1 reply. Latest reply: Nov 21, 2012 8:48 AM by OldGuy

    OVDAuthenticator

    OldGuy
      We have installed IDM/OAM Suite 11.1.1.6 on a RHEL 5.6 server. Our protected resource is a Sparc10 workstation using OpenLDAP and Apache 2.2. Everything works "fine"... we can access the protected resource through the appropriate logins and x509 where set up...

      The issue is that the customer has 57,000 users in their OpenLDAP repository, and when we log into their resource the managed server logfile (where the resource is deployed) dumps the full DN of every user in the system... TWICE....

      OVDAuthenticator is defined for the following: (the host, port, and principal are correct so they will not be included)

      User Base DN: cn=users,<domain>
      All User Filter: (&(uid=*)(objectclass=inetOrgPerson))
      User from Name Filter: (&(uid=%u)(objectclass=inetOrgPerson))
      User Name Attribute: uid
      User Objectclass: inetOrgPerson

      Group Base DN: ou=groups,<domain>
      All Groups Filter: (&cn=*)(objectclass=groupofnames))
      Group from Name Filter: (&cn=*)(objectclass=groupofnames))

      Static Group Name Attr: cn
      Static Group ObjectClass: groupofnames
      Static Member DN Attr: member
      Static Group DN from Member DN Filter: (&(member=%M)(objectclass=groupofnames))

      Dynamic Group Name Attr: cn
      Dynamic Group objectclass: groupofnames
      Dynamic member URL Attr: member


      As we looked through the logfile, we noticed the following:

      user not found in getCachedIdentity(testuser)
      getDNForUser search("cn=users,<domain>")
      DN for user testuser
      user exists
      LDAP Atn Asserted Identity: testuser belongs to
      DN for user testuser
      search("ou=groups,<domain>", (&(member=cn=testuser,cn=users,<domain>)(objectclass=groupofnames)), base DN & below
      Result has more elements: true
      search("ou=groups,<domain>", (objectclass=groupofnames)", base DN & below
      advance dyn group entity=LDAPEntry: cn=myUsers,ou=groups,<domain>; LDAPAttributeSet: LDAPAttribute {type='member', values='cn=Manager,<domain>,cn=<all the other users>...'}


      Even though testuser is found in the repository, the "advance dyn group entity" statement will then retrieve every user in the system twice.

      Does anyone have any idea why this might be happening? Just need some guidance....
        • 1. Re: OVDAuthenticator
          OldGuy
          Is there any way of adding a parameter to the OVD Authenticator search? For example, when we execute the ldapsearch with no parameter we get all the members listed in the client's LDAP returned to the logfile, but if we include "dn" or "cn" at the end of the search command, only the group we want returns.

          Returns all the users that are in the group:
          ldapsearch -h localhost -p 6051 -D "cn=orcladmin" -w <pwd> -s sub -b "ou=groups,<domain>" "(&(member=cn=testuser,cn=users,<domain>)(objectclass=groupofnames))"

          Returns only the group DN:
          ldapsearch -h localhost -p 6051 -D "cn=orcladmin" -w <pwd> -s sub -b "ou=groups,<domain>" "(&(member=cn=testuser,cn=users,<domain>)(objectclass=groupofnames))" dn


          The Static Group DN from Member DN Filter is:
          (&(member=%M)(objectclass=groupofnames))

          Any way of adding "dn" as a parameter to this search criteria?

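The following is an added example, not code from this thread and not Oracle's OVD or WebLogic authenticator code: a stdlib-only Python model of the three searches that appear in the trace above (getDNForUser, the static "group DN from member DN" lookup, and the "advance dyn group" scan of every group entry), run against a constructed in-memory directory under the made-up suffix dc=example,dc=com. It separates the two knobs the ldapsearch comparison in the reply is really about: the filter selects which entries come back, while the attributes returned are a separate field of the LDAP SearchRequest (the attribute list ldapsearch takes after the filter; "1.1" is the RFC 4511 spelling for "return no attributes"). With no attribute list, both the static lookup and the dynamic scan return the complete member attribute of each matching groupOfNames entry, which is how a trace that prints whole entries ends up with every user DN twice. The filter parser and directory are toys written for this example; the escaping applied to the %u/%M substitutions follows RFC 4515 and is added here as a check the thread does not mention.

```python
"""Model of the authenticator's user and group searches (example only, not
Oracle code) against a constructed in-memory directory."""
from typing import Dict, List, Optional, Tuple

Directory = Dict[str, Dict[str, List[str]]]
Hit = Tuple[str, Dict[str, List[str]]]

USER_BASE = "cn=users,dc=example,dc=com"     # assumed suffix, not the poster's
GROUP_BASE = "ou=groups,dc=example,dc=com"
USER_FROM_NAME = "(&(uid=%u)(objectclass=inetOrgPerson))"
STATIC_GROUP_FROM_MEMBER = "(&(member=%M)(objectclass=groupofnames))"
ALL_GROUPS = "(objectclass=groupofnames)"


def build_directory(n_users: int = 50) -> Directory:
    """Constructed sample data: n_users plain users plus testuser, and two
    groupOfNames entries. Attribute names are stored lower-cased."""
    d: Directory = {}
    users = []
    for i in range(n_users):
        dn = f"cn=user{i},{USER_BASE}"
        d[dn] = {"objectclass": ["inetOrgPerson"], "uid": [f"user{i}"]}
        users.append(dn)
    testuser = f"cn=testuser,{USER_BASE}"
    d[testuser] = {"objectclass": ["inetOrgPerson"], "uid": ["testuser"]}
    d[f"cn=myUsers,{GROUP_BASE}"] = {"objectclass": ["groupOfNames"], "cn": ["myUsers"],
                                     "member": ["cn=Manager,dc=example,dc=com", testuser] + users}
    d[f"cn=admins,{GROUP_BASE}"] = {"objectclass": ["groupOfNames"], "cn": ["admins"],
                                    "member": ["cn=Manager,dc=example,dc=com"]}
    return d


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for values substituted into %u / %M, so a username
    such as '*' cannot turn an equality match into a presence match."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def parse_filter(text: str):
    """Minimal RFC 4515 parser: &, |, ! plus equality and presence assertions."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos] if pos < len(text) else ""
        if op and op in "&|!":
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(node())
            if not kids or pos >= len(text) or text[pos] != ")":
                raise ValueError(f"unbalanced filter at offset {pos}")
            pos += 1
            return (op, kids)
        end = text.find(")", pos)
        if end < 0 or "=" not in text[pos:end]:
            raise ValueError(f"bad assertion at offset {pos}")
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(entry: Dict[str, List[str]], tree) -> bool:
    op = tree[0]
    if op == "&":
        return all(matches(entry, k) for k in tree[1])
    if op == "|":
        return any(matches(entry, k) for k in tree[1])
    if op == "!":
        return not matches(entry, tree[1][0])
    _, attr, value = tree
    have = [v.lower() for v in entry.get(attr, [])]   # case-insensitive match
    return bool(have) if value == "*" else value.lower() in have


def search(directory: Directory, base: str, filt: str,
           attributes: Optional[List[str]] = None) -> List[Hit]:
    """Subtree search. `attributes` mirrors the SearchRequest attribute list:
    None = all user attributes (what a trace printing whole entries dumps),
    ["1.1"] = no attributes, DN only (RFC 4511 section 4.5.1)."""
    tree = parse_filter(filt)
    base_l = base.lower()
    hits: List[Hit] = []
    for dn, entry in directory.items():
        if dn.lower() != base_l and not dn.lower().endswith("," + base_l):
            continue
        if not matches(entry, tree):
            continue
        if attributes is None:
            attrs = {k: list(v) for k, v in entry.items()}
        elif attributes == ["1.1"]:
            attrs = {}
        else:
            wanted = {a.lower() for a in attributes}
            attrs = {k: list(v) for k, v in entry.items() if k in wanted}
        hits.append((dn, attrs))
    return hits


def dn_for_user(directory: Directory, username: str) -> Optional[str]:
    """getDNForUser: User From Name Filter with %u substituted; DN only."""
    filt = USER_FROM_NAME.replace("%u", escape_filter_value(username))
    hits = search(directory, USER_BASE, filt, ["1.1"])
    return hits[0][0] if hits else None


def static_groups_of(directory: Directory, user_dn: str,
                     attributes: Optional[List[str]] = None) -> List[Hit]:
    """Static Group DN from Member DN Filter with %M substituted."""
    filt = STATIC_GROUP_FROM_MEMBER.replace("%M", escape_filter_value(user_dn))
    return search(directory, GROUP_BASE, filt, attributes)


def dynamic_group_scan(directory: Directory,
                       attributes: Optional[List[str]] = None) -> List[Hit]:
    """The 'advance dyn group entity' step: every entry of the dynamic group
    objectclass, with whatever attributes the request asked for."""
    return search(directory, GROUP_BASE, ALL_GROUPS, attributes)


def member_values(hits: List[Hit]) -> int:
    """Number of member DNs returned (and logged by a trace that prints entries)."""
    return sum(len(attrs.get("member", [])) for _, attrs in hits)


if __name__ == "__main__":
    d = build_directory(50)
    user_dn = dn_for_user(d, "testuser")
    for label, attrs in (("all attributes", None), ("DN only (1.1)", ["1.1"])):
        s, g = static_groups_of(d, user_dn, attrs), dynamic_group_scan(d, attrs)
        print(f"{label}: static lookup -> {len(s)} group(s), {member_values(s)} member DNs; "
              f"dynamic scan -> {len(g)} group(s), {member_values(g)} member DNs")
```

With fifty constructed users the static lookup returns one group carrying 52 member DNs and the dynamic scan returns two groups carrying 53, so a trace printing whole entries writes every user DN twice; with the attribute list set to 1.1 both searches return the same group DNs and no member values. The attribute list is what the second ldapsearch in the reply changes; it is not part of the filter string, which is why appending dn inside the filter itself would not parse.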