LDAP Server Advanced Domain Settings
Users can log into the Identity Manager and Gateway Administrator using just a user ID (for example joe) or using a domain name and user ID (acme\joe). By default, when a user logs in using just a user ID, Reflection Gateway searches all available LDAP servers for a matching user and authenticates the first matching user it finds; it does not search additional LDAP servers if that fails. When no domain name is included, a user ID for a different domain could match and allow login if the passwords for both accounts are the same.
You can use Advanced domain settings on the New/Edit LDAP Server page to customize how Reflection Gateway manages user authentication to your LDAP server(s). The examples below show how login is handled for some possible configurations.
Note
Advanced domain settings apply to password authentication only; X.509 certificate authentication always requires user mapping that specifies both a domain and username.
These examples use acme as a sample Active Directory domain. For these examples, acme is a domain that requires a valid authentication domain name. It accepts both acme and acme.com as the authentication domain name.
Example 1
Domain Name = anyName; Domain Mapping = anyAlias; Remove User Domain = No; Default Authentication Domain = none.
- Login as validUser: Authentication fails because there is no authentication domain name, and this is required by the acme domain.
- Login as anyName\validUser or anyAlias\validUser: Authentication fails because anyName and anyAlias are not valid authentication domain names.
- Login as acme\validUser or acme.com\validUser: Authentication succeeds because acme and acme.com are valid authentication domain names.
Example 2
Domain Name = anyName; Domain Mapping = anyAlias; Remove User Domain = No; Default Authentication Domain = none.
- Login as validUser: Authentication succeeds because Reflection Gateway adds the value specified for Default Authentication Domain (acme) before authenticating.
- Login as anyName\validUser or anyAlias\validUser: Authentication fails because anyName and anyAlias are not valid authentication domain names.
- Login as acme\validUser or acme.com\validUser: Authentication succeeds because acme and acme.com are valid authentication domain names.
Example 3
Domain Name = anyName; Domain Mapping = anyAlias; Remove User Domain = Yes; Default Authentication Domain = none.
The following results are based on the sample acme domain, which requires a valid domain name for authentication:
- Login as validUser: Authentication fails because there is no authentication domain name, and this is required by the acme domain.
- Login as anyName\validUser: Authentication fails. Although acme is the valid authentication domain name, it is removed before Reflection Gateway attempts authentication.
- Login as acme\validUser or acme.com\validUser: Authentication fails because authentication is attempted with no authentication domain name.
If your Active Directory domain does not require an authentication domain, the login attempts above will succeed because each of them presents a valid user ID to the domain. In this case, using anyAlias\validUser improves performance because the Domain Mapping directs Reflection Gateway to authenticate against this specific LDAP server instead of searching all of them. Although anyAlias is not the actual domain authentication name, authentication succeeds because the domain name is removed before Reflection Gateway attempts authentication.
Example 4
This example shows a configuration for handling a merger that brings users from the summit domain into the acme domain. It enables summit users to log in without modifying their familiar credentials.
Domain Name = anyName; Domain Mapping = anyAlias; Remove User Domain = No; Default Authentication Domain = none.
- Login as validUser: Authentication succeeds because Reflection Gateway uses the value specified for Default Authentication Domain (acme).
- Login as acme\validUser or summit\validUser: Authentication succeeds because the entered domain, acme or summit, is removed and the default acme is used.
- Login as anything\validUser: Authentication succeeds. The user provides a domain for which no mappings exist. In this case Reflection Gateway tries all configured LDAP servers and applies the directory-specific domain rules for each one. Authentication to the acme domain succeeds because the entered domain anything is removed and replaced by acme.
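The following model of the login resolution described in the examples above is an added illustration, not Reflection Gateway code: the Directory class is a constructed stand-in for the acme domain (names it accepts, whether it requires a domain, which user IDs exist), and the server-selection rule (a domain matching a Domain Name or Domain Mapping is sent only to that server, anything else is tried against every server in order) is taken from Examples 3 and 4. Running the Example 1 and Example 3 settings through it reproduces each bullet, and trying a bare user ID against two servers shows the first-match behaviour the introduction warns about.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Directory:
    """Constructed stand-in for an AD domain such as acme (no real LDAP bind)."""
    accepted_domains: frozenset  # domain names the directory accepts, e.g. acme, acme.com
    requires_domain: bool        # True: a bare user ID with no domain is rejected
    users: frozenset             # user IDs that exist in this directory

@dataclass(frozen=True)
class LdapServer:
    """One New/Edit LDAP Server entry with its advanced domain settings."""
    domain_name: str                    # Domain Name
    domain_mapping: str                 # Domain Mapping alias
    remove_user_domain: bool            # Remove User Domain
    default_auth_domain: Optional[str]  # Default Authentication Domain (None = none)
    directory: Directory

def split_login(login: str):
    """'acme\\joe' -> ('acme', 'joe'); 'joe' -> (None, 'joe')."""
    domain, sep, user = login.partition("\\")
    return (domain, user) if sep else (None, domain)

def try_server(login: str, server: LdapServer) -> bool:
    """Apply this server's domain settings, then ask the directory stub."""
    entered_domain, user = split_login(login)
    auth_domain = None if server.remove_user_domain else entered_domain
    if auth_domain is None:
        auth_domain = server.default_auth_domain  # may still be None
    d = server.directory
    if user not in d.users:
        return False
    if auth_domain is None:
        return not d.requires_domain
    return auth_domain in d.accepted_domains

def authenticate(login: str, servers: List[LdapServer]) -> Optional[str]:
    """Domain Name of the first server that accepts the login, else None.
    A mapped domain goes only to its server; otherwise all servers are tried."""
    entered_domain, _ = split_login(login)
    targeted = [s for s in servers if entered_domain in (s.domain_name, s.domain_mapping)]
    for s in targeted or servers:
        if try_server(login, s):
            return s.domain_name
    return None

# Constructed sample data mirroring the page: acme requires a domain, accepts two names.
ACME = Directory(frozenset({"acme", "acme.com"}), True, frozenset({"validUser"}))
EXAMPLE_1 = LdapServer("anyName", "anyAlias", False, None, ACME)  # Example 1 settings
EXAMPLE_3 = LdapServer("anyName", "anyAlias", True, None, ACME)   # Example 3 settings
```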