Due to new corporate policy changes, instruction was received by Security telling this EMC/Documentum Customer to change all Unix-owned installed applications to LDAP-authenticated from local host authentication.
Has anyone ever done this or is running a Documentum system which is owned a user account which authenticates by LDAP? I detailed it here and looking for some feedback on the lines of “we have done this and the outcome was successful/unsuccessful”.
The part of changing the repository installation owner user account is not necessarily the main issue (though the nature of LDAP is that uniqueness of usernames must be provided which means jiggery pokery with all but one of the many separate installs across the domain) – its performance around LDAP which is the unknown.
Not to cause confusion: Documentum users are LDAP-authenticated anyhow – not the issue. Security tells us we must modify the GxP existing Documentum systems to LDAP on our Red Hat servers – this being something I’ve not seen it done before and not aware by dm_buddies have either.
It is implicit from Documentum documentation that domain authentication is supported but Windows does it differently from Unix and the docs don’t distinguish.
Performance I think is the big question – how many hits does the unix dm_check_password have in a day? Hard to measure and case by case but we do know the exercise with an SAP application was rolled back due to the massive number of hits against the LDAP servers saturating them.
My own proposal is untested and follows with three theoretical environments (Prod – dmadminp, Stage dmadmins and Dev, dmadmind):
1. make dmadmin (install owner) an inline user. Saves mucking about with object ownership and getting involved in the docbase.
2. re-own the binaries in each environment with the newly created LDAP user – e.g. dmadminp, dmadmins, dmadmind
3. create a relevant super user in the docbase called dmadminp, dmadmins or whatever?
But anyway, anyone have any comments they can post me about this?
Thanks in advance.