LDAP And Non-LDAP Users

peterbruce

JDEList,

We are looking at implementing LDAP user authentication. We have specific user IDs for use only with the JDE Scheduler and for use only with the runube command. These users are not in the LDAP (OpenLDAP) database. We have one enterprise/application server. I have a number of questions:

1) Does the JDE Scheduler use the LDAP authentication when it is switched on? (I suspect it would)

2) Does the runube command (run on the enterprise server) use the LDAP authentication when it is switched on? (I suspect it would)

3) When logging onto the planner environment on the deployment server, does it use LDAP authentication when it is switched on? (I suspect it would not)

4) Can LDAP authentication be switched on on the enterprise server but not used on the fat/admin/developer client? (I suspect not)

5) Would any answers to the above questions change with our upgrade (see below)? If so what would the answers be? (I suspect the answers would not change)

Our configuration at this point is:

Oracle JD Edwards EnterpriseOne,
E8.11sp1 TR8.97.2.1, ES Sun, Oracle DB 10.2, Websphere 6 Win2K3.

We are upgrading to:

Oracle JD Edwards EnterpriseOne,
E9.10 TR9.10 ES Sun zones, Oracle DB 11.2, Weblogic, win 7-64 and Win server 2k8
 
[ QUOTE ]
1) Does the JDE Scheduler use the LDAP authentication when it is switched on? (I suspect it would)

[/ QUOTE ]
Yes, it does.

[ QUOTE ]
Does the runube command (run on the enterprise server) use the LDAP authentication when it is switched on? (I suspect it would)

[/ QUOTE ]
Yes, it does.

[ QUOTE ]
When logging onto the planner environment on the deployment server, does it use LDAP authentication when it is switched on? (I suspect it would not)

[/ QUOTE ]
JDEPLAN does not use LDAP. For DEP900 & the others, it does use LDAP (it kind of depends on jde.ini SecurityServer). I would create an LDAP JDE and make the JDE password the same everywhere (including in planner).

[ QUOTE ]
Can LDAP authentication be switched on on the enterprise server but not used on the fat/admin/developer client? (I suspect not).

[/ QUOTE ]
As long as the clients and the server point to the same set of services (same port number), it's all or nothing. So you are correct in your suspicion.

[ QUOTE ]
Would any answers to the above questions change with our upgrade (see below)? If so what would the answers be? (I suspect the answers would not change)


[/ QUOTE ]
The answers will change because in question 4, if you go to the latest tools release and use a timezone(-like) subsystem, you can turn LDAP off for just that sbs. The security tables can be used in the non-LDAP subsystem like standard JDE.
 
Thanks for the information, it is really appreciated.

[ QUOTE ]
The answers will change because in question 4, if you go to the latest tools release and use a timezone(-like) subsystem, you can turn LDAP off for just that sbs. The security tables can be used in the non-LDAP subsystem like standard JDE.

[/ QUOTE ]

Please provide more information on this, or preferably, Oracle doc id(s) or other information so I can chase this up myself.
 
I actually found something on the Oracle Support site for timezone subsystems (Doc ID 1379886.1). Not exactly sure how helpful it will be.

At the moment we are considering creating the non-LDAP user ids in LDAP.
 
Great thread choice!

We've got multi foundation configured (DV900, PD900 port 60xx and PY900 port 60yy) and we thought we could use this configuration to turn on LDAP on one foundation, but it's still limited by the fact all foundations point to one set of security tables.

So it appears to me in researching that LDAP is "global" once turned on; therefore the question is, how the heck can you test LDAP without affecting production users?


JDE 9.0, 898.3.1,
iSeries v7 enterprise.
Websphere 6.x Solaris WebServers
Windows XP FCs
 
cdawg,

We have two separate installations of JDE. Each has its own enterprise, deployment and web servers. One installation is for production and the other is for test and development.
 
Alex,

At the moment we are only looking at LDAP. We will be looking at SSO after we upgrade to 9.1.

We have looked favourably at your SSO solution and will be including it as an option when we look at SSO.
 
It's not global. It's very easy to have it on/off for different environments. It's a little tricky, but for the same environment having multiple subsystems, you most likely could run it on for one set of users and off for another set of users.

You can set up multiple F00928, F009281, and F00928 and OCM map these tables to different copies. For the LDAP subsystem users you activate LDAP in 1 copy of the tables. In the other subsystem, you OCM map it to a copy of the tables with LDAP off. The security kernel recognizes that it is off and uses the standard F98OWSEC, F0092, etc.
 
Yes that is the correct document.

The idea incorporated into 1379886.1 E1 Time Zone Support is that you can have multiple subsystems / XX900 pathcodes using the same Central Objects. Time zone support is new but I believe multiple pathcodes for 1 set of Central Objects has been around for a while.

Since LDAP is ultimately tied to subsystem/service jde.ini settings, you have to be able to get around that limit first. The idea with this is that you would create multiple subsystems/services. By doing this you configure one set of services to have LDAP on and one set of services to have LDAP off. I have done this many times for 2 different environments. I have not done it for the same environment name but I would expect it to work.
 