Web CMS (TeamSite)
Urgent - LDAP and TS
abhishek_gupta
Hi,
I need to configure TS 5.5.2 on Solaris 8 to authenticate via LDAP. Even though I have done the appropriate changes in the iw.cfg to point to LDAP, it expects users to be present on the OS too. The customer will not create OS users.
The solution someone told is that you have to change the OS to point to LDAP rather than pointing to /etc/passwd file. If this migration is done in the OS, then TS would only need users on the LDAP.
But again, the customer does not want to change OS configurations as the SUN box has other applications on it too. He is strict against either creating users on OS, or changing OS configurations.
So we are nowhere now. Is there any other way that this can be achieved? Yes, and we would also be integrating TS with SiteMinder. But still TS would need OS level users.
Please do give in your suggestions. Any help would be valuable and highly appreciated.
Thanks in advance.
Abhishek
Comments
Adam Stoller
Maybe someone else knows differently - but I think your customer has to make a decision to do one or the other (change the OS's authentication scheme, or create OS-level accounts [they don't need real access - use /bin/false for shell]) .. Perhaps you can arrange either a conference call or an on-site visit with someone from Interwoven (support, sales engineer, ???)
--fish
(Interwoven Senior Technical Consultant)
abhishek_gupta
Thanks for the prompt reply.
They are strictly against both the options. Says it would have a security issue.
What they can do is maximum create around 4-5 generic users on the OS. Then they want us to map these users to the actual users and allow TS to authenticate. Is this an option?
And I didn't get what you told about OS accounts ("they don't need real access - use /bin/false for shell"). Is it some kind of a dummy user, or do all the users still have to be there on the OS? If the users are there on the OS, the security concern is that anyone can hack into the system.
We are under the opinion of taking help from IWOV PS, but that may take some time. So if you suggest something it would be great.
Thanks,
Abhi
Adam Stoller
The /bin/false thing is a basic way to create an account on a Unix system that cannot actually login to the system (from the console or from telnet) because their login shell is set to the program /bin/false rather than something like /bin/sh, /bin/ksh, /bin/csh, etc.
They don't even need a home directory on the machine - you can probably set their home directories to something like /dev/null
What they *do* need is an account with a UID and a password (through /etc/shadow, or NIS/YP, or perhaps even LDAP) such that they can be authenticated on that machine when logging into an application such as TeamSite.
I'm *not* a security specialist - so I cannot really help you that much here - it just sounds to me like they want to eat their cake and have it too - and that's a hard thing to accomplish.
--fish
(Interwoven Senior Technical Consultant)
laj1
I don't have anything to add to this discussion, but I'm sure interested in how it works out.
Please let us all know.
Thanks.
Len.
Len Jaffe
My Heart Is A Flower
tvaughan
You should be able to ask your customer to configure the Solaris box to use "files, ldap" which means that the OS first looks in /etc/passwd for users, then in the configured LDAP service for users.
Within your ldap.conf file, you can create a special section just for TeamSite authentication, which allows you to disable all other means of authentication through LDAP (e.g., you can shut off Telnet, FTP, etc. access from LDAP) and just restrict that Sun box to authenticate via the "teamsite" section.
You'll have to get your sysadmins really involved in this discussion if you have no other way . . . .
Hope that helps,
Tom
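The two configuration points raised in this thread (Adam's non-interactive accounts with a /bin/false login shell and no real home directory, and Tom's "files ldap" lookup order in the name service switch) are both things an administrator can verify from the files themselves. The script below is an added example for this thread, not TeamSite or Interwoven code: it parses a constructed /etc/passwd sample and a constructed /etc/nsswitch.conf sample, reports which accounts could still obtain a shell, and reports the lookup order configured for the passwd database. The sample contents, user names and paths are made up for the example; on a real box you would read the live files instead.

```python
"""Audit helper (added example, not TeamSite/Interwoven code).

Checks two things discussed in the thread, against sample files built inline:
  1. /etc/passwd entries for accounts that are meant to be application-only
     (login shell /bin/false, home directory pointed somewhere unusable), and
  2. /etc/nsswitch.conf lookup order for the passwd database ("files ldap").
"""

# Shells that cannot start an interactive session.
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin"}

# Constructed sample of /etc/passwd (names, UIDs and paths are invented).
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
iwadmin:x:1001:100:TeamSite app account:/dev/null:/bin/false
editor1:x:1002:100:Content editor:/export/home/editor1:/bin/ksh
editor2:x:1003:100:Content editor:/dev/null:/bin/false
"""

# Constructed sample of /etc/nsswitch.conf.
SAMPLE_NSSWITCH = """\
# nsswitch.conf (constructed sample)
passwd:     files ldap
group:      files ldap
hosts:      files dns
"""


def parse_passwd(text):
    """Return a list of dicts, one per well-formed 7-field passwd line."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; skip rather than guess
        name, _pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def interactive_accounts(users, exempt=("root",)):
    """Names of accounts whose login shell could still give a real session."""
    return [u["name"] for u in users
            if u["shell"] not in NOLOGIN_SHELLS and u["name"] not in exempt]


def parse_nsswitch(text):
    """Map each database (passwd, group, ...) to its ordered source list.

    Bracketed status tokens such as [NOTFOUND=return] are dropped so only the
    source names remain.
    """
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        order[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return order


def passwd_lookup_order(text):
    """Ordered sources consulted for user lookups, e.g. ['files', 'ldap']."""
    return parse_nsswitch(text).get("passwd", [])


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print("accounts that can still get a shell:", interactive_accounts(users))
    print("passwd lookup order:", passwd_lookup_order(SAMPLE_NSSWITCH))
```

On the sample data this reports editor1 as the only non-root account with a usable shell and a passwd lookup order of files then ldap, which is the "files, ldap" arrangement Tom describes.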
archie23
Hi,
I am also looking for information on LDAP-TS integration. My scenario is very similar, and on top of this there are dynamic groups in LDAP. Does TS support dynamic groups? And did you find a way of authenticating users without changing the OS configuration?
Thanks in advance for all help extended!