20 Replies. Latest reply on Feb 21, 2019 10:10 PM by Deepak S

    LDAP Authentication best method

    Deepak S

      Hi All,

       

      I want to know the best way of user authentication with AD/LDAP in BMC Remedy. I have already integrated the data sync between the LDAP and Remedy CTM_People.

      However, I need a method to authenticate users with LDAP credentials into Remedy, and any changes to passwords should take effect immediately.

       

      Thanks in advance.

       

      Regards,

      Deepak

        • 1. Re: LDAP Authentication best method
          Marie Johnson

          Deepak

           

          what version are you using?

          Typically, I recommend SAML through RSSO, not LDAP, for authentication. However, both can be centralized through RSSO.

           

          LDAP is lightweight for a reason! While it is easy for apps to use and requires no trusts, keys or other mechanisms to validate usage, this also creates a threat to companies: with LDAP it is easy to spoof directory services! LDAP decentralizes control and tends to make security get a bit on edge with you.

           

          LDAP through RSSO: LDAP authentication process - Documentation for BMC Remedy Single Sign-On 9.1 - BMC Documentation

           

          YouTube:  https://m.youtube.com/watch?v=ClbpS_acLuQ

          4 of 4 people found this helpful
          • 2. Re: LDAP Authentication best method
            Deepak S

            My version is 9.1.04.

            Actually, I am looking for a scenario in which a user can log in with 2 different user names into Remedy. Any ideas on how it can be done? I tried the Authentication Alias Name, but it has a different purpose altogether.

            • 3. Re: LDAP Authentication best method
              Brian Morris

              You could also just direct them to the login.jsp page directly, where they can login with the alternate name.  Should be available in this format:

               

              https://serverfqdn/arsys/shared/login.jsp

               

              You could also look at something like JSS SSO if you're not using RSSO for some reason.  Java System Solutions: Specialists in Single Sign On for BMC, HP and others.

              • 4. Re: LDAP Authentication best method
                Siva Sankara Prasad Kaza

                If you are planning to use or using RSSO then there is an option in the configuration to Enable AR System Authentication bypass: Enabling AR System authentication for bypass - Documentation for BMC Remedy Single Sign-On 9.1 - BMC Documentation

                 

                Once you enable this option there is a link format available which will take you to RSSO login page. You can then login using any account that's available in Remedy and the authentication will be just performed against Remedy.

                • 5. Re: LDAP Authentication best method
                  Adam Lawson

                  Can you please clarify if you intend to use Remedy Single Sign On?  If you're going to use RSSO then it changes this a little bit, if not this can be a simple configuration change.

                  • 6. Re: LDAP Authentication best method
                    Deepak S

                    Thanks Brian for the response. I guess I did not make my requirement clear earlier. Let me rephrase it.

                    I have LDAP integration in place. We have Login Name = emailId in the User form, which works fine with LDAP authentication. Now my requirement is that users have their AD user name in LDAP in a format like xyzabc. Without creating another User form record, I should be allowed to log in to Remedy either by email ID or by the AD user name, but both should point to the same user record with the same permissions. So is this doable with SSO/JSSO?

                    • 7. Re: LDAP Authentication best method
                      Deepak S

                      Thanks Siva. When you say "You can then login using any account that's available in Remedy and the authentication will be just performed against Remedy": here I have one user record that should be usable for login to Remedy with 2 different Login Names. Please see my above comment for more. Is that possible?

                      • 8. Re: LDAP Authentication best method
                        Deepak S

                        Thanks Adam for the response. I did not get you completely. As of now I am trying to avoid SSO, so any ideas apart from SSO? If nothing works out, my last option will be an RSSO implementation. I did see documentation on User ID transformation (User ID transformation - Documentation for BMC Remedy Single Sign-On 9.1 - BMC Documentation), but my question is still: will I be able to log in to Remedy with 2 different user names and the same LDAP password, with both pointing to the same user record for all permissions/privileges?

                        • 9. Re: LDAP Authentication best method
                          Adam Lawson

                          Based on what you've provided, try "Username=cn"...  I think this will work for you.

                          1 of 1 people found this helpful
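The requirement in the thread is one directory identity reachable under two spellings (e-mail or AD user name) without a second People record. The following is an added illustration, not code from Remedy, the AR System LDAP plugin or RSSO: it shows the directory-side half of that idea, a single LDAP search filter that matches either `mail` or `sAMAccountName`, escaped per RFC 4515 so that whatever the user types stays a literal, and a resolver that refuses ambiguous matches. The directory entries and attribute names are constructed sample data; a real deployment would send the filter string to the directory server instead of the in-memory stand-in used here.

```python
"""Resolve a login typed as e-mail OR AD user name to exactly one directory
entry, building the LDAP search filter safely (RFC 4515 escaping).

Added example, not Remedy / ARS LDAP plugin code. DIRECTORY below is
constructed sample data standing in for an AD search.
"""
from typing import Dict, List, Optional

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_filter(login: str) -> str:
    """Filter matching a person by e-mail or sAMAccountName.

    The (objectClass=person) guard stops the search from matching groups or
    computers that happen to carry the same attribute value.
    """
    v = ldap_escape(login)
    return f"(&(objectClass=person)(|(mail={v})(sAMAccountName={v})))"


# Constructed sample directory (assumed AD-style attribute names).
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "CN=Mary Manager,OU=Staff,DC=example,DC=com", "objectClass": "person",
     "mail": "mary.manager@example.com", "sAMAccountName": "mmanager"},
    {"dn": "CN=Deepak S,OU=Staff,DC=example,DC=com", "objectClass": "person",
     "mail": "deepak.s@example.com", "sAMAccountName": "xyzabc"},
    # A group whose mail attribute collides with a user name: must never match.
    {"dn": "CN=Service Desk,OU=Groups,DC=example,DC=com", "objectClass": "group",
     "mail": "xyzabc", "sAMAccountName": "sd"},
]


def _matches(entry: Dict[str, str], login: str) -> bool:
    """Local stand-in for the directory evaluating login_filter()."""
    if entry.get("objectClass") != "person":
        return False
    needle = login.lower()  # AD compares these attributes case-insensitively
    return needle in (entry.get("mail", "").lower(),
                      entry.get("sAMAccountName", "").lower())


def resolve_login(login: str, directory=DIRECTORY) -> Optional[Dict[str, str]]:
    """Return the single entry for `login`, or None for zero or >1 matches.

    Refusing ambiguous results is the security-relevant part: binding as
    "whichever entry came first" would hand one person another person's
    record and permissions.
    """
    hits = [e for e in directory if _matches(e, login)]
    return hits[0] if len(hits) == 1 else None


def canonical_login_id(login: str, directory=DIRECTORY) -> Optional[str]:
    """Map either spelling of the login to the ID stored in the application
    (here the e-mail, matching the thread's Login Name = email setup)."""
    entry = resolve_login(login, directory)
    return entry["mail"] if entry else None


if __name__ == "__main__":
    print(login_filter("xyzabc"))
    print(login_filter("*)(objectClass=*"))  # escaped: stays a literal value
    print(canonical_login_id("xyzabc"), canonical_login_id("deepak.s@example.com"))
```

The application still needs to bind with the password after the search, and the record it loads must be keyed by the canonical ID returned here, not by whatever the user typed; otherwise the two spellings drift into two records, which is the situation the thread is trying to avoid.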
                          • 10. Re: LDAP Authentication best method
                            Adam Lawson

                            I just realized I didn't finish my thought. You can use the above, BUT the CTM:People record will have to be either modified or recreated.

                            Modified:

                            You will not be able to modify the record from AR System; you would have to do it with a SQL query. (I'd highly recommend a SQL DB backup before you try to make those changes.) Additionally, I'd like to note that any preexisting data that relates back to a user (like a ticket) might not have the right user selected, or any user selected at all. Additionally, any in-flight tickets will be completely messed up.

                            Recreated:

                            This would be the cleanest way from a "not impacting other components" point of view.  Your old accounts can be mass set to "offline" and then your new accounts will just be new accounts.  You might have to do some license cleanup, but it shouldn't be too difficult just time consuming.

                             

                            In SHORT there is no magic wand to fix the data, it will require either manipulation or recreations - or some variation in the middle.

                            • 11. Re: LDAP Authentication best method
                              Deepak S

                              Thanks Adam. I had already thought about the mass People record update, preferably creating new records and then eliminating the old ones. That's my plan B, for which I will use Spoon or DMT to process records. However, I want to avoid this and work on the existing ones, and without modifying the Login Name/Login ID.

                               

                              Thanks,

                              Deepak

                              • 12. Re: LDAP Authentication best method
                                Adam Lawson

                                That will be virtually impossible without completely rebuilding how the login mechanism works.  And when you start to go into that level of customizations, BMC will not support those changes.

                                 

                                Additionally, I'd advise that you do not delete the old records, but instead you mark them as offline.  This way you don't have to worry about relationships being broken.

                                • 13. Re: LDAP Authentication best method
                                  Marie Johnson

                                  Deepak

                                   

                                  So if you want to give 2 accounts to ONE person, this is pretty normal in some manufacturing companies I consult at, specifically because they want employee and admin accounts to be separate IDs. This is a compliance and security safeguard where the admin ID has no internet or corporate access except for what they need to administrate, and the employee account has the internet and corporate access but no server admin privileges. You can go about this MANY ways.

                                   

                                  The best practice method is for the AD admin to create a user account and an admin account, where the admin account is restricted to what is necessary (many times it doesn't even get Domain Users). With this, the user logs into Remedy with their standard name when they are doing regular Remedy work, or their admin name if they are doing admin work. The nice thing with this is they can have two browsers up, each logged in differently. This provides the corporation with complete control of access and allows you to synchronize the accounts.

                                   

                                  Alternatively, you could set up an AD account as a user and then a local account as an admin. As above, you would still want to limit the admin account to admin tasks only and the user ID to user tasks; the admin, for example, wouldn't belong to support groups, whereas the user would. Both of these can be set up in RSSO, where AD is first and local Remedy is second.

                                   

                                  In either case, let’s say Mary Manager has a:

                                  user ID of mmanager

                                  support group is Payroll

                                  permission are Incident User, Work Order Manager, etc...

                                  license is Floating

                                  and an administrator ID of mmanager.adm

                                  support groups NONE

                                  permissions Administrator

                                  License is Fixed

                                   

                                  In the first example if Mary logged in with mmanager.adm: RSSO would use AD as the provider to authenticate her.

                                  In the second example if Mary logged in with mmanager.adm: RSSO would look at the first provider AD, find no match and then look at the second provider Remedy and then authenticate her.

                                   

                                  To my knowledge (in current versions of RSSO) there is no limit on how many providers you set up, as long as your timeout doesn't get exceeded.

                                   

                                  So I still say this is very easy to accomplish. However, what is YOUR example of how you will use the multiple IDs for one person?
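The second setup above (AD as the first provider, local Remedy as the second, one user ID and one separate admin ID per person) is an ordered provider chain. The following is an added illustration of that chain, not RSSO's code: it models the "no match in AD, so try the next provider" behaviour, gives the two IDs the separate support group, permission set and license from the example above, and adds the check a practitioner would want: the chain falls through only when the account is unknown to a provider, never on a wrong password for a known account, since falling through on a bad password would let a local password quietly override the AD one and double the guessing surface. Provider names, user names, passwords and profiles are constructed sample data; the local store keeps salted PBKDF2 hashes rather than plaintext.

```python
"""Ordered authentication-provider chain (AD first, local Remedy second).

Added example, not RSSO code. Providers, accounts and profiles are
constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

NOT_FOUND, BAD_PASSWORD, OK = "not_found", "bad_password", "ok"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Provider:
    """Stand-in for one identity provider (an AD bind or the local user store)."""

    def __init__(self, name: str, users: Dict[str, str]):
        self.name = name
        # Store salted hashes only; the plaintext passed here is test data.
        self._users = {}
        for login, pw in users.items():
            salt = os.urandom(16)
            self._users[login.lower()] = (salt, _hash(pw, salt))

    def authenticate(self, login: str, password: str) -> str:
        rec = self._users.get(login.lower())
        if rec is None:
            return NOT_FOUND            # unknown here: the chain may move on
        salt, digest = rec
        ok = hmac.compare_digest(digest, _hash(password, salt))
        return OK if ok else BAD_PASSWORD


class ProviderChain:
    def __init__(self, providers: List[Provider]):
        self.providers = providers

    def authenticate(self, login: str, password: str) -> Tuple[bool, str]:
        """Try providers in order; return (success, provider that decided).

        Fall through only on NOT_FOUND. A wrong password for an account a
        provider KNOWS ends the attempt: otherwise a second provider would
        be a second guessing surface, and a local password could override
        the AD one for the same login.
        """
        for p in self.providers:
            result = p.authenticate(login, password)
            if result == OK:
                return True, p.name
            if result == BAD_PASSWORD:
                return False, p.name
        return False, "none"


# Constructed sample data mirroring the thread's Mary Manager example.
AD = Provider("AD", {"mmanager": "Spring2019!"})
REMEDY_LOCAL = Provider("Remedy", {"mmanager.adm": "Adm1n-pass",
                                   "mmanager": "local-shadow"})  # stale local copy
CHAIN = ProviderChain([AD, REMEDY_LOCAL])

PROFILES = {
    "mmanager": {"support_group": "Payroll",
                 "permissions": {"Incident User", "Work Order Manager"},
                 "license": "Floating"},
    "mmanager.adm": {"support_group": None,
                     "permissions": {"Administrator"},
                     "license": "Fixed"},
}


def login(login_id: str, password: str) -> Optional[dict]:
    """Authenticate through CHAIN and load the matching profile, or None."""
    ok, provider = CHAIN.authenticate(login_id, password)
    if not ok:
        return None
    profile = PROFILES.get(login_id.lower())
    if profile is None:
        return None                     # authenticated but no People record
    return {"provider": provider, **profile}


if __name__ == "__main__":
    print(login("mmanager", "Spring2019!"))
    print(login("mmanager.adm", "Adm1n-pass"))
    print(login("mmanager", "local-shadow"))  # AD knows mmanager: no fallback
```

The stale `local-shadow` entry is there on purpose: it is the case the fall-through rule protects against, a local account with the same login as an AD account whose password would otherwise still work after AD's was changed, which defeats the "password changes take effect immediately" goal from the original question.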

                                  • 14. Re: LDAP Authentication best method
                                    Marie Johnson

                                    Actually, that's not the case; BMC has made it very easy, as there is a Data Wizard that can be used to find the IDs and change them throughout the system. Changing a user's login ID using the Data Wizard Console - Documentation for Remedy IT Service Management Suite 9.1 - BM…

                                     

                                    This has been available since Remedy 8.0 but has been further enhanced as GDPR came about and companies needed to mask or create pseudonyms for real names when asked.
