
K1000 user authentication order

When you set up multiple criteria which could apply to a user when they log into the K1000, how is it determined which takes precedence? For example, our admins are given the admin role based on a group membership, but as I'm toying with setting up the software library I'd like to add a catch-all which will just give a domain user the User role (unless they have something more specific defined). I imagine there's some precedence rule when you set these up, so how is that determined?



Answers (1)

Posted by: jknox 11 years ago

Roles are set up with LDAP authentication or manual application in the user section. 

Most that I see use separate LDAP imports, one for admins and one for users. Admins in that case are usually defined by an LDAP label.


Comments:
  • We're not doing imports as such, but rather we have LDAP criteria set up in the user authentication section. What I want to know is, if a user fits two or more of those criteria, and is thus eligible for more than one role, how does the system choose which role to assign?

    Specifically, I'm looking to put an LDAP rule in place that gives the User role to all domain users, without overriding the already-existing rule that gives the Admin role to domain users who are in the appropriate domain group. - cdrzewiecki 11 years ago
  • Sorry, I was using import when I meant LDAP authentication. Basically, you would set up 2 LDAP authentication servers in the K1000 (can be the same physical server, will expand on that below). The first would be your admin users, the second would be regular users. The K1000 evaluates them in order, top down.

    If the user trying to log in has admin rights, it will authenticate there. If not, the user will authenticate at the second LDAP server configured in the K1000.

    You can use the same LDAP server multiple times if you use the hostname, IP address and fully qualified domain name in separate instances of an LDAP server in the K1000. - jknox 11 years ago
  • Ah, that makes sense and is what I was looking for. So I just have to make sure that the top-to-bottom ordering is what I want. Thanks! - cdrzewiecki 11 years ago
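
The top-down evaluation described in this thread, modelled as an added example that is not part of the original posts or the K1000's own code: the first matching entry decides the role, so a catch-all placed above the admin entry leaves the admin entry unreachable. The rule labels, group names and users are constructed, and each `matches` function is an assumed stand-in for an entry's LDAP filter.

```python
# Added illustration: a model of top-down, first-match role assignment.
# Rule labels, group names and users are constructed, not K1000 data.
from typing import Callable, NamedTuple

class Rule(NamedTuple):
    label: str                       # hypothetical label for one LDAP server entry
    role: str                        # role granted when this entry matches
    matches: Callable[[set], bool]   # assumed stand-in for the entry's LDAP filter

ADMIN = Rule("admins", "Admin", lambda groups: "K1000-Admins" in groups)
CATCH_ALL = Rule("all-domain-users", "User", lambda groups: "Domain Users" in groups)

# Constructed directory: user -> group memberships
DIRECTORY = {
    "alice": {"Domain Users", "K1000-Admins"},
    "bob": {"Domain Users"},
    "svc-ext": set(),
}

def resolve_role(rules, user):
    """Return the role of the first entry (top down) that matches, else None."""
    groups = DIRECTORY.get(user, set())
    for rule in rules:
        if rule.matches(groups):
            return rule.role
    return None

def shadowed_rules(rules):
    """Labels of entries that never win for any user in the sample directory."""
    winners = set()
    for groups in DIRECTORY.values():
        for rule in rules:
            if rule.matches(groups):
                winners.add(rule.label)
                break
    return [rule.label for rule in rules if rule.label not in winners]

if __name__ == "__main__":
    for order in ([ADMIN, CATCH_ALL], [CATCH_ALL, ADMIN]):
        labels = [rule.label for rule in order]
        roles = {user: resolve_role(order, user) for user in DIRECTORY}
        print(labels, roles, "shadowed:", shadowed_rules(order))
```

Running a check like `shadowed_rules` against a sample of real accounts before reordering entries shows whether any role assignment would silently stop applying.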
