Can different LDAP trees be used for authentication and authorization?
(Last modified: 16Dec2003)
This document (10089549) is provided subject to the disclaimer at the end of this document.
fact
iChain 2.2
goal
Can different LDAP trees be used for authentication and authorization?
fix
Yes, but there are caveats. iChain uses the user's full DN from the authentication tree when it performs ACLCHECK and OLAC, so the authorization tree is only ever consulted with that DN. What does this mean?
1) If you are going to use SECURE access rules, the user's full DN must be identical in both trees, because ACLCHECK looks the authentication-tree DN up in the authorization tree. You can, however, use RESTRICTED resources with no problem, as a RESTRICTED resource only validates that the user is authenticated.
2) If you plan to use OLAC for single sign-on, you must modify the sys:\iChain\oac.properties file so that the [LDAP Processor] section points to the authentication tree and the [OAC] section points to the authorization tree.
Example of default oac.properties file:
[OAC]
Worker Count = 32
Refresh Time = 180
[LDAP Processor]
Class Name = com.novell.ichain.oac.ldap.ParamListBuilder
[CONSTANT Processor]
Class Name = com.novell.ichain.oac.constant.ParamListBuilder
Modified file using IP address x.x.x.x for authorization/OLAC and IP address y.y.y.y for authentication:
[OAC]
Provider URL = x.x.x.x (IP address of the authorization/OLAC server)
Security Principal = cn=admin,o=novell (LDAP DN of the BIND user)
Security Credentials = xxxxxx (password of the BIND user)
ISO Object Name = cn=iso,o=novell (DN of the ISO object)
Refresh Time = 180
[LDAP Processor]
Class Name = com.novell.ichain.oac.ldap.ParamListBuilder
Provider URL = y.y.y.y (IP address of the authentication server)
Security Principal = cn=admin,o=novell (LDAP DN of the BIND user)
Security Credentials = xxxxxx (password of the BIND user)
[CONSTANT Processor]
Class Name = com.novell.ichain.oac.constant.ParamListBuilder
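As an added, runnable illustration of both caveats (this is not code from Novell or from the TID), the following Python script parses an oac.properties file laid out like the one above, reports which server each section points at, and checks that every user DN exported from the authentication tree exists with the identical full DN in the authorization tree, which is what SECURE access rules require. The IP addresses, containers and user names are constructed sample data; the only names taken from the page are the section headers and the Provider URL key.

```python
"""Added example, not from the TID: check the two split-tree caveats.

1) SECURE rules: every user DN from the authentication tree must exist
   with the identical full DN in the authorization tree.
2) OLAC: [LDAP Processor] must point at the authentication tree and
   [OAC] at the authorization tree in oac.properties.

All IP addresses, containers and user names below are constructed
sample data (assumptions); only the section names and the Provider URL
key come from the TID.
"""
import re

# Constructed oac.properties content for a split-tree deployment
# (10.0.0.10 = authentication tree, 10.0.0.20 = authorization tree).
SAMPLE_OAC_PROPERTIES = """\
[OAC]
Worker Count = 32
Refresh Time = 180
Provider URL = 10.0.0.20
Security Principal = cn=admin,o=novell
Security Credentials = xxxxxx
ISO Object Name = cn=iso,o=novell

[LDAP Processor]
Class Name = com.novell.ichain.oac.ldap.ParamListBuilder
Provider URL = 10.0.0.10
Security Principal = cn=admin,o=novell
Security Credentials = xxxxxx

[CONSTANT Processor]
Class Name = com.novell.ichain.oac.constant.ParamListBuilder
"""

# Constructed exports of user DNs from each tree (for example the DNs an
# ldapsearch for user objects returns against each server).
AUTH_TREE_USERS = [
    "cn=jdoe,ou=users,o=novell",
    "cn=asmith,ou=users,o=novell",
    "cn=bkhan,ou=contractors,o=novell",
]
AUTHZ_TREE_USERS = [
    "CN=jdoe, OU=users, O=novell",   # same DN, only case/spacing differ: fine
    "cn=asmith,ou=users,o=novell",
    "cn=bkhan,ou=users,o=novell",    # user exists, but under another container
]


def parse_oac_properties(text):
    """Parse the '[Section]' / 'Key = Value' layout of oac.properties."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def provider_urls(sections):
    """Return (authentication server, authorization/OLAC server); None if unset."""
    authn = sections.get("LDAP Processor", {}).get("Provider URL")
    authz = sections.get("OAC", {}).get("Provider URL")
    return authn, authz


def normalize_dn(dn):
    """Canonical form for comparing DNs: split on unescaped commas, trim
    whitespace, lower-case types and values (eDirectory matches cn and ou
    case-insensitively). Escaped commas inside a value are preserved."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def dn_parity_report(auth_dns, authz_dns):
    """DNs that exist in the authentication tree but not as the same full
    DN in the authorization tree. ACLCHECK uses the authentication-tree
    DN, so SECURE access rules deny every user listed here."""
    present = {normalize_dn(dn) for dn in authz_dns}
    return sorted(dn for dn in auth_dns if normalize_dn(dn) not in present)


if __name__ == "__main__":
    authn, authz = provider_urls(parse_oac_properties(SAMPLE_OAC_PROPERTIES))
    print(f"authentication tree: {authn}, authorization/OLAC tree: {authz}")
    for dn in dn_parity_report(AUTH_TREE_USERS, AUTHZ_TREE_USERS):
        print(f"SECURE rules will deny {dn}: no identical DN in authorization tree")
```

Run dn_parity_report() over the DNs exported from each tree before switching a resource from RESTRICTED to SECURE; every DN it returns is a user who authenticates fine but is denied by the access rule, and the fix is to give that user the same full DN in both trees. Note also that oac.properties carries the BIND password in clear text under Security Credentials, so the file on the sys: volume should be readable only by the iChain server's administrators.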
document
Document Title: Can different LDAP trees be used for authentication and authorization?
Document ID: 10089549
Solution ID: NOVL94422
Creation Date: 11Dec2003
Modified Date: 16Dec2003
Novell Product Class: Connectivity Products
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.