[Go] Use LDAP OUs to restrict access

Source: Internet
Author: User
Tags ldap uicontrol

Restricting access using LDAP OUs

http://www-01.ibm.com/support/knowledgecenter/api/content/SSEP7J_10.2.2/com.ibm.swg.ba.cognos.crn_arch.10.2.2.doc/c_restrict_access_using_ldap_organizational_units.html#restrict_access_using_ldap_organizational_units?locale=zh

You can grant access to IBM® Cognos® Connection to a specific organizational unit (OU) in the LDAP directory or to the descendants of a specific OU. Typically, an OU represents a part of an organization.

For this method to take effect, you must correctly set the Base Distinguished Name and User Lookup properties under the Security, Authentication category in IBM Cognos Configuration. By using different values for these properties, you can grant access to different OUs in the LDAP directory structure.

Please consider the following directory tree:

Figure 1. Organizational unit tree of a fictitious company divided into East and West

If only users in the "East" OU need access to IBM Cognos Connection, you can specify values as listed in the following table.

Table 1. Base Distinguished Name and User Lookup values for the East organizational unit

Property                  Value
Base Distinguished Name   ou=east,ou=people,dc=abc,dc=com
User Lookup               uid=${userid}

If users in both the East and West OUs require access, you can specify values as listed in the following table.

Table 2. Base Distinguished Name and User Lookup values for the East and West organizational units

Property                  Value
Base Distinguished Name   ou=people,dc=abc,dc=com
User Lookup               (uid=${userid})

The parentheses () in the User Lookup property make the value a search filter, so the search covers all OUs located under the specified base DN. In the first example, only the "East" OU is searched for the user account. In the second example, both the "East" and "West" OUs are searched.

However, in both examples above, groups are excluded from access to IBM Cognos Connection because they are located in a different branch of the directory tree than the users. To include both groups and users, the base DN must be the root of the directory tree. The values are then as listed in the following table.

Table 3. Base Distinguished Name and User Lookup values for groups and users at the directory root

Property                  Value
Base Distinguished Name   dc=abc,dc=com
User Lookup               (uid=${userid})

As a result, all users in the directory have access to IBM Cognos Connection.

The last example shows that using OUs is not always the most efficient way to secure access to IBM Cognos Connection. You can use this method if you want to grant access to all users in a specific OU. If you want to grant access only to specific users, consider creating a specific IBM Cognos BI group or role on the directory server and granting access to IBM Cognos Connection to this group or role.
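
The effect of the three configurations in Tables 1 to 3 can be compared side by side with a small offline model. This is an added example, not IBM's code and not part of the original article. The sample entries, the ou=contractors and ou=groups branches, the helper names, and the treatment of a lookup without parentheses as an entry directly under the base DN are assumptions made for illustration.

```python
# Constructed sample directory for the abc.com tree. The ou=contractors and
# ou=groups branches and all entry names are assumptions for illustration.
DIRECTORY = {
    "uid=alice,ou=east,ou=people,dc=abc,dc=com": "user",
    "uid=bob,ou=west,ou=people,dc=abc,dc=com": "user",
    "uid=carol,ou=contractors,dc=abc,dc=com": "user",
    "cn=analysts,ou=groups,dc=abc,dc=com": "group",
}

def norm(dn):
    """Lower-case and strip a DN (the sample DNs contain no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn, base_dn):
    """True if dn is the base DN itself or lies anywhere beneath it."""
    dn, base_dn = norm(dn), norm(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)

def resolve_user(base_dn, user_lookup, userid):
    """Return the DN a login name resolves to under this configuration, or None."""
    term = user_lookup.replace("${userid}", userid)
    users = [dn for dn, kind in DIRECTORY.items() if kind == "user"]
    if term.startswith("("):
        # Parenthesized value: search filter applied to every OU under the base DN.
        # Only a single equality filter on the RDN, e.g. (uid=alice), is modelled.
        rdn = norm(term[1:-1])
        hits = [dn for dn in users
                if in_subtree(dn, base_dn) and norm(dn).split(",")[0] == rdn]
        return hits[0] if hits else None
    # No parentheses (assumption): the value names an entry directly under the base DN.
    wanted = norm(term + "," + base_dn)
    return next((dn for dn in users if norm(dn) == wanted), None)

def scope_report(base_dn, user_lookup):
    """List the login names and group DNs reachable with the given property values."""
    uids = [dn.split(",")[0].split("=")[1]
            for dn, kind in DIRECTORY.items() if kind == "user"]
    users = sorted(u for u in uids if resolve_user(base_dn, user_lookup, u))
    groups = sorted(dn for dn, kind in DIRECTORY.items()
                    if kind == "group" and in_subtree(dn, base_dn))
    return users, groups

if __name__ == "__main__":
    for base, lookup in [("ou=east,ou=people,dc=abc,dc=com", "uid=${userid}"),
                         ("ou=people,dc=abc,dc=com", "(uid=${userid})"),
                         ("dc=abc,dc=com", "(uid=${userid})")]:
        print(base, lookup, scope_report(base, lookup))
```

Running the same report against an export of a real directory before changing the base DN shows which accounts outside the intended OUs would become able to log on.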
