LDAP - Question on creating new users via _LDAPDEFLT HELP!!??

JDE0101

Active Member
Hi,

We're planning on implementing LDAP to manage password authentication in JDE. (But not the Roles)

I am confused as the documentation implies that if a new AD user signs onto JDE with a valid AD password and they *do not* have a JDE account defined then the account will be auto created via copying the _LDAPDEFLT profile.

Assuming this _LDAPDEFLT profile is configured with a valid F98OWSEC record and a default Role (per the document's advice), will this mean that the user can sign in to JDE straight away?!

I am trying to avoid the situation where a new AD user somehow signs onto JDE without us first ensuring they have the correct roles for that individual, as the default role will not be appropriate for that individual!

We don't plan to move the role management into LDAP.

Any comments/advice would be great on how to use LDAP without allowing people to "sneak in" to JDE as they inherit the _LDAPDEFLT profile properties!


JDE E900, TR 9.1.2.1,
WAS 7.0.0.19
ISeries DB2 Database
 
Unfortunately, not having the roles in AD will be a problem for you. The user will get a goofy error when they try to login.

Unless there has been an enhancement, the login doesn't explain that you don't have roles, it just gives a useless JAS error. You have to have at least one role.

Consider setting up a new PUBLIC role with no permissions but maybe submitted jobs, etc.
 
I am doing exactly that at a site where we have LDAP implemented. Assigned a temp role to _LDAPDEFLT, which has access to the environment, but nothing else. We do have a closed-door security model, so once they log in they can only execute what *PUBLIC has access to, which is Submitted Jobs etc.

Once they log in, the record gets created in F0092 and F98OWSEC, F95921, F0093 etc. We then remove the temp role and assign the actual roles requested.

We do have an OU that is mapped in the LDAP settings, so not all users who are part of the AD can log in to JDE. So once a user's ID request has been approved, their ID is moved to the OU and then we ask them to log in, which will create the ID in the JDE system, and then we assign/change the roles.

Very roundabout, but I haven't found another way of doing it.
 
Hmm so this LDAP isn't exactly a smooth integration.

1/ I will assign a basic role to the _LDAPDEFAULT role with the WSJ, Password reset application. That should avoid any issues.


2/ I have LDAP authentication working against IAM and can sign in with my AD password; however, when I try to sign in with an AD user that doesn't exist in JDE I get "invalid login", i.e. it doesn't create the F0092, F98OWSEC, F95921 record etc. Should this definitely work? Am I missing something?

3/ If the user requests an AD password reset and it's marked as "required change on next sign-on" by the Windows team, will the JDE login request be able to detect and handle this?? Worried that our AD reset policy causes an issue with JDE....

4/ When a user is disabled in AD, do they get auto-disabled in JDE?
Thanks
 
Another solution is to create a new group in your LDAP for all JD Edwards users and synchronise accounts with the batch R9200040. If you do that, you can assign roles to your users before the first connection, and only users with the JDE group in your AD can connect to JDE.
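The two gating approaches in the thread (an OU mapped in the JDE LDAP settings, or a dedicated AD group for JDE users) both reduce the set of AD accounts that can reach the _LDAPDEFLT auto-create path. The script below is an added example, not code from this thread or from JD Edwards: it models that gating over a constructed directory export and reports which accounts would still be auto-created on first login. The policy fields, DN layout, user names and decision strings are assumptions for illustration; only the userAccountControl ACCOUNTDISABLE bit (0x0002) is a real AD detail. The DN scope check is a simplified suffix match, not full DN normalization.

```python
"""Model of OU-scoped and group-scoped LDAP gating in front of the
_LDAPDEFLT auto-create behaviour discussed in the thread (added example)."""

from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts


@dataclass
class AdUser:
    dn: str
    sam: str                     # sAMAccountName, compared case-insensitively to JDE user IDs
    user_account_control: int
    member_of: Tuple[str, ...] = ()


@dataclass
class JdePolicy:
    base_dn: str                           # search base assumed to be set in the JDE LDAP settings
    required_group: Optional[str] = None   # DN of a "JDE users" group, or None to skip that check
    existing_jde_users: FrozenSet[str] = frozenset()  # user IDs that already exist in F0092 (assumed)


def in_subtree(dn: str, base_dn: str) -> bool:
    """True if dn sits under base_dn (simplified case-insensitive suffix match)."""
    return dn.lower().endswith("," + base_dn.lower())


def is_disabled(uac: int) -> bool:
    return bool(uac & ACCOUNTDISABLE)


def evaluate_login(user: AdUser, policy: JdePolicy) -> str:
    """Decide what happens when this AD account binds to JDE under the policy."""
    if not in_subtree(user.dn, policy.base_dn):
        return "denied: outside search base"
    if policy.required_group and policy.required_group.lower() not in (
        g.lower() for g in user.member_of
    ):
        return "denied: not in JDE group"
    if is_disabled(user.user_account_control):
        return "denied: AD account disabled"
    if user.sam.upper() in policy.existing_jde_users:
        return "allowed: existing JDE user"
    return "allowed: would be auto-created from _LDAPDEFLT"


def sneak_in_candidates(users, policy: JdePolicy):
    """Accounts that would receive the _LDAPDEFLT copy on first login."""
    return sorted(u.sam for u in users if evaluate_login(u, policy).startswith("allowed: would"))


# Constructed directory export for illustration (not real accounts).
BASE = "OU=JDE Users,OU=Staff,DC=corp,DC=example"
JDE_GROUP = "CN=JDE-Users,OU=Groups,DC=corp,DC=example"
USERS = [
    AdUser("CN=Alice,OU=JDE Users,OU=Staff,DC=corp,DC=example", "ALICE", 0x200, (JDE_GROUP,)),
    AdUser("CN=Bob,OU=JDE Users,OU=Staff,DC=corp,DC=example", "BOB", 0x200),
    AdUser("CN=Carol,OU=Staff,DC=corp,DC=example", "CAROL", 0x200, (JDE_GROUP,)),
    AdUser("CN=Dave,OU=JDE Users,OU=Staff,DC=corp,DC=example", "DAVE", 0x202, (JDE_GROUP,)),
]
OU_ONLY = JdePolicy(BASE, None, frozenset({"ALICE"}))
OU_AND_GROUP = JdePolicy(BASE, JDE_GROUP, frozenset({"ALICE"}))

if __name__ == "__main__":
    for label, policy in (("OU only", OU_ONLY), ("OU + group", OU_AND_GROUP)):
        print(label)
        for u in USERS:
            print(f"  {u.sam:6} {evaluate_login(u, policy)}")
        print("  auto-create candidates:", sneak_in_candidates(USERS, policy))
```

Run against a real export (for instance a CSV of dn, sAMAccountName, userAccountControl and memberOf), the candidate list is the set of accounts an administrator should provision roles for before asking them to log in; with the group check enabled the list shrinks to the group's members, which is the effect the R9200040 approach relies on.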
 
We use LDAP set up with roles managed in JDE and not AD. When a new user logs on they get a user id disabled message. The new user is created with the defaults, but the user id is disabled, so they can't actually log in.

I agree that LDAP integration is far from "smooth", but it does work - if you can put up with the "bumps" or "rocks" (some seem like boulders!).

The LDAP (so-called) integration is an all-or-nothing process: all user IDs are authenticated using LDAP, or none. It would have been good to be able to define where a user ID is authenticated at a lower level, so that certain user IDs that JDE uses to run are not authenticated using LDAP.
 