have you mapped the LDAP groups and AR Server Groups in the EA Tab. I don't have any groups mapped. Is that why I am facing this issue?? Thanks Sivarama On Tue, Jul 29, 2008 at 1:31 PM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** Authenticate Unregistered Users is not selected Cross reference blank password is selected Program Number is 390695 Ignore Excess Groups is selected On the Configuration tab, I have selected: Server Group Member Disable Escalations Disable Alerts Enable Multiple Assign Groups *From:* Action Request System discussion list(ARSList) [mailto: [EMAIL PROTECTED] *On Behalf Of *sivarama velicheti *Sent:* Tuesday, July 29, 2008 1:50 PM *To:* arslist@ARSLIST.ORG *Subject:* Re: Authentication from LDAP ** Hi Lisa, In the external authentication TAB are both the options i) authenticate - unregistered users and ii) Cross refernce blank password selected? I have external authentication plugin server program number as : 390695. One more thing in the configuration TAB what are the check boxes selected. I have enabled just i) allow unqualified searches and ii) enable multiple assign groups. Thanks Sivarama On Tue, Jul 29, 2008 at 11:11 AM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** In our current implementation we are also multi-tenant, and we do not store passwords in ARS. We are authenticating externally, and our authentication chaining mode is ARS-Area. Hope that helps. *From:* Action Request System discussion list(ARSList) [mailto: [EMAIL PROTECTED] *On Behalf Of *sivarama velicheti *Sent:* Tuesday, July 29, 2008 12:02 PM *To:* arslist@ARSLIST.ORG *Subject:* Authentication from LDAP ** Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ *Error! Filename not specified.* http://www.bmc.com/userworld/ TuringSMI is a Platinum Sponsor of both BMC UserWorld Events *Email Disclaimer* This email has been sent from the TuringSMI Group This message is subject to and does not create or vary any contractual relationship between TuringSMI, SMI Technologies, SMI Telco, its subsidiaries or affiliates and you. Internet communications are not secure and therefore the TuringSMI Group does not accept any legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. This message is intended for the addressee(s) only and its contents and any attached files are strictly confidential. If you have received it in error, please contact the sender on the number above. __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are
Re: Authentication from LDAP
No, we don't have anything mapped for Groups. What symptoms are you seeing - that may help me troubleshoot with you. From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of sivarama velicheti Sent: Tuesday, July 29, 2008 6:37 PM To: arslist@ARSLIST.ORG Subject: Re: Authentication from LDAP ** Hi Lisa, Thanks for you help in this issue. I have one questopn for you though. Have you mapped the LDAP groups and AR Server Groups in the EA Tab. I don't have any groups mapped. Is that why I am facing this issue?? Thanks Sivarama On Tue, Jul 29, 2008 at 1:31 PM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** Authenticate Unregistered Users is not selected Cross reference blank password is selected Program Number is 390695 Ignore Excess Groups is selected On the Configuration tab, I have selected: Server Group Member Disable Escalations Disable Alerts Enable Multiple Assign Groups From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of sivarama velicheti Sent: Tuesday, July 29, 2008 1:50 PM To: arslist@ARSLIST.ORG Subject: Re: Authentication from LDAP ** Hi Lisa, In the external authentication TAB are both the options i) authenticate - unregistered users and ii) Cross refernce blank password selected? I have external authentication plugin server program number as : 390695. One more thing in the configuration TAB what are the check boxes selected. I have enabled just i) allow unqualified searches and ii) enable multiple assign groups. Thanks Sivarama On Tue, Jul 29, 2008 at 11:11 AM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** In our current implementation we are also multi-tenant, and we do not store passwords in ARS. We are authenticating externally, and our authentication chaining mode is ARS-Area. Hope that helps. From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of sivarama velicheti Sent: Tuesday, July 29, 2008 12:02 PM To: arslist@ARSLIST.ORG Subject: Authentication from LDAP ** Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ Error! Filename not specified. http://www.bmc.com/userworld/ TuringSMI is a Platinum Sponsor of both BMC UserWorld Events Email Disclaimer This email has been sent from the TuringSMI Group This message is subject to and does not create or vary any contractual relationship between TuringSMI, SMI Technologies, SMI Telco, its subsidiaries or affiliates and you. Internet communications are not secure and therefore the TuringSMI Group does not accept any legal responsibility for the contents of this message. Any views or opinions expressed are those of the author. This message is intended for the addressee(s) only and its contents and any attached files are strictly confidential. If you have received it in error, please contact the sender on the number above. __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are
Re: Authentication from LDAP
The password field is masked so the fact that you can see the ***'s do not mean anything. So if you are sure you haven't set any value either by directly mapping the password field to a column in the import file or through workflow, you could safely assume that all your passwords are null. Technically only your Demo (administrator user) user should have its password stored in the AR System if you have not created an ldap account for Demo. Its usually a good idea to keep this password in the AR System and not ldap though just in case there is an outage on the ldap server, as you will still be able to use the AR System by disabling the ldap integration - it would be a sort of a security risk as uses will have a blank password but thats another issue.. You could probably device some workflow to issue temp passwords during such an event and email them to the users, and restore them to null when you want to start using the ldap integration again.. Joe - Original Message From: sivarama velicheti [EMAIL PROTECTED] To: arslist@ARSLIST.ORG Sent: Tuesday, July 29, 2008 3:18:16 PM Subject: Re: Authentication from LDAP ** Hi Joe, Hi Joe let me confirm something from you. When you say that a user who has a blank password I assume that the users password is not stored in AR Server people form or user form. Only his login name is. When he enters his user name and password to login to the user tool or midtier the password he enters gets authenticated with the LDAP and he gets access. If that is the case when I am importing data to the people form in the login tab I can see x in the password field which beats be because I am not importing any password and hence it should show blank instead of x. Do I need to change any settings in password management form?? Thanks Sivarama On Tue, Jul 29, 2008 at 12:03 PM, Joe DeSouza [EMAIL PROTECTED] wrote: ** Sivarama, I think you have a slight shroud of your understanding of how the LDAP integration works. No you do not need to import any passwords from LDAP to the ARS. The password is not communicated by the LDAP server to the AR Server, rather the response after validation is.. This means that when a user that has a blank password logs into an AR Server that is setup for LDAP authentication, the request for authentication is sent from the ARS to the LDAP server, and if the LDAP server validates the credentials to be valid, the user gets authenticated to Remedy. IF the password for the user is not blank in Remedy, then there is no request for authentication sent to the LDAP server, and the authentication happens locally.. Hope this helps.. Joe - Original Message From: sivarama velicheti [EMAIL PROTECTED] To: arslist@ARSLIST.ORG Sent: Tuesday, July 29, 2008 2:50:04 PM Subject: Re: Authentication from LDAP ** Hi Lisa, In the external authentication TAB are both the options i) authenticate - unregistered users and ii) Cross refernce blank password selected? I have external authentication plugin server program number as : 390695. One more thing in the configuration TAB what are the check boxes selected. I have enabled just i) allow unqualified searches and ii) enable multiple assign groups. Thanks Sivarama On Tue, Jul 29, 2008 at 11:11 AM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** In our current implementation we are also multi-tenant, and we do not store passwords in ARS. We are authenticating externally, and our authentication chaining mode is ARS-Area. Hope that helps. From:Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of sivarama velicheti Sent: Tuesday, July 29, 2008 12:02 PM To: arslist@ARSLIST.ORG Subject: Authentication from LDAP ** Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ TuringSMIis a Platinum Sponsor of both BMC UserWorld Events Email Disclaimer This email has been sent from the TuringSMI Group This message is subject to and does not create or vary any contractual relationship between TuringSMI, SMI Technologies, SMI Telco, its subsidiaries or affiliates and you. Internet communications are not secure and therefore the TuringSMI Group does not accept any legal responsibility for the contents of this message. Any views or opinions expressed
Re: Authentication from LDAP
Thanks guys, I got the issue resolved. It turned out to be a trivial issue after all. The LDAP manager in our company has entered the wrong password which was causing the problem. Thanks for your support and your inputs are really appreciated. Thanks Sivarama On Tue, Jul 29, 2008 at 5:51 PM, Joe DeSouza [EMAIL PROTECTED] wrote: ** The password field is masked so the fact that you can see the ***'s do not mean anything. So if you are sure you haven't set any value either by directly mapping the password field to a column in the import file or through workflow, you could safely assume that all your passwords are null. Technically only your Demo (administrator user) user should have its password stored in the AR System if you have not created an ldap account for Demo. Its usually a good idea to keep this password in the AR System and not ldap though just in case there is an outage on the ldap server, as you will still be able to use the AR System by disabling the ldap integration - it would be a sort of a security risk as uses will have a blank password but thats another issue.. You could probably device some workflow to issue temp passwords during such an event and email them to the users, and restore them to null when you want to start using the ldap integration again.. Joe - Original Message From: sivarama velicheti [EMAIL PROTECTED] To: arslist@ARSLIST.ORG Sent: Tuesday, July 29, 2008 3:18:16 PM Subject: Re: Authentication from LDAP ** Hi Joe, Hi Joe let me confirm something from you. When you say that a user who has a blank password I assume that the users password is not stored in AR Server people form or user form. Only his login name is. When he enters his user name and password to login to the user tool or midtier the password he enters gets authenticated with the LDAP and he gets access. If that is the case when I am importing data to the people form in the login tab I can see x in the password field which beats be because I am not importing any password and hence it should show blank instead of x. Do I need to change any settings in password management form?? Thanks Sivarama On Tue, Jul 29, 2008 at 12:03 PM, Joe DeSouza [EMAIL PROTECTED]wrote: ** Sivarama, I think you have a slight shroud of your understanding of how the LDAP integration works. No you do not need to import any passwords from LDAP to the ARS. The password is not communicated by the LDAP server to the AR Server, rather the response after validation is.. This means that when a user that has a blank password logs into an AR Server that is setup for LDAP authentication, the request for authentication is sent from the ARS to the LDAP server, and if the LDAP server validates the credentials to be valid, the user gets authenticated to Remedy. IF the password for the user is not blank in Remedy, then there is no request for authentication sent to the LDAP server, and the authentication happens locally.. Hope this helps.. Joe - Original Message From: sivarama velicheti [EMAIL PROTECTED] To: arslist@ARSLIST.ORG Sent: Tuesday, July 29, 2008 2:50:04 PM Subject: Re: Authentication from LDAP ** Hi Lisa, In the external authentication TAB are both the options i) authenticate - unregistered users and ii) Cross refernce blank password selected? I have external authentication plugin server program number as : 390695. One more thing in the configuration TAB what are the check boxes selected. I have enabled just i) allow unqualified searches and ii) enable multiple assign groups. Thanks Sivarama On Tue, Jul 29, 2008 at 11:11 AM, Lisa Westerfield [EMAIL PROTECTED] wrote: ** In our current implementation we are also multi-tenant, and we do not store passwords in ARS. We are authenticating externally, and our authentication chaining mode is ARS-Area. Hope that helps. *From:* Action Request System discussion list(ARSList) [mailto: [EMAIL PROTECTED] *On Behalf Of *sivarama velicheti *Sent:* Tuesday, July 29, 2008 12:02 PM *To:* arslist@ARSLIST.ORG *Subject:* Authentication from LDAP ** Hi, I have a question regarding LDAP pertaining to AR Server 7.1. I have read in the guides somewhere that unless both the user name and password are stored in the local AR Server, the users are not considered registered users. In Multi-tenancy guest users are not allowed (and we have multi-tenancy turned on). I want to know what are my options. Do I have to import the password as well. I don't think its doable because LDAP would be encrypting them and even if I do import them AR Server needs to know how to decrypt them. Is my analogy of the situation right? if so what can I do. If not please correct me. -- Sivarama __Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are html___ http://www.bmc.com/userworld/ TuringSMI is a Platinum Sponsor of both BMC
