Previous Topic Next topic Print topic


MLDAP ESM Module

The MLDAP ESM Module is the ESM Module that enables LDAP servers to be used as External Security Managers for Enterprise Server.

MLDAP (Micro Focus LDAP) is an interface to multiple LDAP providers. It lets the MLDAP ESM Module communicate with a variety of LDAP directories, such as Microsoft Active Directory. The directory can be located on the same system as Enterprise Server, which is often the case for development workstations. (Windows development systems can use AD/LDS (formerly ADAM), Microsoft's version of Active Directory for applications, for example.) Or the directory can be remote, which is more common in production environments.

Within the LDAP directory, you define users, user groups, resource classes, and resources, and these objects contain the attributes used to make security checks (for the Verify, Auth, and XAuth procedures). Micro Focus defines a schema for these objects and their attributes, but in many cases you can adapt an existing directory for at least part of this information, for example in order to reuse an existing repository of user information.

When the MLDAP ESM Module is invoked by ESF Manager to process a security request, it searches the configured LDAP repository for relevant rules and applies whatever it finds. Like other ESM Modules, it can return a definite result if it finds an applicable rule, or an indefinite result otherwise. (See the discussion of Security Function Return Codes.) Since multiple ESM Modules can be configured, this allows configurations such as user and resource information in separate directories, or the resolution of some requests using LDAP and others using some other ESM.

Version 2 of the MLDAP ESM Module , released with Enterprise Server 2.3 and some hotfixes for 2.2 Update 2, includes a new algorithm for matching resource access control rules with security checks. This new algorithm is used by default. It provides better performance and more intuitive behavior in a number of common cases, and enables new features such as Username Substitution. Because some existing customers with complex, ambiguous security rules might see changes in behavior with the new algorithm, the method used in version 1 of the MLDAP ESM Module is still available and can be selected using a configuration option. See Compatibility Rule Matching for more information.

Previous Topic Next topic Print topic