Environment
Situation
This technical note provides instructions for assigning an LDAP attribute to the user name value that ID Manager recognizes when authenticating users for web-based sessions.
When ID Manager requests an ID, the default value provided by the emulation client is the user's OS-login name - the name a user enters when logging in to their OS. You can change the default to map the user name to an LDAP attribute.
Resolution
Conditions
The ability to use an LDAP attribute as the user name attribute requires the following conditions:
- The sessions must be Web-based sessions created on a Reflection Management server.
- The Reflection Management server has been configured with Access Control Setup to use either LDAP for authentication or authorization.
- ID Manager is configured.
- Cannot be used in conjunction with Reflection's Personalization feature.
Changing the User Name Attribute
To configure the Reflection Management Server to use an LDAP attribute as the default ID Manager user name, follow these steps.
- Stop the Servlet runner (Tomcat, for example) on the machine with Reflection Management Server (where the Administrative WebStation and the emulation files are located).
- Locate the ReflectionData folder. For example, when Reflection for the Web is installed on a current Windows machine, the folder is located here:
C:\ProgramData\Attachmate\ReflectionServer\ReflectionData\
- Open PropertyDS.xml, and locate the AC.AParamsPrefADS property. If necessary, change it back to the default value of false to match the following:
<CORE_PROPERTY NAME="AC.AParamsPrefADS"><STRING>false</STRING></CORE_PROPERTY>- In PropertyDS.xml, locate the AC.DirAParamsList property, as shown in this example:
<CORE_PROPERTY NAME="AC.DirAParamsList"><STRING/></CORE_PROPERTY>- Update the AC.DirAParamsList property so it contains the value as shown:
<CORE_PROPERTY NAME="AC.DirAParamsList"><STRING>attributeName:idmLdapUserName</STRING></CORE_PROPERTY>where
- attributeName is the variable LDAP attribute. This value may be replaced with any valid attribute of the target Directory Service.
- idmLdapUserName is a fixed (required) entry. This entry identifies the LDAP attribute value to be used by ID Manager.
For example, if the target LDAP service is Microsoft Active Directory, one could use the displayName attribute as follows:
<STRING>displayName:idmLdapUserName</STRING>- Start the Servlet runner (Tomcat, for example) on the machine with the Reflection Management server.
The emulation client now supplies the LDAP-derived user name to ID Manager.
Note: ID definitions created in the ID Manager database that are selected by the User-name attribute must contain an LDAP username attribute value that matches the username value sent from the emulation client.
Reverting the User Name Attribute
If you choose, you can revert the user name attribute from the LDAP-derived name to the OS login ID on an individual emulation session created by that Reflection Management server.
- Modify the session in the Session Manager, define an applet parameter on the emulation session called, idmUseOSLoginUserName, and set its value to true.
This applet parameter will override the use of the idmLdapUserName applet parameter for the given emulation session, and the ID Manager will use the OS login ID of the user as its User-name.
- To be sure the IDs in the ID Manager
database being selected by users of those emulation sessions match the
value of each user's OS login ID, you can do a quick test:
- Launch a session and click Connection > Connection Setup.
- Select Use ID Manager, and click Configure.
- Check User name, and click the Test selected attributes button.
- In the Test Attributes dialog, note the User name entry. Click Get ID.
The test confirms that ID Manager can provide an ID matching the configured attribute and value selections.