LDAP authentication model

Description of the LDAP authentication processing model.

You enable LDAP authentication at both the database set level and the individual user level. This approach allows Rational® ClearQuest® to support a mixed authentication environment. A database set that you configure for LDAP authentication can support users marked for Rational ClearQuest authentication and users marked for LDAP authentication, as shown in Figure 1. When you configure the Rational ClearQuest database set for LDAP authentication, you specify whether Rational ClearQuest attempts Rational ClearQuest authentication first. If that attempt fails, Rational ClearQuest tries LDAP authentication and afterward tries Rational ClearQuest authentication.

Figure 1. LDAP and Rational ClearQuest user authentication (authentication sequence when LDAP is authenticated first)

For a database set that you configure for LDAP, Rational ClearQuest performs user authentication in the following sequence:
  1. A user enters a user name and password and selects a database in the Rational ClearQuest Login window.
  2. Rational ClearQuest searches the user database for a user profile record whose Login name field value matches the user name that the user entered in the Login window. If Rational ClearQuest finds a match and the user profile record is marked for Rational ClearQuest authentication, Rational ClearQuest performs traditional Rational ClearQuest authentication. Proceed to Step 6.

    If Rational ClearQuest finds a match and the user profile record is marked for LDAP authentication, or if Rational ClearQuest does not find a match, Rational ClearQuest attempts to authenticate the user against LDAP. Proceed to Step 3.

  3. Rational ClearQuest searches the LDAP directory for a user record. Rational ClearQuest uses the user name from the Login window plus search criteria that you specify when you configure the database set for LDAP authentication. If Rational ClearQuest finds a matching user record, it authenticates the user by having the LDAP server compare the password that the user entered in the Login window with the password in the LDAP user record. If the LDAP authentication succeeds, Rational ClearQuest proceeds to correlate the LDAP user record with a Rational ClearQuest user profile record.
  4. Rational ClearQuest retrieves attributes from the user record that it finds in the LDAP directory.
  5. Rational ClearQuest searches the database set for a user record that corresponds to the LDAP directory user record. When you configure the database set for LDAP authentication, you specify a Rational ClearQuest record field and an LDAP user record attribute to be used for mapping. Rational ClearQuest searches for a record whose mapping field contains the same value as the mapping attribute in the LDAP user record. If Rational ClearQuest finds a match, proceed to Step 6.
  6. Rational ClearQuest checks to see if the user is authorized to access the database and what privileges and groups are assigned to the user.
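
The sequence above as a small in-memory model, added here as an illustration; it is not IBM's or Rational ClearQuest's code. The sample users and directory entries, the `uid` search attribute, the `mail`/`email` mapping pair, the database name `SAMPL` and the exactly-one-match rule are assumptions of the model.

```python
import hmac

# Constructed stand-ins for the ClearQuest user database and the LDAP directory.
CQ_USERS = [
    {"login": "alice", "auth": "CQ", "password": "cq-pw",
     "email": "alice@example.com", "dbs": {"SAMPL"}},
    {"login": "bsmith", "auth": "LDAP", "email": "bob@example.com", "dbs": {"SAMPL"}},
    {"login": "carol", "auth": "LDAP", "email": "carol@example.com", "dbs": set()},
]
LDAP_DIR = [
    {"uid": "bob", "mail": "bob@example.com", "userPassword": "ldap-pw"},
    {"uid": "carol", "mail": "carol@example.com", "userPassword": "ldap-pw2"},
    {"uid": "dave", "mail": "dave@example.com", "userPassword": "ldap-pw3"},
]
SEARCH_ATTR = "uid"                            # assumed search criteria for the database set
MAP_LDAP_ATTR, MAP_CQ_FIELD = "mail", "email"  # assumed mapping attribute and field

def same(a, b):
    # Constant-time comparison, standing in for the password check.
    return hmac.compare_digest(a.encode(), b.encode())

def authenticate(login, password, database):
    # Step 2: look for a profile whose Login name matches what was typed.
    profile = next((u for u in CQ_USERS if u["login"] == login), None)
    if profile and profile["auth"] == "CQ":
        if not same(profile["password"], password):
            return ("denied", "ClearQuest password mismatch")
    else:
        # Step 3: LDAP-marked profile, or no profile at all: search the directory.
        hits = [e for e in LDAP_DIR if e[SEARCH_ATTR] == login]
        if len(hits) != 1:  # model assumption: exactly one entry must match
            return ("denied", "no LDAP entry")
        if not same(hits[0]["userPassword"], password):
            return ("denied", "LDAP password mismatch")
        # Steps 4-5: read the mapping attribute and correlate it with a profile.
        value = hits[0][MAP_LDAP_ATTR]
        mapped = [u for u in CQ_USERS if u[MAP_CQ_FIELD] == value]
        if len(mapped) != 1:  # model assumption: the mapping must be unambiguous
            return ("denied", "no mapped ClearQuest profile")
        profile = mapped[0]
    # Step 6: authorization is read from the ClearQuest profile on both paths.
    if database not in profile["dbs"]:
        return ("denied", "not authorized for database")
    return ("ok", profile["login"])
```

In this model `bob` types an LDAP name that matches no Login name field, and the mapping attribute rather than the typed name selects the `bsmith` profile; a successful LDAP check for `dave` still ends in denial because no profile maps to that entry.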