LDAP Authentication

MSidat · Post by **MSidat** » Mon Nov 21, 2011 5:19 pm

Hi,

Wondered if anyone out there could share some insight about the LDAP setup.

We are looking at implementing the full blown LDAP Authentication Security on all of our TM1 Models. I have got this working, without using the ETLDAP tool, which seems to be a bit of an overkill when a businesses OU's do not necessary match up with the TM1 user base.

However I have got some strange behaviour and wondered whether this was yet another TM1 quirk or if I had overlooked anything.

I have got an existing Production Model, started it up on a UAT box and changed the config file to use LDAP. Server comes up fine, I log in with my windows username and password and it works fine, my fellow developers do the log in as well and its fine. However one user tries to log in and it says password has expired and fails to authenticate the user.

On investigation it turns out it is the password stored in TM1 (which was used prior to using LDAP) which had expired and obviously not the Windows one so it seems although it authenticates using the LDAP (Active Directory in our case) it does a secondary check against some TM1 data as well. It has to check the Client exists in the Client Dim, but why the check against the password timestamp and Expiration Days in the ClientProperties cube, when it is not even using the password stored in that cube to log in and when all password resets will be done at Operating System level.

The obvious work around would be to set a rule up that always marks the expiration days as "No Expiration".

Granted this would never happen if you were starting from scratch or using ETLDAP as it imports clients in from afresh i.e. creates new clients as such no password is ever set in TM1.

Is this a quirk, or have I missed a step in my configuration?