Neoview User Management and Security Administration Guide (R2.5)

If all users log on with the same syntax, and if user and domain names across the enterprise are
stored in the same format in userPrincipalName, the configuration description file for the default
configuration can look like this:

    directorybase dc=bellwether,dc=com
    useridentifier userPrincipalName
    useridentifierformat domain\user
    useridentifiermapping user@domain.*

No separate configuration file is needed for any other directory server. (That is, in NCI, you can
use the same file as input for the global catalog and for each of the domain controllers, while in
HPDM, you need not specify values in the Parameters area for any of the domain controllers.)

When Scott James logs on:
1. The LDAP daemon contacts the global catalog, which is the NeoviewDirectoryServer with
the highest usage priority, to search for “Scott James,” followed by an @ sign, “USA,” a
period, and possibly additional characters, as the value of userPrincipalName.
2. The reply from the NeoviewDirectoryServer includes Scott's complete DN.
3. The LDAP daemon binds to the directory server with domain name USA, providing Scott's
DN and the password Scott entered in his logon request. This server must have been explicitly
configured in HPDM or NCI.
4. The LDAP server either authenticates Scott's credentials or replies with an authentication
failure.
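
The lookup in steps 1 and 2 can be sketched as follows. This is an added example, not Neoview, HPDM or NCI code; it escapes what the user typed (RFC 4515) so that only the asterisk from useridentifiermapping acts as a wildcard in the search. It assumes the login string is split at its first backslash and that the words user and domain in the mapping are replaced by the two parts; all function names are hypothetical.

```python
import re

# Added illustration, not Neoview, HPDM or NCI code. Assumption: the login
# string is split at its first backslash (useridentifierformat domain\user) and
# the words "user" and "domain" in useridentifiermapping are replaced by the parts.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(text):
    """Escape the characters that are special in an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)

def parse_login(login):
    """Split a domain\\user login string into (domain, user)."""
    domain, sep, user = login.partition("\\")
    if not sep or not domain or not user:
        raise ValueError("login string does not match domain\\user")
    return domain, user

def build_search_filter(login, attribute="userPrincipalName",
                        mapping="user@domain.*"):
    """Step 1: return (domain, filter); the domain picks the server for step 3."""
    domain, user = parse_login(login)
    # Fill the template on its literal words. The template's own '*' stays a
    # wildcard; every character the user typed is escaped first.
    parts = re.split(r"(user|domain)", mapping)
    value = "".join(
        escape_filter_value(user) if part == "user" else
        escape_filter_value(domain) if part == "domain" else part
        for part in parts)
    return domain, "(%s=%s)" % (attribute, value)

def select_dn(search_results):
    """Step 2: accept the reply only if it names exactly one DN."""
    if len(search_results) != 1:
        raise LookupError("expected one entry, got %d" % len(search_results))
    return search_results[0]

if __name__ == "__main__":
    # Constructed login strings: the page's user, then a name with a metacharacter.
    for sample in ("USA\\Scott James", "USA\\*"):
        print(sample, "->", build_search_filter(sample))
```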

More Active Directory Examples: Support for Various Login Formats

The following examples show the configuration parameters used to support various formats of
a user's login string. All these examples presume a multiple domain setup consisting of a global
catalog (NeoviewDirectoryServer) and two domains, DomainA and DomainB. Each domain has
a user named John Smith who has the DN

    cn=John Smith,ou=users,dc=zorin,dc=com

and whose identifying information is stored in the following directory attributes:

In DomainA
    John Smith (displayName)
    SmithJ (sAMAccountName)
    SmithJ@domainA.zorin.com (userPrincipalName)

In DomainB
    John Smith (displayName)
    SmithJ (sAMAccountName)
    SmithJ@domainB.zorin.com (userPrincipalName)

Example 1: Login format domain\displayName, names unique within the domain

In this example, names are unique within the domain. Each user named John Smith logs in with
a string that includes not only his display name but also the domain in which his account is
defined. A backslash (\) separates the domain name from the user's own name, as in

    DomainA\John Smith

To support this scenario, the directory entries for DomainA and DomainB have two common
parameters, one to indicate the part of the user's DN that uniquely identifies the user, and the
other to indicate the format of the login string:

    UniqueIdentifier cn,ou=users
    UserIdentifierFormat domain\user

As in the previous example, each domain entry has a unique value for the parameter
DirectoryBase:

    DirectoryBase DomainA.zorin.com
    DirectoryBase DomainB.zorin.com

76 LDAP Server Configuration on Neoview