Using etldap

[telula]

Hello,
Has anyone successfully used the etldap?
Is there any tips or tricks that is not in the TM1 Security Guide?
I have entered the search DN in many possible combinations but nothing seems to work.

[David Usherwood]

We looked at it when it first came out, had a long support session, and concluded it was useless, probably because of extremely poor documentation which made lots of assumptions about your LDAP structure. However I have read other postings which say it has worked for the poster.

Since then we have implemented Integrated Login by adding the UniqueID element in }ClientProperties (must be done with TI) then using windows scripting to get the user details and a TI to merge them in. More hand crafted than I would really like - but it works (unlike ETLDAP).

[jstrygner]

David,

From what I understand you use a TI process with 'ExecuteCommand' function to get the info about users that can login to TM1 and their UniqueID to enable for them Integrated Login.

1. Could you, please, put here an example of such a file that will update users and their UniqueIDs in TM1?
2. Did you have to build any additional structures (outside TM1) to make it work, or you refer directly to ActiveDirectory?
3. Is it possible, that you set up TM1 groups in AD and you also import this information to TM1? E.g. in AD you have groups like TM1Planners, TM1Europe, TM1Administrators and on a basis of it you create/update groups in TM1 and assign users to these groups? Assigning rights to groups is a separate thing which I do not need, but assigning users to groups seems to be crucial.
4. Although you define users (and groups?) in AD, can you create additional users and groups in TM1 that do not exist in AD, but will work in TM1 (new users would need to get UniqueID manualy or login by giving a password)?

Kind regards.

[David Usherwood]

David,

From what I understand you use a TI process with 'ExecuteCommand' function to get the info about users that can login to TM1 and their UniqueID to enable for them Integrated Login.

1. Could you, please, put here an example of such a file that will update users and their UniqueIDs in TM1?
Sorry - we built it for clients - can't really publish it. Look around the 'DS' commands which allow you to talk to AD.
2. Did you have to build any additional structures (outside TM1) to make it work, or you refer directly to ActiveDirectory?
No - just AD.
3. Is it possible, that you set up TM1 groups in AD and you also import this information to TM1? E.g. in AD you have groups like TM1Planners, TM1Europe, TM1Administrators and on a basis of it you create/update groups in TM1 and assign users to these groups? Assigning rights to groups is a separate thing which I do not need, but assigning users to groups seems to be crucial.
I _really_ wouldn't go this route as it would seriously complicate what you need to do. You could probably query AD for a list of groups but then you'd have to iterate through them to get what you want.Google may help here.
4. Although you define users (and groups?) in AD, can you create additional users and groups in TM1 that do not exist in AD, but will work in TM1 (new users would need to get UniqueID manualy or login by giving a password)?
As we built it, the users in TM1 are _replaced_ by those in AD. If you have integrated login on, the 'other' users won't be able to connect, since AD won't know who they are. You can make both available (SecurityMode 2, I recall) but I really can't see the point.

Kind regards.

[jstrygner]

Thanks a lot for a fast and full reply.
I will try to work it out together with Google.
Kind regards.