V 3. LDAP Authentication

One of the most common user experience issues with IT systems is that end users have to remember several different user IDs and passwords, one for each system they have access to. These applications tend to have different password controls and expiration durations, which leads to further frustration as users never seem to keep up with the passwords for all their applications. LDAP stands for Lightweight Directory Access Protocol. It gives enterprise applications a single repository for storing the authentication information of all supported applications. End users can then log in to every LDAP-configured application with the same password, which is set up once in the LDAP directory and verified against it by each application at login time. It also lets security administrators configure and maintain a single set of password controls that is enforced evenly across all applications.

PeopleSoft, a major enterprise application, provides a way to use the LDAP directory for user authentication. In addition to authentication, the LDAP directory can also be used to set up an initial default user profile, or to set up directory rules for dynamic role assignment. PeopleSoft can use any directory server for LDAP authentication as long as the directory server is LDAP V3 compliant. When the user attempts to log in, PeopleSoft goes through its regular authentication process first. Only when the user ID and password validation against PSOPRDEFN fails does the system check whether LDAP authentication is enabled and, if so, invoke the business interlink to validate the provided user ID and password against the LDAP directory.

Figure V‑3 System Security – PeopleSoft authentication process with LDAP

A.     Configure Directory

Navigation: PeopleTools >> Security >> Directory >> Configure Directory

1. Directory Setup:

Figure V‑4 System Security – LDAP – Directory Setup

Directory ID: Any unique ID to identify the directory server configuration.

Description: Descriptive information for the directory configuration.

Directory Product: Select the directory server type being used. If the directory type being used is not available in the list, select ‘Other LDAP Directory’. The directory must be LDAP V3 compliant.

Default Connect DN: The User ID that PeopleSoft will use to connect to the directory server.

Password: Password of the user ID entered as the Default Connect DN.

LDAP Server: Host DNS name or IP address of the LDAP server.

Port/SSL Port: Ports on which the LDAP server accepts directory search requests, in the clear and over SSL respectively.

2. Additional Connect DNs:

Use the Additional Connect DNs tab to configure additional user IDs that can be used to connect to and search the LDAP directory. The additional DNs are useful when the default connect DN account becomes unavailable because of a lockout or a password change that has not yet been updated in PeopleSoft.

3. Schema Management:

The Schema Management tab allows you to add the PeopleSoft-delivered directory object classes to the directory server. For this feature to be available, the PeopleSoft Directory Interface product must be installed. This step is not necessary for a typical LDAP configuration.

4. Test Connectivity:

When you go to the ‘Test Connectivity’ tab, PeopleSoft attempts to connect to the specified Directory server with the Connect DN(s) provided and shows a SUCCESS or FAIL result. For the LDAP configuration to work properly, the connectivity tests have to be successful. Update the directory setup if the test results show FAIL and re-test the connectivity.

B.     Cache Directory Schema:

Navigation: PeopleTools >> Security >> Directory >> Cache Directory Schema

Before the LDAP configuration can be completed, PeopleSoft needs to be aware of all the directory attributes available in the LDAP directory server. The Cache Directory Schema process reads the directory schema information and caches it in PeopleSoft, which enables administrators to select the object classes when creating the authentication maps and other configurations.

Figure V‑5 System Security – LDAP – Cache Directory Schema

C.      Authentication Map:

Navigation: PeopleTools >> Security >> Directory >> Authentication Map

The authentication map defines the directory containers to be searched and the directory attribute that is compared with the user ID entered by the user at login.

Figure V‑6 System Security – LDAP – Authentication Map

Map Name: Authentication map name

Status: Select whether the authentication map is active or inactive.

Directory ID: Select the directory configuration that should be used for this authentication map.

Anonymous Bind: Select if all the search attributes for the user profile are publicly searchable without needing to log in to the directory server.

Use Socket Layer: Select to search the directory over the SSL port only.

Connect DN: Enter the directory user ID that PeopleSoft will use for login to the directory.

Search Base: The directory tree folder that should be searched for user information.

Search Scope: The depth of tree folders under Search Base that PeopleSoft should search.

                Sub: All levels under the Search Base

                One: One level down only

                Root: DO NOT USE

Search Attribute: The directory attribute that matches the user id entered by the user at login.

Search filter: Displays the directory search that will be done using the search attribute.

List of servers/LDAP server: Select the DNS Name or IP address of directory server.

** If you intend to maintain the user profiles manually in PeopleSoft and use directory server for authentication only, skip to “Enable Sign-on PeopleCode for LDAP Authentication”. The next two steps are for managing user profiles and roles using directory server.
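The login flow described at the start of this chapter (PSOPRDEFN first, LDAP only after that check fails) and the Authentication Map fields above, modelled as an added, self-contained Python example. This is not PeopleSoft code: the business interlink, the directory and the PSOPRDEFN table are replaced by constructed in-memory dictionaries, and the DNs, passwords, attribute names and the `LDAP_SIGNON` switch are all constructed. It shows the search-then-bind sequence the map implies, the Search Base and Search Scope limits, why the user ID must be escaped before it is placed in the search filter, and why an empty password must be rejected before any bind is attempted.

```python
import re

# Constructed PSOPRDEFN stand-in: OPRID -> password held locally by PeopleSoft
# (PeopleSoft stores a hash; plain strings keep this example self-contained).
# None means the profile exists but its password is verified in the directory.
PSOPRDEFN = {"PSADMIN": "local-only-secret", "jsmith": None}

# Constructed LDAP V3 directory stand-in: DN -> attributes.
DIRECTORY = {
    "cn=svc-peoplesoft,ou=service,dc=example,dc=com":
        {"userPassword": "svc-pass", "objectClass": ["person"]},
    "uid=jsmith,ou=people,dc=example,dc=com":
        {"uid": "jsmith", "userPassword": "Winter-2024", "objectClass": ["person"]},
    "uid=mlee,ou=contractors,ou=people,dc=example,dc=com":
        {"uid": "mlee", "userPassword": "Spring-2024", "objectClass": ["person"]},
}

# Authentication Map fields named on the page; every value here is constructed.
AUTH_MAP = {
    "status": "Active",
    "anonymous_bind": False,
    "connect_dn": "cn=svc-peoplesoft,ou=service,dc=example,dc=com",
    "connect_password": "svc-pass",
    "search_base": "ou=people,dc=example,dc=com",
    "search_scope": "Sub",            # "Sub" or "One" ("Root" is not used)
    "search_attribute": "uid",
}

# Signon PeopleCode switch for FUNCLIB_LDAP/LDAP_AUTHENTICATION (section F).
LDAP_SIGNON = {"enabled": True, "exec_auth_fail": True}

FILTER_RE = re.compile(r"^\(([A-Za-z][\w-]*)=(.*)\)$")


def escape_filter_value(value):
    """RFC 4515 escaping: the user ID becomes data in the filter, never syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_search_filter(oprid, auth_map=AUTH_MAP):
    """The 'Search filter' the page displays, e.g. (uid=jsmith)."""
    return "(%s=%s)" % (auth_map["search_attribute"], escape_filter_value(oprid))


def _rdns(dn):
    return [part.strip() for part in dn.split(",")]


def ldap_search(base, scope, ldap_filter, directory=DIRECTORY):
    """Equality search limited by Search Base and Search Scope; returns matching DNs."""
    m = FILTER_RE.match(ldap_filter)
    if not m or any(c in m.group(2) for c in "()*"):
        raise ValueError("malformed or unsupported filter: %r" % ldap_filter)
    attribute = m.group(1)
    value = re.sub(r"\\([0-9a-fA-F]{2})",
                   lambda h: chr(int(h.group(1), 16)), m.group(2))
    base_rdns = _rdns(base)
    hits = []
    for dn, attrs in directory.items():
        rdns = _rdns(dn)
        depth = len(rdns) - len(base_rdns)
        if depth < 1 or rdns[-len(base_rdns):] != base_rdns:
            continue                      # outside the Search Base
        if scope == "One" and depth != 1:
            continue                      # One: a single level below the base only
        if attrs.get(attribute) == value:
            hits.append(dn)
    return hits


def ldap_bind(dn, password, directory=DIRECTORY):
    """Simple bind. An empty password is refused outright: a DN with no password
    is an unauthenticated bind on LDAP servers and must never count as a login."""
    if not password:
        return False
    entry = directory.get(dn)
    return entry is not None and entry.get("userPassword") == password


def ldap_authenticate(oprid, password, auth_map=AUTH_MAP):
    """Search-then-bind against the Authentication Map; True only for one matching entry."""
    if auth_map["status"] != "Active" or not password:
        return False
    if not auth_map["anonymous_bind"]:
        # Connect DN locked out or its password stale: the map cannot search at all.
        if not ldap_bind(auth_map["connect_dn"], auth_map["connect_password"]):
            return False
    hits = ldap_search(auth_map["search_base"], auth_map["search_scope"],
                       build_search_filter(oprid, auth_map))
    if len(hits) != 1:
        return False                      # unknown user ID, or an ambiguous one
    return ldap_bind(hits[0], password)


def signon(oprid, password):
    """Order from the page: PSOPRDEFN first; LDAP only after that fails and
    FUNCLIB_LDAP/LDAP_AUTHENTICATION is enabled with Exec Auth Fail."""
    stored = PSOPRDEFN.get(oprid)
    if stored is not None and password and password == stored:
        return "LOCAL"
    if LDAP_SIGNON["enabled"] and LDAP_SIGNON["exec_auth_fail"]:
        if ldap_authenticate(oprid, password):
            return "LDAP"
    return "FAIL"


if __name__ == "__main__":
    for user, pw in [("PSADMIN", "local-only-secret"), ("jsmith", "Winter-2024"),
                     ("jsmith", ""), ("jsmith)(uid=*", "Winter-2024")]:
        print(user, "->", signon(user, pw))
```

Two details carry over to a real deployment: the connect DN bind failing is the situation the Additional Connect DNs tab exists for, and a search that returns more than one entry for a user ID is treated as a failure rather than binding to the first hit.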

D.     User Profile Map:

Navigation: PeopleTools >> Security >> Directory >> User Profile Map

Every user accessing a PeopleSoft application is required to have a valid row in the PSOPRDEFN table, which stores the user profile information. When a user logs in to the PeopleSoft application with valid LDAP directory credentials validated by the authentication map, the system checks whether there is a valid row for this user in PSOPRDEFN and binds the user session to the OPRID in that table. If no existing user profile is found in PSOPRDEFN for the user ID, the system can create a default user profile using the User Profile Map, if one is configured. If no User Profile Map is configured, the authentication fails and the user has to wait for the PeopleSoft security administrator to create his or her user profile in PeopleSoft before accessing the application. The User Profile Map serves as a mapping between directory server attributes and field names in the PSOPRDEFN table. Not every field in PSOPRDEFN needs to map directly to a directory attribute: a field can instead be set to a standard default value for every user profile, or left blank where the table restrictions on PSOPRDEFN permit it.

Mandatory User Properties

Figure V‑7 System Security – LDAP – User Profile Map – Mandatory User Properties

User Profile Map: Name of the User Profile Map

Authentication Map: Authentication Map that should be used for this User Profile Map.

Directory ID: Automatically selected depending upon the Authentication Map selected.

User ID Attribute: Directory server attribute that should match OPRID in PSOPRDEFN (recommended to be the same as the Search Attribute, although it does not have to be).

ID Type: User ID type to be entered on the User Profile >> ID tab.

ID Type Attribute: Automatically displayed depending upon the ID type selected.

Use Default Role: Select if all new user profiles automatically created should be granted the same default role.

Role Name: Only available if Use Default Role is selected. Enter the default role name that should be granted to all new profiles created through LDAP authentication.

Role Attribute: Directory server attribute that holds the role name to be granted upon creation of PeopleSoft user profile.

Use Default Language Code: Select if all new user profiles automatically created should be assigned the same default language code.

Language Code: Only available if Use Default Language Code is selected. Enter the default language code that should be assigned to all new profiles created through LDAP authentication.

LangCD Attribute: Directory server attribute that holds the Language Code to be granted upon creation of PeopleSoft user profile.

Optional User Properties

Figure V‑8 System Security – LDAP – User Profile Map – Optional User Properties

The Optional User Properties page is used to set the values of those user profile fields in PSOPRDEFN that are optional when creating the user profile in PeopleSoft.

User Profile Property: Select the property in PeopleSoft user profile that you want to bind with directory attribute.

Attribute Name: LDAP directory attribute that holds the value for the specific User profile property.

Use Constant Value: Select this check box if you want to specify a constant value for all default user profiles created through directory service.

Constant Value: Only available when ‘Use Constant Value’ is selected. Specify the constant value for the user profile property to be set for all default user profiles.

Always Update: Select this check box to keep the user profile information updated from the directory server every time a user logs in. If not selected, the user profile property is updated only during initial creation and has to be manually maintained within PeopleSoft.
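The Mandatory and Optional User Properties pages above, as an added Python example of how a User Profile Map turns a directory entry into a PSOPRDEFN row. This is not PeopleSoft code: the tables are constructed dictionaries, the directory attribute names (`psRole`, `preferredLanguage`, `displayName`) are constructed, the PSOPRDEFN/PSROLEUSER names and columns are the commonly known PeopleTools ones and are assumptions here, and the decision to abort profile creation when a mandatory property has no value is the example's own. It shows the first-login creation path, the default-versus-attribute choice for role and language code, a constant-valued optional property, and the difference the Always Update check box makes on the second login.

```python
# Constructed stand-ins for the PeopleSoft tables touched by a User Profile Map:
# PSOPRDEFN holds the user profile row, PSROLEUSER the roles granted to it
# (table and column names are the commonly used PeopleTools ones, assumed here).
PSOPRDEFN = {}
PSROLEUSER = {}

# Constructed directory entries, as the Authentication Map search would return them.
DIRECTORY_ENTRIES = {
    "uid=jsmith,ou=people,dc=example,dc=com": {
        "uid": "jsmith", "mail": "jsmith@example.com", "displayName": "Jane Smith",
        "psRole": "HR Employee", "preferredLanguage": "ENG"},
    "uid=mlee,ou=people,dc=example,dc=com": {
        "uid": "mlee", "mail": "mlee@example.com", "displayName": "M. Lee"},
}

# Mandatory User Properties page (directory attribute names are constructed).
MANDATORY = {
    "user_id_attribute": "uid",           # must match OPRID
    "use_default_role": False,
    "role_name": "PeopleSoft User",       # used only when use_default_role is True
    "role_attribute": "psRole",
    "use_default_language_code": False,
    "language_code": "ENG",               # used only when use_default_language_code is True
    "langcd_attribute": "preferredLanguage",
}

# Optional User Properties page: one row per PSOPRDEFN property.
OPTIONAL = [
    {"property": "EMAILID", "attribute": "mail", "use_constant": False,
     "constant": None, "always_update": True},
    {"property": "OPRDEFNDESC", "attribute": "displayName", "use_constant": False,
     "constant": None, "always_update": False},
    {"property": "SYMBOLICID", "attribute": None, "use_constant": True,
     "constant": "SYSADM1", "always_update": False},     # constructed constant
]


def _mandatory_value(entry, use_default, default_value, attribute):
    """Default value when 'Use Default ...' is ticked, else the directory attribute."""
    return default_value if use_default else entry.get(attribute)


def sync_profile(entry, mandatory=MANDATORY, optional=OPTIONAL):
    """Create the PSOPRDEFN row on first login, then refresh only the 'Always Update'
    properties on later logins. Returns the row, or None when no profile can be made."""
    oprid = entry.get(mandatory["user_id_attribute"])
    if not oprid:
        return None
    is_new = oprid not in PSOPRDEFN
    if is_new:
        role = _mandatory_value(entry, mandatory["use_default_role"],
                                mandatory["role_name"], mandatory["role_attribute"])
        lang = _mandatory_value(entry, mandatory["use_default_language_code"],
                                mandatory["language_code"], mandatory["langcd_attribute"])
        if not role or not lang:
            return None      # assumption: a missing mandatory property aborts creation
        PSOPRDEFN[oprid] = {"OPRID": oprid, "LANGUAGE_CD": lang}
        PSROLEUSER.setdefault(oprid, set()).add(role)
    row = PSOPRDEFN[oprid]
    for prop in optional:
        if not (is_new or prop["always_update"]):
            continue         # set once at creation, maintained manually afterwards
        value = prop["constant"] if prop["use_constant"] else entry.get(prop["attribute"])
        if value is not None:
            row[prop["property"]] = value
    return row
```

The role granted on creation comes straight from a directory attribute when Use Default Role is not selected, so whoever can write that attribute in the directory decides the initial PeopleSoft role; that is the reason to keep the attribute under the same change control as PeopleSoft security itself.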

 

E.      Role Membership Rules:

Navigation: PeopleTools >> Security >> Directory >> Role Membership Rules

Role membership rules are directory search criteria that are used by dynamic roles in PeopleSoft to determine the list of users to assign the role to. When configured as a rule for a dynamic role, PeopleSoft searches the LDAP directory for a list of users that match the criteria for the directory rule and assigns the role to all these users and automatically removes it from any users that might have previously been granted the role but no longer match the membership rule.

** Refer to Dynamic Role – Directory Rule Enabled section in this book for more information on creating directory rule enabled dynamic roles.

** Any user who has been granted a role manually is not affected by the dynamic role’s rule and will continue to have access to the role even if they do not match the role rule.

 

Figure V‑9 System Security – LDAP – Role Member Rules

Rule Name: Name of the directory rule

Description: Descriptive information for the directory rule.

User Profile Map: Select the User Profile Map to be used for the directory rule when conducting the directory search.

Directory ID: Automatically populated from the selected User Profile Map.

Search base: Directory tree node which should be searched for users.

Search Scope: The depth of tree folders under Search Base that PeopleSoft should search.

                Sub: All levels under the Search Base

                One: One level down only

                Base: Only the search base provided

Build Filter/Attribute: The directory attribute to search against.

Build Filter/Value: The value to match the directory attribute with.

** Use the left and right parentheses, the operation, the ‘and/or’ selector and the “+” and “–” controls to build a logical search filter from one or more criteria to match.

Search Filter: Use the search filter to exclude any entries in the directory server that should not be included in the role rule. For example, the screenshot above restricts processing to entries with objectclass=person.
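The Role Membership Rule fields above, together with the dynamic-role behaviour described at the start of this section (grant to everyone matching the rule, remove from previously rule-granted users who no longer match, leave manual grants alone), as an added Python example. This is not PeopleSoft code: the directory, the rule and the current role membership are constructed dictionaries, the attribute names other than objectclass are constructed, and the filter is written as nested tuples rather than through the Build Filter grid. It shows how the Build Filter criteria and the objectclass=person Search Filter combine into one LDAP filter string, how Search Base and Search Scope limit the candidates, and what the role membership delta looks like.

```python
# Constructed directory stand-in: DN -> attributes.
DIRECTORY = {
    "uid=jsmith,ou=people,dc=example,dc=com":
        {"objectClass": ["person"], "uid": "jsmith", "departmentNumber": "HR", "employeeType": "Employee"},
    "uid=mlee,ou=people,dc=example,dc=com":
        {"objectClass": ["person"], "uid": "mlee", "departmentNumber": "HR", "employeeType": "Contractor"},
    "uid=rchen,ou=people,dc=example,dc=com":
        {"objectClass": ["person"], "uid": "rchen", "departmentNumber": "Finance", "employeeType": "Employee"},
    "cn=hr-all,ou=people,dc=example,dc=com":
        {"objectClass": ["groupOfNames"], "departmentNumber": "HR"},   # not a person: dropped by Search Filter
    "uid=svc-hr,ou=service,dc=example,dc=com":
        {"objectClass": ["person"], "uid": "svc-hr", "departmentNumber": "HR", "employeeType": "Employee"},
}

# Filter nodes: ("=", attr, value) | ("&", [nodes]) | ("|", [nodes]) | ("!", node)
RULE = {
    "rule_name": "HR_EMPLOYEES",
    "user_id_attribute": "uid",          # from the rule's User Profile Map
    "search_base": "ou=people,dc=example,dc=com",
    "search_scope": "Sub",               # Sub | One | Base
    "search_filter": ("=", "objectClass", "person"),
    "build_filter": ("&", [("=", "departmentNumber", "HR"),
                           ("!", ("=", "employeeType", "Contractor"))]),
}


def to_ldap_filter(node):
    """Render a node tree as the LDAP filter string the directory would receive."""
    op = node[0]
    if op == "=":
        return "(%s=%s)" % (node[1], node[2])
    if op == "!":
        return "(!%s)" % to_ldap_filter(node[1])
    return "(%s%s)" % (op, "".join(to_ldap_filter(n) for n in node[1]))


def matches(entry, node):
    """Evaluate a node tree against one entry (exact match; a real directory
    applies each attribute's own matching rule, e.g. case-insensitive)."""
    op = node[0]
    if op == "=":
        value = entry.get(node[1])
        return node[2] in (value if isinstance(value, list) else [value])
    if op == "!":
        return not matches(entry, node[1])
    if op == "&":
        return all(matches(entry, n) for n in node[1])
    return any(matches(entry, n) for n in node[1])


def in_scope(dn, base, scope):
    """Search Base / Search Scope check on a DN."""
    rdns = [p.strip() for p in dn.split(",")]
    base_rdns = [p.strip() for p in base.split(",")]
    depth = len(rdns) - len(base_rdns)
    if depth < 0 or rdns[-len(base_rdns):] != base_rdns:
        return False
    return {"Base": depth == 0, "One": depth == 1, "Sub": True}[scope]


def rule_members(rule, directory=DIRECTORY):
    """User IDs the rule currently resolves to: Search Filter AND Build Filter."""
    full = ("&", [rule["search_filter"], rule["build_filter"]])
    members = set()
    for dn, attrs in directory.items():
        if in_scope(dn, rule["search_base"], rule["search_scope"]) and matches(attrs, full):
            user_id = attrs.get(rule["user_id_attribute"])
            if user_id:
                members.add(user_id)
    return members


def apply_dynamic_role(rule, role_members, directory=DIRECTORY):
    """role_members maps OPRID -> 'dynamic' or 'manual'. Returns (granted, revoked,
    new_members): rule-granted users who no longer match are removed, manual grants stay."""
    wanted = rule_members(rule, directory)
    granted = {u for u in wanted if u not in role_members}
    revoked = {u for u, how in role_members.items() if how == "dynamic" and u not in wanted}
    new_members = {u: how for u, how in role_members.items() if u not in revoked}
    new_members.update({u: "dynamic" for u in granted})
    return granted, revoked, new_members


if __name__ == "__main__":
    print(to_ldap_filter(("&", [RULE["search_filter"], RULE["build_filter"]])))
    print(apply_dynamic_role(RULE, {"rchen": "dynamic", "bwayne": "manual"}))
```

Running it prints the combined filter, (&(objectClass=person)(&(departmentNumber=HR)(!(employeeType=Contractor)))), and the membership delta: jsmith granted, rchen revoked, bwayne kept because the grant was manual. Because a manual grant survives every refresh, the set of manually granted users for a rule-driven role is worth reviewing on its own.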

F.      Enable Sign-on PeopleCode for LDAP Authentication:

Navigation: PeopleTools >> Security >> Security Objects >> Signon PeopleCode

The Signon PeopleCode page controls which functions in the sign-on PeopleCode are enabled and executed during the user sign-on process.

Figure V‑10 System Security – LDAP – Sign on PeopleCode

Invoke as user signing in: Select if you want to invoke the sign-on PeopleCode as the user attempting to sign in.

Invoke as User ID/Password: Select if you always want to invoke the sign-on PeopleCode as a specific user.

** Irrespective of which option is selected, the user invoking the sign-on PeopleCode must have access to the user profile component and the related web libraries.

Signon PeopleCode options:

  • FUNCLIB_PSWDCNTL: Automatically selected if password controls are enabled.
  • FUNCLIB_LDAP/WWW_AUTHENTICATION: Enable if you have web authentication enabled.
  • FUNCLIB_LDAP/TivoliSSO: Enable when Single Sign On is configured to work with the Tivoli SSO application.
  • FUNCLIB_LDAP/SSO_AUTHENTICATION: Enable if Single Sign On is configured.
  • FUNCLIB_LDAP/LDAP_PROFILESYNCH: Enable to use User Profile Map to synch user profiles from directory information.
  • FUNCLIB_LDAP/OAMSSO_AUTHENTICATION: Enable if Single Sign On is configured to work with Oracle Access Manager SSO application.
  • FUNCLIB_LDAP/LDAP_AUTHENTICATION: Enable for LDAP authentication.

** For the purposes of LDAP authentication, the FUNCLIB_LDAP/LDAP_AUTHENTICATION option needs to be enabled with the ‘Exec Auth Fail’ option selected, because LDAP authentication always fires after the initial login attempt against PSOPRDEFN directly in PeopleSoft has failed.