Page 1 of 1
IntegratedSecurityMode = 2 Switching Between TM1 and LDAP authentication
Posted: Mon May 02, 2016 6:32 pm
by kj4
I'm interested in knowing if there is a way to create a test / admin user when the login method for TM1 is LDAP authentication. It would be nice to have a test user when testing the security of other profile user groups.
When I originally read the following from the tm1s.cfg file:
# If IntegratedSecurityMode is set to 2. The clients will have the choice
# to connect provide a database username and password or use the single-login
# mechanism for authentication.
I assumed the client would have the choice to "switch" between LDAP and TM1 depending on the userID. Is it possible to switch other than changing PasswordSource=LDAP or PasswordSource=TM1 (which requires restarting TM1 services)? If not, is there another way to create a test user when IntegratedSecurityMode is set to 2?
Thanks!
Re: IntegratedSecurityMode = 2 Switching Between TM1 and LDAP authentication
Posted: Tue May 03, 2016 7:49 am
by TrevorGoss
I assumed the client would have the choice to "switch" between LDAP and TM1 depending on the userID. Is it possible to switch other than changing PasswordSource=LDAP or PasswordSource=TM1 (which requires restarting TM1 services)? If not, is there another way to create a test user when IntegratedSecurityMode is set to 2?
All the cfg parameters you have mentioned are static parameters, so a restarting of the service would nee to occur for the parameters to update. I do not think you can create a test user that has an individual IntegratedSecutiyMode, as that setting is in the cfg file.
Can you set up a new TM1 server, and create your testing scenario in that?
Re: IntegratedSecurityMode = 2 Switching Between TM1 and LDAP authentication
Posted: Tue May 03, 2016 9:09 am
by David Usherwood
FYI, in 10.3 (aka Planning Analytics - cloud only at present), IntegratedSecurityMode is now dynamic -
http://www-01.ibm.com/support/docview.w ... wg27047055
Re: IntegratedSecurityMode = 2 Switching Between TM1 and LDAP authentication
Posted: Tue May 03, 2016 9:10 am
by lotsaram
"Mixed mode" between TM1 authentication and windows integrated login does NOT mean that the server supports a mix of users some of which exclusively use integrated authentication and some of which exclusively use native. RATHER is means that for a given user ("user" = element in }Clients dimension) it is possible to log in with either native TM1 security or integrated login provided that the client being used ("client" = user interface) has been built to support this switch in authentication method. The UniqueID property in the }ClientProperties cube determines whether the integrated login will succeed.
- windowsintegratedsecurity.jpg (11.22 KiB) Viewed 4554 times
I am pretty sure that this is covered in the Operations Manual.
Re: IntegratedSecurityMode = 2 Switching Between TM1 and LDAP authentication
Posted: Tue May 03, 2016 11:51 am
by kj4
Thanks everyone for the responses. It appears that my interpretation of how IntegratedSecurityMode 2 works was misguided.