Re: AzMan AD Authentication Store Woes....

Jer2224 · ‎02-08-2013

Does anyone have any more information about how to create or even use the AzMan authentication store in an Active Directory context? The only way I've managed to get vCAC installed is to use a single VM option for my PoC installation, putting all the roles on the same server and using a file-based authentication store. Whenever I tried to import the security.xml file, all kinds of errors resulted (frankly too many to post here - all spurious involving line exceptions in the import) - it simply didn't work as detailed in the Installation Guide pdf.

Also, I found fundemental things missing from the installation guide - either assumed or presumed by the writers - especially about the authentication store part and the database creation / linking part. Thinks like does the AzMan need to be done on a member server or a DC? What credentials are needed for the msldap string (if any)? If no credentials are supplied, how can the AzMan import be authorised as someone able to make schema changes? Do the new objects in AD need to be containers (CN) or organisational units (OU)? Do these need to be pre-created before running the tool? If so, what permissions do they need?

In this case, Google hasn't been my friend, and provides only circumstantial support for the issues / questions described above.

Does anyone have a proven work-through of this part of the process? I'm happy to write it up into a blog post to assemble bits of information if any are forthcoming - anything to help me get a multi-VM vCAC installation deployed.

Many thanks. :smileylaugh:

JKougoulos · ‎02-11-2013

Hi,

why don't you use the SQL backend for the AzMan store?

It is really easy to deploy and at least it has worked for me perfectly in mulit-VM vCAC deployments.

Regards,

John

Jer2224 · ‎02-12-2013

Hi John,

Thanks for the reply.

To be honest, I initally discounted SQL as an authentication store for my purposes, on the basis that we need to have the ability to have 40-odd users using the system for requests and approvals, and all of these are stored in our AD. Is it possible to use a SQL store authentication then populate it with AD credentials (or groups)? Kind of a dogleg approach to AD authentication?

Cheers.

Jeremy.

JKougoulos · ‎02-12-2013

Hi Jeremy,

as far as I know the backend store for Azman is used just to store the data used by azman.

You will not have to populate anything directly there, everything will be done through vCAC console, where you specify AD users or AD security groups.

All these users will be authenticated through AD when they access the vCAC console, vCAC uses Azman as an authorization provider in order to permit or deny certain user actions. Azman just needs a place to store the data, the functionality will be the same in all cases.

So, when you choose SQL store for Azman, it does not mean "users in an SQL table", but "authorization metadata in SQL"

Hope it helps.

Regards,

John