LDAP authentication model

Description of the LDAP authentication processing model.

You enable LDAP authentication at both the database set level and the individual user level. This approach allows HCL Compass to support a mixed authentication environment: a database set that you configure for LDAP authentication can contain users marked for HCL Compass authentication and users marked for LDAP authentication. When you configure the HCL Compass database set for LDAP authentication, you also specify the order in which the two methods are tried: either HCL Compass attempts HCL Compass authentication first and, if that attempt fails, tries LDAP authentication, or it attempts LDAP authentication first and, if that fails, tries HCL Compass authentication.

Authentication sequence when LDAP authentication is attempted first.
For a database set that you configure for LDAP authentication, HCL Compass authenticates a user in the following sequence:
  1. A user enters a user name and password and selects a database in the HCL Compass Login window.
  2. HCL Compass searches the user database for a user profile record whose Login name field value matches the user name that the user entered in the Login window. If HCL Compass finds a match and the user profile record is marked for HCL Compass authentication, HCL Compass performs traditional HCL Compass authentication. Proceed to Step 6.

    If HCL Compass finds a match and the user profile record is marked for LDAP authentication, or if HCL Compass does not find a match, HCL Compass attempts to authenticate the user against LDAP. Proceed to Step 3.

  3. HCL Compass searches the LDAP directory for a user record. HCL Compass uses the user name from the Login window plus search criteria that you specify when you configure the database set for LDAP authentication. If HCL Compass finds a matching user record, it authenticates the user by having the LDAP server compare the password that the user entered in the Login window with the password in the LDAP user record. If the LDAP authentication succeeds, HCL Compass proceeds to correlate the LDAP user record with a HCL Compass user profile record.
  4. HCL Compass retrieves attributes from the user record that it found in the LDAP directory.
  5. HCL Compass searches the database set for a user profile record that corresponds to the LDAP directory user record. When you configure the database set for LDAP authentication, you specify an HCL Compass user profile field and an LDAP user record attribute to be used for mapping. HCL Compass searches for a record whose mapping field contains the same value as the mapping attribute in the LDAP user record. If HCL Compass finds a match, proceed to Step 6.
  6. HCL Compass checks whether the user is authorized to access the selected database and which privileges and groups are assigned to the user.
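The six steps above, modelled as a runnable flow. This is an added example written for this page, not HCL Compass code: the user database and LDAP directory are constructed in-memory stand-ins, the mock LDAP server only understands single equality filters, and the configuration values (base DN, the "(uid=...)" search filter, the "mail"-to-"email" mapping) are assumptions. The one addition that the page does not spell out is the RFC 4515 escaping of the login name before it is placed in the search filter; a practitioner should insist on it, because a filter assembled by plain string substitution lets a login name such as "*" or "bob)(|(uid=" rewrite the search. The example also covers the failure branches the steps imply: a Compass-marked user with a wrong password, an LDAP user who exists but has no mapped Compass profile, and an empty password (which a real directory would treat as an anonymous bind rather than a failed one).

```python
"""Mixed-mode login flow following the HCL Compass LDAP authentication sequence.
All data below is constructed for the example; nothing is read from a real directory."""
import re
from dataclasses import dataclass
from typing import Optional


def escape_ldap_filter(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter (added hardening)."""
    return "".join(r"\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


# Constructed Compass user database: login name -> user profile record.
# "auth" is the per-user mark (Compass or LDAP); "email" is the assumed mapping field.
COMPASS_USERS = {
    "alice":  {"auth": "COMPASS", "password": "s3cret", "email": "alice@example.com", "groups": ["Admin"]},
    "bob":    {"auth": "LDAP",    "password": None,     "email": "bob@example.com",   "groups": ["QA"]},
    "cjones": {"auth": "LDAP",    "password": None,     "email": "carol@example.com", "groups": ["Dev"]},
}

# Constructed LDAP directory: DN -> attributes. "dave" has no Compass profile at all.
LDAP_DIRECTORY = {
    "uid=bob,ou=people,dc=example,dc=com":   {"uid": "bob",   "mail": "bob@example.com",   "userPassword": "hunter2"},
    "uid=carol,ou=people,dc=example,dc=com": {"uid": "carol", "mail": "carol@example.com", "userPassword": "pa55"},
    "uid=dave,ou=people,dc=example,dc=com":  {"uid": "dave",  "mail": "dave@example.com",  "userPassword": "x"},
}

# Assumed database-set LDAP configuration (the "search criteria" and mapping from the page).
LDAP_CONFIG = {"search_filter": "(uid={login})", "ldap_attr": "mail", "compass_field": "email"}


class MockLdapServer:
    """Minimal stand-in for the directory: equality-filter search plus simple bind."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, flt: str):
        m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
        if not m:
            raise ValueError("mock server only supports (attr=value) filters")
        attr, raw = m.groups()
        # Undo RFC 4515 escaping so an escaped "*" is compared as a literal asterisk.
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda mm: chr(int(mm.group(1), 16)), raw)
        return [(dn, a) for dn, a in self.entries.items() if a.get(attr) == value]

    def bind(self, dn: str, password: str) -> bool:
        # Real servers treat an empty password as an anonymous bind that "succeeds";
        # refuse it explicitly so a blank Login window password never authenticates anyone.
        if not password:
            return False
        entry = self.entries.get(dn)
        return entry is not None and entry["userPassword"] == password


@dataclass
class LoginResult:
    ok: bool
    path: str                      # "COMPASS", "LDAP" or "DENIED"
    profile: Optional[dict] = None  # the Compass profile used for step 6 (groups, privileges)
    reason: str = ""


def authenticate(login: str, password: str, users=COMPASS_USERS, server=None, cfg=LDAP_CONFIG) -> LoginResult:
    server = server or MockLdapServer(LDAP_DIRECTORY)
    # Step 2: look for a profile whose login name matches; Compass-marked users never touch LDAP.
    profile = users.get(login)
    if profile and profile["auth"] == "COMPASS":
        if profile["password"] == password:
            return LoginResult(True, "COMPASS", profile)          # step 6 uses this profile
        return LoginResult(False, "DENIED", reason="Compass password mismatch")
    # Step 3: LDAP search with the configured criteria, login name escaped before substitution.
    flt = cfg["search_filter"].format(login=escape_ldap_filter(login))
    hits = server.search(flt)
    if len(hits) != 1:
        return LoginResult(False, "DENIED", reason=f"LDAP search returned {len(hits)} entries")
    dn, attrs = hits[0]
    if not server.bind(dn, password):
        return LoginResult(False, "DENIED", reason="LDAP password check failed")
    # Steps 4 and 5: read the mapping attribute and find the Compass profile that carries it.
    key = attrs.get(cfg["ldap_attr"])
    matches = [p for p in users.values() if p.get(cfg["compass_field"]) == key]
    if len(matches) != 1:
        return LoginResult(False, "DENIED", reason="no Compass profile maps to the LDAP record")
    return LoginResult(True, "LDAP", matches[0])                  # step 6 uses this profile


if __name__ == "__main__":
    for login, pw in [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55"), ("dave", "x"), ("*", "x")]:
        r = authenticate(login, pw)
        print(f"{login!r}: ok={r.ok} path={r.path} groups={r.profile['groups'] if r.profile else None} {r.reason}")
```

Note the "carol" case: her LDAP uid is not a Compass login name, so step 2 finds nothing and the flow falls through to LDAP, where the mail attribute maps her onto the "cjones" profile and its groups. That is the mapping step doing its job, and it is also why the mapping attribute must be unique in both the directory and the database set; a duplicate value would make step 5 ambiguous.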