Due to new corporate policy changes, instructions were received from Security telling this EMC/Documentum customer to change all Unix-owned installed applications from local host authentication to LDAP authentication.
Has anyone ever done this, or is anyone running a Documentum system owned by a user account that authenticates via LDAP? I have detailed it here and am looking for feedback along the lines of "we have done this and the outcome was successful/unsuccessful".
Changing the repository installation owner account is not necessarily the main issue (though the nature of LDAP is that usernames must be unique, which means jiggery-pokery with all but one of the many separate installs across the domain); it is performance around LDAP that is the unknown.
To avoid confusion: Documentum users are LDAP-authenticated anyway; that is not the issue. Security tells us we must modify the existing GxP Documentum systems on our Red Hat servers to LDAP, which is something I have not seen done before, and I am not aware that my dm_buddies have either.
It is implicit from the Documentum documentation that domain authentication is supported, but Windows does it differently from Unix and the docs don't distinguish.
Performance, I think, is the big question: how many hits does the Unix dm_check_password make in a day? Hard to measure and case by case, but we do know that the exercise with an SAP application was rolled back because the massive number of hits against the LDAP servers saturated them.
My own proposal is untested and follows, with three theoretical environments (Prod: dmadminp, Stage: dmadmins, Dev: dmadmind):
1. Make dmadmin (the install owner) an inline user. This saves mucking about with object ownership and getting involved in the docbase.
2. Re-own the binaries in each environment with the newly created LDAP user, e.g. dmadminp, dmadmins, dmadmind.
3. Create a relevant superuser in the docbase called dmadminp, dmadmins or whatever.
Anyway, does anyone have any comments they can post about this?
Thanks in advance.
Kevin
Jord said
It is not recommended by EMC, because if the LDAP server is down you will not be able to change anything in your docbase. So a backup account based on a local or inline user is recommended (use case: LDAP goes down and they rebuild the server with a new IP/URL; then you need to change it in the repository).
I have run repositories with an Active Directory account as install owner. Since AD is also LDAP, your proof has been delivered. Maybe your customer is not willing to accept AD as proof, though. For other LDAPs I haven't seen the requirement; most Unix people prefer local accounts anyway.
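The following is an added example, not code from either poster or from EMC/Documentum. It turns two points from the thread into checks a practitioner would run on the Red Hat host before touching anything: Kevin's step 2 (re-own the binaries under the new directory-backed account) and Jord's caveat that a local break-glass account must remain so the host stays administrable when the directory is unreachable. The user names, the passwd-file argument and the install directory are assumptions for illustration; `user_source` distinguishes an account defined in the local passwd file from one that only resolves through NSS (for example sssd against LDAP or AD), and `reown_tree` defaults to a dry run because the real `chown` needs root.

```shell
#!/bin/sh
# Added example: pre-flight checks for moving a Documentum install owner
# from a local account to a directory account, plus a dry-run of the
# "re-own the binaries" step. User names, paths and the passwd-file
# argument are assumptions for illustration, not taken from the thread.

# user_source NAME [PASSWD_FILE]
# Prints "local" if NAME is defined in the passwd file (host authentication),
# "directory" if NAME is only resolvable through NSS (e.g. sssd/LDAP/AD),
# and "unknown" if it resolves nowhere. Returns 1 only for "unknown".
user_source() {
    name=$1
    passwd_file=${2:-/etc/passwd}
    if grep -q "^${name}:" "$passwd_file"; then
        echo local
        return 0
    fi
    if getent passwd "$name" >/dev/null 2>&1; then
        echo directory
        return 0
    fi
    echo unknown
    return 1
}

# count_owned DIR USER
# Number of filesystem objects under DIR (DIR itself included) owned by USER.
# An unknown USER makes find fail, which is reported as 0.
count_owned() {
    find "$1" -user "$2" 2>/dev/null | wc -l | tr -d ' '
}

# reown_tree OLD NEW DIR
# Re-own everything under DIR from OLD to NEW. With DRY_RUN=1 (the default)
# it only reports the count; DRY_RUN=0 performs the chown and needs root.
# chown by name means NEW must resolve through NSS at the moment it runs.
reown_tree() {
    old=$1; new=$2; dir=$3
    n=$(count_owned "$dir" "$old")
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would chown $n object(s) under $dir from $old to $new"
        return 0
    fi
    find "$dir" -user "$old" -exec chown -h "$new" {} +
}

# preflight NEW BREAKGLASS [PASSWD_FILE]
# The caveat from the reply above as a check: the new install owner must
# resolve somewhere, and the break-glass account must be local so the host
# can still be administered when the directory is down or re-addressed.
preflight() {
    new=$1; breakglass=$2; passwd_file=${3:-/etc/passwd}
    if [ "$(user_source "$new" "$passwd_file")" = unknown ]; then
        echo "new owner $new does not resolve locally or via NSS"
        return 1
    fi
    if [ "$(user_source "$breakglass" "$passwd_file")" != local ]; then
        echo "break-glass account $breakglass is not a local account"
        return 1
    fi
    echo ok
    return 0
}

# Example invocation (assumed names; only runs when DOCUMENTUM_ROOT is set):
#   DOCUMENTUM_ROOT=/opt/documentum sh thisfile.sh
if [ -n "${DOCUMENTUM_ROOT:-}" ]; then
    preflight dmadminp dmadmin && reown_tree dmadmin dmadminp "$DOCUMENTUM_ROOT"
fi
```

Run the dry run first and compare the reported count against what you expect for the install tree; only then rerun as root with `DRY_RUN=0`. Because the chown is by name, do it while the directory is reachable, and keep the local account that `preflight` checks for as the fallback owner of nothing but its own home, so it is never tempted into becoming a second install owner.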
Jord said
As a side note: if you plan on using SSO with Tomcat, don't go for the easy implementation (I can't recall the name exactly, but I guess it is called JCIFS). That one will hit the LDAP server on every Webtop page load.