TeamSite - LDAP Authentication + Authorization W2K3
System
Oakland County Michigan
Question: How do we migrate from using local and domain users to using LDAP TeamSite users?
Current Environment:
- TeamSite v6.1
- Current OS: Windows 2000 Adv Server
- The current server is a member of our OAKNTDM domain, and domain users are dropped into local Windows groups on the server. There are also a handful of local users dropped into local groups.
- Individuals can authenticate against the DOMAIN or SERVER depending on what kind of user they are.
- File permissions on workareas are done when setting up a workarea through the TeamSite GUI; in the “groups for sharing” field, a local group is used (i.e. iw_grp_drain).
- Directory permissions within the workarea are set through Windows permissions (right click on a directory from the Y: drive, select the security tab, add the local group that needs permission to that directory, cascade permissions to all child objects). See the diagram below for screen shots on how permissions are set. Note: within a single branch there are 50+ directories with different permissions. In the templatedata folder there are 7 template types X 50 directories, all with their respective permissions.
New Environment:
- New server we are migrating to: Server 2003 Std
We now want to use a Sun LDAP to authenticate and authorize users.
Documentation in the admin guide gives instructions about configuring the IW.CFG file to use LDAP to authenticate the TeamSite users.
I am assuming we can edit the UID files to include “ldap\username” of each user as opposed to “domain\username” as we do now.
The problem we have is how to authorize the users to have access to certain workareas or directories.
As mentioned before, we drop domain or local users into local groups.
1) Ideally, if we could drop the LDAP users into the Windows local groups, all of our problems would be solved with a simple iwidmap. I don’t think that is possible in Windows.
2) Another way would be to create groups within the LDAP mimicking the existing local groups. I may be able to somehow use iwidmap to remap to these new LDAP groups. How in the future would I set/add file permissions on a new or existing directory? This is done through Windows ACL…. How would we map the new LDAP groups to new directories?
3) This server is in a DMZ so it is not part of a domain. I could lobby to have it be part of a domain and possibly use Active Directory to assist in our plight. The LDAP we will be using is used only for Netegrity, but I would assume it would be fairly easy to have our Corporate Active Directory point to an additional datasource.
In our current environment we set folder and file permissions within a workarea so that only members of a certain group can edit or save within a particular folder. In the example below, these are the Windows permissions for the index.html file within the DRAIN folder. Only people who are members of iw_grp_drain can read/write to items within this folder. If we wanted to give the PARKS dept access to this folder, we would click the add button below, add the local group for parks, and cascade the permissions to all child objects.
<see image 1>
Likewise, in the same workarea there is a copy of the HEALTH folder. Health has their own workarea as well. But as you can see, permissions to write to the health folder are done in the same way through local Windows groups.
Sorry to be long-winded, but it seems the common theme is for people not to post enough info, like what OS, what TS version, etc.
Thanks
Chris