Administering CA Output Management Web Viewer › User Authentication › LDAP Authentication › Auto Enrollment LDAP Users

Auto Enrollment LDAP Users

With LDAP authentication, users can automatically be added to a particular Role .

Auto Enrollment is similar to standard LDAP authentication because it also requires a Directory object to be associated with the particular Role.

A Role using LDAP authentication can allow or not allow auto enrollment:

• With auto enrollment turned on in the same Role, any user authenticated with the Directory referenced by the Role will be added to that Role. A new User object will be created if needed
• Without auto enrollment, even if a user passes LDAP authentication, the user will not be added to the Role. Only existing users of that Role will be able to login.

  User objects can be manually created from the user panel and added to the Role.

  For more information see Creating a New User Object and Assigning Users to Roles.

Note: Auto enrollment must be setup in the edit roll panel. For more information, see Setting the Role Authentication Method.

Auto Enrollment Considerations

• We suggest that you only attempt to auto enroll a single user into a single Role.
• Users can only be auto-enrolled into a single Role, unless the user uses a separate password for each Role, and each Role has a separate Directory setup.
• If the user is a member of an LDAP-authenticated Role do not attempt to use automatic enrollment to enroll them into another Role
• It is an administration error to have a user in more than one Role authenticated by different LDAP setups which share the same credentials.

  Your user will only be allowed to log in as Role A or Role B, and you cannot determine ahead of time which Role they will be logged into.

• Normally, CA OM Web Viewer will do the following:
  • Find the first LDAP role the user is eligible for with the supported credentials
  • Log the user into that Role, automatically enrolling them if necessary

    Be aware that CA OM Web Viewer does not continue to check to see if the user is eligible for other Roles.

• If you check mainframe security before LDAP security, some of your users might not be automatically enrolled. (See Preferred Security System Order).

  The following situations might occur if a user’s LDAP and mainframe credentials match and you check mainframe security before LDAP security.

  • Your user might be auto-enrolled into the Default User Role with the mainframe credentials if the user’s mainframe credentials are the same as the LDAP credentials.
  • Additionally, the user might be logged into a different Role that uses mainframe credentials for authentication.