How enable user auto-provisioning

Hi,

from my understanding of the documentation when enabling "User auto-provisioning" in the "Domain Management" with "Auto-provision roles = QMS User" this should lead to the creation of users when i.e. e-mails are filtered and put in the quarantine to be released via digest.

There are digests now delivered to users with working release from QMS, but the QMS and the whole SMG does not show additional users besides "admin".

Did I get that concept wrong?

In case I got that idea correct, my guess would be a problem with the LDAP-Authentification in the "Domain Management". Since I have LDAP working in GroupWise I assumed I have to enter the same parameters in "DN template / DN search base" like "ou=abc,o=xyz" (which I checked and found with Softerra LDAP Browser). Since I had no idea on what to enter in "Search pattern" I left that blank.

Any hint on this would be great.

Regards

Karl

Parents
  • Verified Answer

    +1  

    Hello  ,

    by default auto provisioning will 'not work' as the 'authentication target' is not set up. 

    When a new user is loging into the SMG webinterface with credentials, the following steps are validated.

    1. Is the user-id known to SMG?

    2.If the userid is 'in the list of known users' below user management. The user-authentication method is used.

    --> For the admin user this means that the password is 'validated locally/offline'.

    If this is not the case, which it would be when we for example take a 'user-login' with a unknown e-mail, the following steps are executed by SMG.

    1. Check again if username/mail exists in user-list. If not, continue determine the 'target validation system'.

    2. Check the domain-part of the login details, if they match with a serviced domain below 'domain management'.

    3. If domain is serviced by SMG, continue to check for 'authentication-targets'.

    3.1 These auth-targets can be either SMTP or LDAP-directories.

    If the 'AUTH'-checkbox is enabled, this system is then used for validation.

    We now have two options in this case, either go the SMTP route and do a validation using LDAP in this case.

    4. The credentials are then 'used' and validated either using a SMTP AUTH LOGIN or a LDAP-Querying/Requesting using the credentials to see if the users-item exists in the directory.

    This part of the docs contain more additional info: https://www.novell.com/documentation/secure-messaging-gateway/secure-messaging-gateway/data/policy_adm_domain_manage.html#t46cjfntozby

    In short, if a user log in with his email address, the LDAP objects,  SHOULD deliver a result in the 'fields 'mail or proxyAddresses', when using the following search-pattern.

    (|(mail=%email%)(proxyAddresses=smtp:%email%))

    Once the user-acccounts are 'validated', SMG then continues to use the 'Auto provisioning details' selected.

    So in the default scenario it would 'create a QMS user' when the credentials have been successfully validated. 

    After that the user SHOULD be greeted with the 'selection dialog' what interface he wants to see.

    If the login is failing, on the appliance, checking the /var/log/apache2/error_log file can be beneficial.

    As the webserver is doing these user-validations, there might be error-messages or hints, why logins are 'failing' and deliver up more information than just a ''Authentication failed, please try again"-message.

  • 0 in reply to   

    This has been solved with support. Problem was LDAP-entries not being perfect. I had to disable "Checkbox Validate", enter the correct eDirectory-date in DN-template (which is completely different from the examples shown in the documentaion) and add the search-pattern as in your screenshot above. Now it works as expected.

    Regards

    Karl

Reply
  • 0 in reply to   

    This has been solved with support. Problem was LDAP-entries not being perfect. I had to disable "Checkbox Validate", enter the correct eDirectory-date in DN-template (which is completely different from the examples shown in the documentaion) and add the search-pattern as in your screenshot above. Now it works as expected.

    Regards

    Karl

Children
No Data