ETLDAP: Mapping menu did not appear & other questions

Posted: Sun May 13, 2012 6:40 am
by harrytm1
Hi all,

This is my 1st time using ETLDAP to bring in User IDs into TM1 to enable integrated login. I'm using 9.5.1 in this case.

Here are some questions after attempting to set it up, which I hope you can shed some light:

Qn1 : Can IntegratedSecurityMode be set to 2 i.e. Mixed Mode instead of using 3? Users are to provide their ID and password which will be authenticated by LDAP (their email system). However, there could be cases where some users do not have email accounts in LDAP and need to login using generic TM1 ID. Is this possible?

Qn2: The users in this instance are all from the same Division. However, the two Admin ID holders are from the IT Division. Hence, the IT admins' email accounts are under another node in the LDAP tree. From the ops guide, it seems that the tm1s.cfg parameter can only be set to point to one node to look up the ID and password during authentication. Please correct me if my understanding is incorrect.

If this is true, while I can use ETLDAP to pull IDs from two different nodes on two separate occasions and import them into TM1, how can the IT admins' IDs be authenticated subsequently?

Qn3: The LDAP is not using SSL. I was given an ID which was used successfully to call up the full list of user accounts in that Division, as well as the attributes. However, when I tried to bring up the Mapping GUI by clicking on "Mapping" in the menu, nothing comes up. I found a workaround on the IBM site that entails saving the profile, then manually editing the file with the mapping parameters. Has anyone encountered this issue, and is this the right way to resolve it?

Look forward to your advice!

Harry

Re: ETLDAP: Mapping menu did not appear & other questions

Posted: Mon May 14, 2012 11:50 pm
by paulsimon
Harry

Yes you can have mixed mode.

If all you want to do is to enable Windows Authentication then using ETLDAP is a very cumbersome way to do it. It is a little late in the day for me to give you the details now, but if you search the forum you will find a post I did on how to do it.

The basics are to set a property for each user to tie them to their domain name, usually something like psimon@mydomain, then just enable integrated login via the tick box in Explorer options and it's there. It's a bit more complex if you are using TM1 Web, but that is still the same whether you use ETLDAP or not.

If your TM1 Names match the User Names, you can even do this with a rule.

I think the cube is }ClientSettings or }ClientProperties. I can't remember which right now.

Regards

Paul

Re: ETLDAP: Mapping menu did not appear & other questions

Posted: Tue May 15, 2012 8:22 am
by harrytm1
Hi paul,

Thanks for the reply! Yes, I have actually read all posts related to ETLDAP on this forum.

What you had mentioned is for single sign-on or straight-through. What I need now is not straight-through; the user still has to provide their LDAP ID (either email address or UID in LDAP) and password, which will then be sent to LDAP for authentication.

I did realise that, instead of using ETLDAP to import those 100 IDs under a department node in LDAP, of which only 50 are TM1 users, I could have skipped the ETLDAP part and simply created the same 50 IDs directly in TM1 manually. In this case, I would not then have to remove the other 50 LDAP IDs that should not have access to TM1.

However, I will still need to set up the SSL part and the right tm1s.cfg parameters so that TM1 knows the LDAP host, filter and node to look up the corresponding LDAP ID during login. This is the part where I'm stumped.

I have enabled LDAPAUTH logging and from the tm1server.log, I saw the following error:
LDAP ERROR: 0x51 - ldap_connect failed

There is no other error line before that. I suspect that it is because the LDAP admin did not provide any SSL cert. Hence, I was unable to do anything concerning the SSL handshake etc. I was only provided with an email address which supposedly has read access to LDAP, and the relevant node and filters to work with.

While using ETLDAP, I tested the connection using the said email address and password, but only if SSL is not enabled.

By the way, the test TM1 instance service is running under a local account. I read that the TM1 service must be running under the same account that has access to LDAP. Is this correct?

Harry