Hybrid User Management with Multiple User Repositories

When one or more LDAP servers are configured, users defined in UCMDB itself can still authenticate. This lets you perform hybrid user management across multiple user repositories.

Important Make sure the UCMDB server's connection to the LDAP server(s) is up and running while the upgrade runs.

Tip If UCMDB cannot connect to the LDAP server during the upgrade, every user is assigned UCMDB as its user repository. Because UCMDB has the highest priority by default, LDAP users will then be unable to authenticate unless they specify the repository explicitly (as the domain part of an email address or as a Windows domain prefix).

If the upgrader fails to assign the proper user repository, you can delete the users that carry the external flag; they are recreated automatically on their next successful authentication. The side effect is that those users lose their preferences and assigned role mappings.

You can delete the users either in the UCMDB UI or by executing the following SQL statement on the database. Back up the database first, and preview the affected rows with a SELECT using the same WHERE clause: the statement removes every externally-sourced user record, not only those that were given the wrong repository.

DELETE from URM_RESOURCES where TYPE like 'Auth_USER' AND TEXT_DATA like '%isExternal="true"%'

Note For information about how to configure LDAP authentication settings, see How to Define LDAP Servers and Enable LDAP Authentication Method.

In the UCMDB UI, when a user is created, it always belongs to the UCMDB repository.

When you configure an LDAP server, hybrid user management is enabled.

How the hybrid user management authentication mechanism works

Starting with version 10.32, you can specify the user repository as the domain part of an email address (user@repository) or as the domain of a Windows domain user (repository\user).

Here is how the enhanced hybrid user management authentication mechanism works in different scenarios:

  1. No repository is specified: The user is taken from the highest-priority repository that contains a user with that name.

    So if you have two user repositories, UCMDB (the highest priority) and mydomain.com, and a user test exists in both, then when you log in with the username test the authentication mechanism will always choose UCMDB.

    If a user test2 exists only in mydomain.com, logging in as test2 selects mydomain.com, because UCMDB does not have this user.

    If a user test3 exists in both repositories but you have changed the priority so that mydomain.com is the highest, the authentication mechanism will always choose mydomain.com.

    Note To change the priority of a repository, see How to change the priority of a repository using JMX.

  2. The repository is specified as an email address or a Windows domain user:

    1. Valid user repository: If the email address or domain user string passes input validation, the username and the repository are extracted from it.

      1. The repository is a configured user repository: A user ID (username + repository) is formed from the extracted parts, and the authentication mechanism uses that user ID for all subsequent calls. Repository matching is case insensitive, and the full repository name does not have to be given; an ending part of it is enough (see the example below).
      2. The repository is not a configured user repository: The entire email address or domain string is used as the username, and the user is then looked up as in case 1.

    2. Invalid user repository: The UCMDB UI validates the input with ESAPI and rejects strings that fail validation, so no repository is selected.

Example:

The following user repositories are configured:

  • UCMDB - priority 1
  • sub1.mydomain.com - priority 2
  • sub2.mydomain.com - priority 3

We have the following users:

  • UCMDB: user1, user2
  • sub1.mydomain.com: user1
  • sub2.mydomain.com: user2, user3@gmail.com

Here is how the hybrid user management authentication mechanism maps the users to repositories (the case from the list above is given in parentheses):

  user → repository (case)
  • user1 → UCMDB (1)
  • user1@UcMdb → UCMDB (2.a.i)
  • ucmdb\user1 → UCMDB (2.a.i)
  • user1@sub1.mydomain.com → sub1.mydomain.com (2.a.i)
  • user1@mydomain.com → sub1.mydomain.com (2.a.i)
  • mydomain.com\user2 → sub1.mydomain.com (2.a.i) *** the highest-priority repository whose name ends with mydomain.com is selected, even though user2 is defined only in UCMDB and sub2.mydomain.com; the repository is chosen from the domain hint, not from where the user exists
  • user3@gmail.com → sub2.mydomain.com (2.a.ii) *** gmail.com is not a configured repository, so the whole string is the username, and it is found in sub2.mydomain.com
  • user@sf4^$5 → no repository (ESAPI error)

LW-SSO, CAC, URL authentication, and WSDL authentication

All of these mechanisms resolve the user repository in the same way as the UI login:

  • LW-SSO: The username carried in the cookie can specify the user repository, for example ucmdB\ldap3u1
  • CAC: The certificate field configured to supply the username can contain the repository, for example ldap3u1@mydomain.com
  • URL authentication: The userName parameter can specify the repository, as in the following URL (note that credentials passed in a query string are recorded in browser history and in proxy and web server logs):

    https://<username>.<domain>:8443/ucmdb-ui/cms/directAppletLogin.action?&userName=sub1.mydomain.com\ldap2u1&password=hXSMV66FyPjNFVAC8wH2sA==

  • WSDL authentication: You can also authenticate to the WSDL with hybrid user management. To do so, compose the user ID of the name, followed by ###, followed by the repository (in the format <username>###<repository>), for example admin###UCMDB.

    When authenticating against UCMDBManagementService, the user ID must be sysadmin, with no repository specified.

How to change the priority of a user repository using JMX

In hybrid user management you have multiple user repositories, and each has a priority value. The authentication mechanism always selects the repository with the highest priority first (the lowest numeric value; see step 5 below). You can invoke the JMX method getUserRepositories to check the priority values of your existing user repositories.

Therefore, when performing hybrid user management with multiple user repositories, you may want to change the priority of an existing user repository to make sure the authentication mechanism will select that repository first.

To do so,

  1. On the UCMDB server, open a web browser and go to the following address: https://localhost:8443/jmx-console

    You may have to log in with a user name (default: sysadmin) and password.

  2. Locate UCMDB:service=LDAP Services and click the link to jump to the Operations table.

  3. Locate the getUserRepositories operation, and click Invoke to get the priority values for the existing user repositories.

  4. Go back to the UCMDB:service=LDAP Services Operations table, and locate the changeUCMDBUserRepositoryPriority operation.

  5. In the Value field for the user repository of your choice, specify a value between 1 and 10 (1 is the highest priority, 10 the lowest).
  6. Click Invoke.

  7. Restart the UCMDB server.

Note The only exception is a server administrator. sysadmin and UISysadmin are always looked up in the UCMDB user repository first, regardless of its priority. This is designed to avoid locking the administrator out of the system if, for example, LDAP is misconfigured and has been given a higher priority than UCMDB.

If there is a sysadmin user in UCMDB and a sysadmin user in the repository mydomain.com, the authentication mechanism always tries the UCMDB user repository first, except when you set the repository explicitly (for example, by logging in with the username sysadmin@mydomain.com).
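The following script models the resolution rules described in this article (case 1, cases 2.a.i and 2.a.ii, the ESAPI rejection in case 2.b, and the server administrator exception above) and reproduces the mapping table from the example section. It is an added example, not UCMDB code: the repositories, priorities and users are constructed sample data mirroring the example, and the input-validation regular expression is an assumption standing in for the ESAPI rule, which the article does not publish.

```python
"""Resolve a UCMDB hybrid-user login string to (username, repository).

Added example modelled on the rules in this article; it is not UCMDB code.
The repositories, priorities and users below are constructed sample data
that mirror the article's example.
"""
import re

# Repository name -> priority; 1 is the highest priority.
REPOSITORIES = {"UCMDB": 1, "sub1.mydomain.com": 2, "sub2.mydomain.com": 3}

# Users defined in each repository (constructed sample data).
USERS = {
    "UCMDB": {"user1", "user2"},
    "sub1.mydomain.com": {"user1"},
    "sub2.mydomain.com": {"user2", "user3@gmail.com"},
}

# Server administrators are always tried against UCMDB first.
SERVER_ADMINS = {"sysadmin", "UISysadmin"}

# Stand-in for the ESAPI input validation done by the UI. The real rule is not
# published in the article; this assumption accepts 'user', 'user@repository'
# and 'repository\user' built from letters, digits, '_', '.' and '-'.
_LOGIN_RE = re.compile(r"^(?:[\w.-]+\\)?[\w.-]+(?:@[\w.-]+)?$")


class InvalidLogin(ValueError):
    """The login string failed input validation (the article's 'ESAPI error')."""


def is_valid_login(login):
    """True when the login string passes the (stand-in) input validation."""
    return _LOGIN_RE.match(login) is not None


def split_login(login):
    """Return (username, repository_hint); the hint is None when none was given."""
    if not is_valid_login(login):
        raise InvalidLogin(login)
    if "\\" in login:                       # Windows form: repository\user
        hint, _, user = login.partition("\\")
        return user, hint
    if "@" in login:                        # e-mail form: user@repository
        user, _, hint = login.rpartition("@")
        return user, hint
    return login, None


def match_repository(hint, repositories):
    """Case-insensitive match of the hint against the *ending* of each
    configured repository name; among several matches (for example
    'mydomain.com' matches both sub-domains) the highest priority wins."""
    for repo in sorted(repositories, key=repositories.__getitem__):
        if repo.lower().endswith(hint.lower()):
            return repo
    return None


def resolve(login, repositories=REPOSITORIES, users=USERS):
    """Map a login string to (username, repository) following the article's
    cases; raises InvalidLogin for malformed input and LookupError when no
    repository contains the user."""
    user, hint = split_login(login)
    if hint is not None:
        repo = match_repository(hint, repositories)
        if repo is not None:
            # Case 2.a.i: the repository comes from the hint alone, even when the
            # user is not defined there (mydomain.com\user2 -> sub1.mydomain.com).
            return user, repo
        # Case 2.a.ii: not a configured repository, so the whole string is the
        # username and the lookup continues as in case 1.
        user = login
    # Case 1: search the repositories in priority order ...
    order = sorted(repositories, key=repositories.__getitem__)
    # ... except that server administrators try UCMDB first whatever its
    # priority, so a misconfigured LDAP repository cannot lock them out.
    if user in SERVER_ADMINS and "UCMDB" in order:
        order.remove("UCMDB")
        order.insert(0, "UCMDB")
    for repo in order:
        if user in users.get(repo, ()):
            return user, repo
    raise LookupError(f"no repository contains user {user!r}")


if __name__ == "__main__":
    # The article's mapping table, reproduced by the resolver.
    for login in ["user1", "user1@UcMdb", "ucmdb\\user1", "user1@sub1.mydomain.com",
                  "user1@mydomain.com", "mydomain.com\\user2", "user3@gmail.com",
                  "user@sf4^$5"]:
        try:
            print(f"{login} -> {resolve(login)[1]}")
        except InvalidLogin:
            print(f"{login} -> no repository (input validation error)")
```

Passing a different repository table to resolve lets you check the priority-swap scenario from the JMX section: with mydomain.com at priority 1 and UCMDB at priority 2, a plain sysadmin login still goes to UCMDB, an ordinary user goes to mydomain.com, and sysadmin@mydomain.com goes to mydomain.com because the repository was set explicitly.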

Related Topics

Troubleshooting Hybrid User Management - LDAP authentication