Searching the Help
To search for information in the Help, type a word or phrase in the Search box. When you enter a group of words, OR is inferred. You can use Boolean operators to refine your search.
Results returned are case insensitive. However, results ranking takes case into account and assigns higher scores to case matches. Therefore, a search for "cats" followed by a search for "Cats" would return the same number of Help topics, but the order in which the topics are listed would be different.
Words and Phrases
| Search for | Example | Results |
|---|---|---|
| A single word | cat
|
Topics that contain the word "cat". You will also find its grammatical variations, such as "cats". |
|
A phrase. You can specify that the search results contain a specific phrase. |
"cat food" (quotation marks) |
Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase. |
Using Boolean Operators
| Search for | Operator | Example |
|---|---|---|
|
Two or more words in the same topic |
|
|
| Either word in a topic |
|
|
| Topics that do not contain a specific word or phrase |
|
|
| Topics that contain one string and do not contain another | ^ (caret) |
cat ^ mouse
|
| A combination of search types | ( ) parentheses |
|
- Universal CMDB Login Authentication
- Setting Up an Authentication Method
- Enabling Login to Universal CMDB with LW-SSO
- Enabling Login to Universal CMDB with SAML
- Setting a Secure Connection with the SSL (Secure Sockets Layer) Protocol
- Using the JMX Console to Test LDAP Connections
- How to Enable HTTP Communication for Universal CMDB
- Hybrid User Management with Multiple User Repositories
- How to Define LDAP Servers and Enable LDAP Authentication Method
- LDAP Authentication Settings - Example
- Example: How to Configure LDAP for Sun ONE Directory Server in UCMDB Server
- Example: How to Configure Dynamic LDAP Groups
- Retrieving Current LW-SSO Configuration in Distributed Environment
- User Lockout Mechanism
Hybrid User Management with Multiple User Repositories
When you have LDAP server(s) configured, you can also authenticate with UCMDB users. This allows you to perform hybrid user management with multiple user repositories.
Important Make sure you have the UCMDB server connection to LDAP server(s) up and running when the upgrade is running.
Tip If the UCMDB can not connect to the LDAP server during the upgrade, all the users will have UCMDB as user repository. By default UCMDB has the highest priority, so the LDAP users will not be able to authenticate if they do not specify the repository (like email address or Windows domain name).
In case the upgrader fails to fill the proper user repository, you can delete the users with external flag. Those users will be recreated anyway during authentication. The side effect is that those users will lose their preferences and assigned role mappings.
You can delete the users either via the UCMDB UI or by executing the following SQL statement on the database:
DELETE from URM_RESOURCES where TYPE like 'Auth_USER' AND TEXT_DATA like '%isExternal="true"%'
Note For information about how to configure LDAP authentication settings, see How to Define LDAP Servers and Enable LDAP Authentication Method.
On UCMDB UI, when an user is created, it will always be from the UCMDB repository.
When you configure an LDAP server, hybrid user management is enabled.
How the hybrid user management authentication mechanism works
Starting with 10.32, you can specify the user repository as the domain part of an email address or a Windows domain user.
Here is how the enhanced hybrid user management authentication mechanism works in different scenarios:
-
No repository is specified: It selects the user from the repository with the highest priority that contains a user with that name.
So if you have two user repositories UCMDB (the highest priority) and mydomain.com, and you have a user test in both repositories, then when you try to log in with the username test, the authentication mechanism will always choose UCMDB (highest priority).
If you have user test2 only in mydomain.com, and you try to log in, it will choose mydomain.com because UCMDB does not have this user.
If you have user test3 in both user repositories, but you changed the priority of mydomain.com to the highest, then the authentication mechanism will always choose mydomain.com during the authentication process.
Note To change the priority of a repository, see How to change the priority of a repository using JMX.
-
The repository is specified as an email address or Windows domain user:
-
Valid user repository: If the email/domain user are valid, it extracts the user and repository from them.
- The repository is a configured user repository: In this case it means a valid user ID (username + repository) exists. The authentication mechanism will use the user ID extracted for all the calls. User repository matching is case insensitive. The full domain does not have to be specified, only an ending part of it (see in example).
-
The repository is not a configured user repository: In this case the username is used as the full email/domain address.
-
Invalid user repository: The UCMDB UI validates the input using the ESAPI.
-
Example:
The following user repositories are configured:
- UCMDB - priority 1
- sub1.mydomain.com - priority 2
- sub2.mydomain.com - priority 3
We have the following users:
- UCMDB: user1, user2
- sub1.mydomain.com: user1
- sub2.mydomain.com: user2, user3@gmail.com
Here is how the hybrid user management authentication mechanism maps the users to repositories:
- user → repository (case from above)
- user1 → UCMDB (1)
- user1@UcMdb → UCMDB (2.a.i)
- ucmdb\user1 → UCMDB (2.a.i)
- user1@sub1.mydomain.com → sub1.mydomain.com (2.a.i)
- user1@mydomain.com → sub1.mydomain.com (2.a.i)
- mydomain.com\user2 → sub1.mydomain.com (2.a.i) *** (even if the user does not exist on this host, the highest priority user repository ending with mydomain.com is selected)
- user3@gmail.com → sub2.mydomain.com (2.a.ii)
- user@sf4^$5 → no repository (ESAPI error)
LW-SSO, CAC, URL authentication, and WSDL authentication
All these mechanisms work as the UI login:
- LW-SSO: The cookie can specify user repository in the username: ucmdB\ldap3u1
- CAC: The certificate can contain in the field that specified the name: ldap3u1@mydomain.com
-
URL authentication: The username can specify the repository like the following:
https://<username>.<domain>:8443/ucmdb-ui/cms/directAppletLogin.action?&userName=sub1.mydomain.com\ldap2u1&password=hXSMV66FyPjNFVAC8wH2sA==
-
WSDL authentication: You can also authenticate on WSDL using hybrid user management. To do this, the user’s ID must be composed of name, followed by ### and repository (in the format of <username>###<repository>). For example, admin###UCMDB.
When you authenticate on UCMDBManagementService, the user’s ID must be sysadmin, and no repository should be specified.
How to change the priority of a user repository using JMX
In hybrid user management you have multiple user repositories, each user repository has a priority value. When a user repository has the highest priority value, the authentication mechanism will always select that user repository first. You can invoke the JMX method getUserRepositories to check the priority values for your existing user repositories.
Therefore, when performing hybrid user management with multiple user repositories, you may want to change the priority of an existing user repository to make sure the authentication mechanism will select that repository first.
To do so,
-
On the UCMDB server, launch the Web browser and enter the following address: https://localhost:
You may have to log in with a user name (default: sysadmin) and password.
-
Locate UCMDB:service=LDAP Services and click the link to jump to the Operations table.
-
Locate the getUserRepositories operation, and click Invoke to get the priority values for the existing user repositories.
-
Go back to the UCMDB:service=LDAP Services Operations table, and locate the changeUCMDBUserRepositoryPriority operation.
- In the Value field for the user repository of your choice, specify a value between 1 and 10 (1 highest, 10 lowest).
-
Click Invoke.
-
Restart the UCMDB server.
Note The only exception is when the user is a server administrator. sysadmin and UISysadmin will always go first on the UCMDB user repository regardless of its priority. This is designed to avoid locking the user out of the system in case say, LDAP is not properly configured and it is set with a higher priority than UCMDB.
If you have a sysadmin user in UCMDB and a sysadmin user in repository mydomain.com, the authentication mechanism will always go on the UCMDB user repository first. Except the case that you implicitly set the repository (logging in with username: sysadmin@mydomain.com).
Related Topics
Troubleshooting Hybrid User Management - LDAP authentication
We welcome your comments!
To open the configured email client on this computer, open an email window.
Otherwise, copy the information below to a web mail client, and send this email to cms-doc@microfocus.com.
Help Topic ID:
Product:
Topic Title:
Feedback: