Do I need to enable LDAP authentication for my Cache instance ot use LDAP auntentication in a single CPS application?

Question

Question

Evgenii Ermolaev · Mar 25, 2021

#Authentication #Access control #CSP #LDAP #Caché

Currently, I am working on a CSP application that is supposed to generate reports. Users will have varying access to said reports. To achieve that, I plan to use LDAP (because it's used in other systems where those users already exist). Documentation does not provide enough information, so I'd like a clarification:
Do I need to enable LDAP authentication for the whole Cache instance to use LDAP authentication in a single CSP application in that instance?
We (as in me and my organization) use Cache Authentication for our instances, and one of the reasons to use LDAP for this system was to avoid mixing employees of our organization and our users.

Product version: Caché 2018.1

Discussion (5)0

Log in or sign up to continue

Katherine Reid · Mar 25, 2021

Yes, you must enable an authentication type system-wide before you can use it in an application. An authentication type must be enabled both system-wide and in the individual application or service the login is using to be used.

You can turn LDAP off in all other applications if you only want it in the one application. The one which is using LDAP authentication will need to look at the shared system-wide settings about domains, servers, attributes, etc, to know what to do with users logging in.

If the users and employees are part of different domains, you might want to look into the multiple domain support. You may be able to use the multiple domain support to let both sets of logins work separately.

0 0

score 0 · Answer 1 · 2021-03-25T19:07:15-04:00

I don't think using multiple domains sovles the problem here though. Employees are not using LDAP, but Cache authentication. If I were to enable LDAP, it's going to lead to cascading authentication, and LDAP has higher priority, so, according to documentation, Cache will try to authenticate via LDAP first, fail, log the error and then attemp the next option, which will be Cache Authentication.

score 0 · Answer 2 · 2021-03-25T19:45:11-04:00

Is your concern that the audit log will have extra events that aren't really failures? If the login eventually succeeds, the authentication methods which didn't work should not cause loginfailure audit events. Otherwise, there would be loginfailure events confusing the audit log on any system with more than one type of authentication enabled.

If the login fails, all types of authentication which were tried will be logged.

score 0 · Answer 3 · 2021-03-25T20:05:24-04:00

My concern here is how adding LDAP authentication will affect our daily routine, since we have no intention of moving employee authentication to LDAP.
If I could explicitly set authentication method for various parts of our instance (management portal, monitor, apps, etc.) it would not be a problem, but apparently cascading authentication is the only option, hence I am worried.

score 0 · Answer 4 · 2021-03-26T04:12:57-04:00

If I could explicitly set authentication method for various parts of our instance

Apparently you can do it for each part of your instance represented as a web application. Just look in System Management Portal (SMP): System > Security Management > Web Applications: all the /csp/sys/* stuff is nothing else but SMP's function groups starting pages.