Creating an LDAPBind Login Scheme (Multiple Domains)
Use this procedure if your system has multiple Windows domains and each of your users is set up on one of those domains. This setup is a variation on setting up an LDAPBind login scheme for multiple containers.
- Set up the LDAP tree to group your domains. The LDAP tree must have a structure similar to the following. That is, all domains (and their users) are underneath an "ou=domains" node.
- In the Infor Rich Client, access the Security System Management application and then Login Scheme. On the Login Scheme List, select Actions > Create LDAP Bind Login Scheme and then edit the fields described below.
- or -
At a Landmark command prompt, type
secadm loginscheme add SSOPV2_LDAP_BIND --schemetype WebUPLogin --loginprocedure LDAPBind --provider ldap_provider --rdn ldap_rdn --namingattr ldap_namingattr --multiplecontainers yes --searchfilter ldapSearchFilter --searchstructclass ldapSearchStruct --searchbinddn ldapSearchBinddn --searchbindpassword ldapSearchBindPassword --referral ldapReferralHandling --derefalias ldapDerefAlias

where:

| Option | LRC Field Name | Description |
|---|---|---|
| login-scheme-name | Login Scheme | Specify the login scheme name. |
| --description description | Description | Optional. Add a description of the login scheme. |
| --schemetype scheme-type | Scheme Type | Specify WebUPLogin. |
| --loginprocedure login-procedure | Login Procedure | Specify LDAPBind in order to authenticate web access based on LDAP entries stored in a customer-specified location instead of in the Lawson default location. |
| --provider ldap_provider | Provider | The LDAP server host name and LDAP port formatted as a URL, for example ldap://hostname:portnumber |
| --rdn ldap_rdn | RDN | The Relative Distinguished Name (RDN) container for all users in the LDAP directory. For the multiple domain scenario, this is ou=%DOMAIN%,ou=domains,o=rootnode, where rootnode is the top node of your LDAP. For example, ou=%DOMAIN%,ou=domains,o=lawson |
| --namingattr ldap_namingattr | Naming Attr | The naming attribute for users in the LDAP user container, for instance cn or uid. |
| --multiplecontainers | Multiple Container | Whether the users are in a single container or multiple containers. To set up a login scheme for multiple domains, use yes. |
| --searchfilter | Search Filter | The filter used to search the LDAP structure, for example (&(<NAMING_ATTR>=<NAMING_ATTR_VALUE>)(objectclass=<STRUCTURAL_OBJCLASS_VALUE>)) |
| --searchstructclass | Search Struct Class | The LDAP structural object class to search for when locating users. This can be any value that objectclass can take in an LDAP entry. |
| --searchbinddn | Search Priv Identity | The distinguished name of a user with search privileges on the LDAP tree. |
| --searchbindpassword | Search Priv Password | The password of the user with search privileges on the LDAP tree. |
| --referral | Referral Property | How the search should handle referrals. Valid values are ignore, follow, and throw. The latter throws a ReferralException for each referral. Also, if the LDAP service provider receives a referral despite --referral being set to ignore, it throws a PartialResultException to indicate that more results might be forthcoming if the referral is followed. |
| --derefalias | Deref Alias Property | How the search should handle aliases. Valid values are: always (always dereference aliases); never (never dereference aliases); finding (dereference aliases only during name resolution); searching (dereference aliases only after name resolution). |
- Assign the login scheme to the primary SSO service. At a Landmark command prompt, type
secadm service update SSOPV2 --loginscheme SSOPV2_LDAP_BIND
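As an added illustration, not code from Infor Landmark, the following Python shows how the %DOMAIN% placeholder in the --rdn value and the <NAMING_ATTR>, <NAMING_ATTR_VALUE> and <STRUCTURAL_OBJCLASS_VALUE> placeholders in the --searchfilter value would be expanded for one login attempt, with the domain checked against the containers that exist under ou=domains and the user name escaped per RFC 4515 before it enters the filter. How Landmark itself performs the substitution is not shown on this page, so the placeholder handling, the KNOWN_DOMAINS set and the uid/inetOrgPerson values are assumptions.

```python
import re

# Constructed scheme values mirroring the secadm options on this page.
# The RDN and search filter are the page's own examples; the rest are assumptions.
SCHEME = {
    "rdn": "ou=%DOMAIN%,ou=domains,o=lawson",
    "namingattr": "uid",
    "searchfilter": "(&(<NAMING_ATTR>=<NAMING_ATTR_VALUE>)(objectclass=<STRUCTURAL_OBJCLASS_VALUE>))",
    "searchstructclass": "inetOrgPerson",
}

# Constructed list of the ou names that actually exist under ou=domains.
KNOWN_DOMAINS = {"corp", "emea"}

# RFC 4515 escaping for characters that are special inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so the filter matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(scheme, domain, username, known_domains=KNOWN_DOMAINS):
    """Return (search_base, search_filter) for one login attempt.

    The domain is substituted into the --rdn template only if it names a
    container known to exist, so a value taken from the login form cannot
    point the search anywhere outside ou=domains.
    """
    if not re.fullmatch(r"[A-Za-z0-9._-]+", domain) or domain not in known_domains:
        raise ValueError("unknown domain: %r" % domain)
    if not username:
        raise ValueError("empty user name")
    search_base = scheme["rdn"].replace("%DOMAIN%", domain)
    search_filter = (
        scheme["searchfilter"]
        .replace("<NAMING_ATTR>", scheme["namingattr"])
        .replace("<NAMING_ATTR_VALUE>", escape_filter_value(username))
        .replace("<STRUCTURAL_OBJCLASS_VALUE>", scheme["searchstructclass"])
    )
    return search_base, search_filter


if __name__ == "__main__":
    print(build_user_search(SCHEME, "corp", "jdoe"))
    # ('ou=corp,ou=domains,o=lawson', '(&(uid=jdoe)(objectclass=inetOrgPerson))')
```

The search base and filter returned here are what the scheme's search-privileged identity (--searchbinddn) would use to locate the entry before the user's own bind is attempted.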