9 Replies Latest reply on Mar 23, 2017 5:22 PM by Nikolay Karetnikov

    LDAP authentication & Blueprint Administrator

    Nikolay Karetnikov Navigator

      Hello!

      We have a very special client (quite a big bank) who likes to ask all sorts of exceptional questions.

      Here is one of them.

      They have the following systems installed:

      IBM Security Identity Manager (ISIM)

      IBM Security Access Manager for e-business (ISAM)

      The aim of the customer is to use them both to integrate with a proposed PrintManagement software (Blueprint in our case):

      The question goes: is there a way to integrate Blueprint with either ISIM or ISAM?

      One of the possible scenarios they envision:

      ISIM is used as an alternative LDAP catalog against which a Blueprint Administrator account should be authenticated.

      Any comments are very welcome!

        • Re: LDAP authentication & Blueprint Administrator
          tcampbell@pharos.com Navigator

          Hello Nikolay,


          Thank you for your question.  I do not have any personal experience with the IBM solutions that your client has inquired about, but I will offer a couple of thoughts.  Let's first break the client's question about Blueprint integration into two different parts: user authentication at a terminal or iMFP, and access into the Blueprint Administrator.


          Assuming ISIM is an LDAP alternative, as you have stated, it is conceivable that an authentication script may be written to access the IBM solution for user authentication at terminals and iMFPs.


          The Blueprint Administrator, on the other hand, does not utilize external user authorities.  Users gain access into Blueprint Administrator by either entering "local" credentials, i.e. a user name and password that is local to Blueprint's database, or by having logged on to a server or workstation using a domain username that matches a domain user who has been granted access into the Blueprint Administrator.


          As an example, let's assume that domain user mycompany\johndoe has been added to the Blueprint Administrator as a user who has a reporting-only access account.  When that user logs on to his workstation and launches an instance of the remote Blueprint Administrator application, he will be allowed to enter the application and see only reports because the workstation's logged-on user account matches a known account.  If mycompany\janesmith were to log on to that same workstation, access to the Blueprint Administrator would not be allowed because the logged-on user has not been granted an access account.


          In summary, the Blueprint Administrator application does not validate user credentials against a user authority.  It trusts that the logged on user has already been validated against a user authority to gain access to the workstation or server that is hosting the Blueprint Administrator application.  When launching the Blueprint Administrator, it will look to see if the logged on user has been granted an access account.  If so, the user will gain access to the application; if not, the user will be prompted to enter "local" credentials.


          This long explanation of how Blueprint Administrator operates was offered so that you may answer the question about controlling access with ISIM or ISAM.  If those "LDAP alternatives" are also controlling logon access to workstations and servers, access into Blueprint Administrator would be governed as well.  If ISIM and ISAM are not the solution that controls access to workstations, i.e. users log on against a standard Windows Active Directory or LDAP server, then it would not be possible for ISIM or ISAM to govern access to the Blueprint Administrator.


          Best regards,

          Tim.

            • Re: LDAP authentication & Blueprint Administrator
              Nikolay Karetnikov Navigator

              Hello Tim!

              Thank you for the answer!

              You wrote:

              In summary, the Blueprint Administrator application does not validate user credentials against a user authority.  It trusts that the logged on user has already been validated against a user authority to gain access to the workstation or server that is hosting the Blueprint Administrator application.  When launching the Blueprint Administrator, it will look to see if the logged on user has been granted an access account.  If so, the user will gain access to the application; if not, the user will be prompted to enter "local" credentials.

              I imagine a user logged on to a workstation with a username such as username@3rdpartyLDAPdomain.com from a non-Active Directory LDAP catalog.

              Would the Blueprint Administrator allow such a user to log in?

                • Re: LDAP authentication & Blueprint Administrator
                  Scott Olswold Guide

                  Nikolay,


                  The interface within Blueprint Administrator to define "network user" access asks for two elements:

                  • Domain
                  • User name

                  and stores them in the format Domain\User much like "legacy" Active Directory/NTLM did/does. It has no concept of a UPN. As such, it would probably not allow for that type of "automatic" login unless there was legacy support for 3rdPartyLDAPDomain\Username within the directory service.


                  -Scott
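The access model that Tim and Scott describe above, as an added illustration that is not Pharos code and not taken from Blueprint: grants are stored as Domain\User, the workstation's logged-on identity is matched against that table, a UPN-style name only matches if the directory also offers a legacy short domain name for its suffix, and anyone without a match is dropped to the local-credential prompt. The grant table, the local accounts, the PBKDF2 storage of local passwords, the case-insensitive comparison and the `legacy_map` lookup are all assumptions made for the example, not a description of Blueprint's database.

```python
"""
Added example (not Pharos code): a model of the Blueprint Administrator access
check described in this thread.  All tables and the hashing scheme are
constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed grant table in the Domain\User shape Scott describes (no UPN field).
# Assumption: names compare case-insensitively, as Windows treats them.
NETWORK_GRANTS: Dict[Tuple[str, str], str] = {
    ("MYCOMPANY", "johndoe"): "Report Viewer",
    ("3RDPARTYLDAPDOMAIN", "johndoe"): "Administrator",
}

# Hypothetical map from a UPN suffix to a legacy short domain name.  Empty means
# the directory offers no such mapping, which is the case Scott outlines.
NO_LEGACY_MAP: Dict[str, str] = {}


def parse_logon_name(logon: str, legacy_map: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Reduce the logged-on identity to a (DOMAIN, user) key, or None.

    Domain\\User maps directly.  user@suffix maps only when the suffix has a
    legacy short name; otherwise there is nothing to compare with a grant.
    """
    if "\\" in logon:
        domain, user = logon.split("\\", 1)
        return domain.upper(), user.lower()
    if "@" in logon:
        user, suffix = logon.rsplit("@", 1)
        legacy = legacy_map.get(suffix.lower())
        if legacy is None:
            return None
        return legacy.upper(), user.lower()
    return None  # bare user name: no domain to match against


def check_network_access(logon: str,
                         grants: Dict[Tuple[str, str], str] = NETWORK_GRANTS,
                         legacy_map: Dict[str, str] = NO_LEGACY_MAP) -> Optional[str]:
    """Return the granted role for the logged-on user, or None if not granted."""
    key = parse_logon_name(logon, legacy_map)
    return None if key is None else grants.get(key)


# Local-credential fallback.  Assumption: local passwords are salted PBKDF2 hashes.
def make_local_account(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


LOCAL_ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {
    "bpadmin": make_local_account("correct horse battery staple"),  # constructed
}


def verify_local_credentials(username: str, password: str,
                             accounts: Dict[str, Tuple[bytes, bytes]] = LOCAL_ACCOUNTS) -> bool:
    record = accounts.get(username)
    if record is None:
        return False  # unknown user takes the same failure path as a bad password
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, expected)


def open_administrator(logon: str,
                       local_credentials: Optional[Tuple[str, str]] = None,
                       legacy_map: Dict[str, str] = NO_LEGACY_MAP) -> Tuple[str, Optional[str]]:
    """Model the launch sequence Tim describes.

    ("granted", role)    -> the logged-on user holds a network grant
    ("granted", "local") -> no grant, but the local-credential prompt was satisfied
    ("prompt_local", None) -> stopped at the prompt
    """
    role = check_network_access(logon, legacy_map=legacy_map)
    if role is not None:
        return "granted", role
    if local_credentials is not None:
        user, pwd = local_credentials
        if verify_local_credentials(user, pwd):
            return "granted", "local"
    return "prompt_local", None


if __name__ == "__main__":
    print(open_administrator(r"mycompany\johndoe"))              # ('granted', 'Report Viewer')
    print(open_administrator(r"mycompany\janesmith"))            # ('prompt_local', None)
    print(open_administrator("johndoe@3rdpartyldapdomain.com"))  # ('prompt_local', None): UPN, no legacy name
    print(open_administrator("johndoe@3rdpartyldapdomain.com",
                             legacy_map={"3rdpartyldapdomain.com": "3RDPARTYLDAPDOMAIN"}))  # ('granted', 'Administrator')
```

The third call is Nikolay's scenario: a UPN from a non-AD directory reaches the prompt even though the same person holds a grant, because nothing turns the suffix into the Domain half of a Domain\User key. The fourth call shows the one condition under which Scott says it could work, a legacy short name for that directory.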

                    • Re: LDAP authentication & Blueprint Administrator
                      Nikolay Karetnikov Navigator

                      Understood, thanks!

                      What would it take if the customer decided to add such an option?

                        • Re: LDAP authentication & Blueprint Administrator
                          Scott Olswold Guide

                          Nikolay,

                          A lot. Currently, since Blueprint Administrator isn't a "directory aware" application, it would mean we build in the plumbing to support it. And while some of that plumbing is there (the Group Finder for Policy Print, for example), it is hard-wired to only support Active Directory. An estimate of the time it would take to add directory services support for Blueprint Administrator access (the coding, the UI, the testing) would be required by the Blueprint Product Manager, and then that estimate would need to be fit into the current development backlog/schedule.

                          -Scott

                            • Re: LDAP authentication & Blueprint Administrator
                              Nikolay Karetnikov Navigator

                              I see.

                              Scott, I've kind of asked this already via Edward, but here is an update and more questions on that.


                              1. Is it true that an account, once added to Blueprint Administrator as a "Report Viewer" or "Administrator", is shared across all of the BPAdmin instances?

                              2. If 1 is true, is it possible to add an AD Group to the authentication list of the BPAdmin? Manually, or by some kind of remote tool (stored procedure) or sync instrument (like an LDAP sync tool with importconfig files)? Would a member of such a group be authorized in the Blueprint Administrator? If not, what will it take to implement such a feature? It should definitely be faster than any 3rd-party LDAP way.


                              And could you please confirm: I believe the LDAP sync tool is not Active Directory-specific. It works for any LDAP catalog, right?