000021290 - How to set up User Principal Name (UPN) mapping in RSA ClearTrust Agent 4.6 for Lotus Domino R5

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000021290
Applies To: RSA ClearTrust Agent 4.6 for Lotus Domino R5
RSA ClearTrust 5.5.3
Microsoft Windows 2000
Issue: How to set up User Principal Name (UPN) mapping in RSA ClearTrust Agent 4.6 for Lotus Domino R5
EXCEPTION_MESSAGE=Please verify that the identity mapping store parameters are set, RETURN_CODE=DATABASE_ERROR
Cause: Datastore for RSA ClearTrust has not been configured for UPN Mapping
Resolution

To correct this issue, reconfigure the ldap.conf file to enable user mapping rules to be used, e.g.:

cleartrust.data.ldap.identity_mapping_store :iplanet

cleartrust.data.ldap.identity_mapping_store.basedn :ou=ctscLibertyFederatedMappingRepository, dc=acme,dc=com


Create the ou=ctscLibertyFederatedMappingRepository object in the directory server.

Use the UserMappingExample program to configure the required mapping. The output below shows a mapping of "p3787", an RSA ClearTrust ID, to "Joe E Soap/acme" as a Lotus Domino UID.

AdminAPI connected.

Operation?
  (1) Create a mapping
  (2) Delete a mapping
  (3) Delete all mappings for a user
  (4) Delete all mappings for a domain
 [ 1 ]: 1
Configure user mapping arguments? [ no ]: yes
CT user ID (must exist!) [ test ]: p3787
Mapped name [ randomstring@yourdomain.com ]: Joe E Soap/acme
Mapped domain [ CT_WINDOWS_UPN ]: CT_DOMINO_UID
Creating mapping...
Done


Now a user attempts to connect to the web pages and authenticates to ClearTrust logon pages with the UserID "bulk3787". A sample of the AuthServer log is now shown below:

19:19:18:177 [*] [MUXWORKER-7] - TCPServerAPIAdaptor.getUserMapping( {PROVIDER_TYPE=GENERIC_USER, CT_NAME=p3787, MAPPED_DOMAIN=CT_DOMINO_UID}, {CLIENT_IP=192.168.0.2, CLIENT_PORT=2609} ) returning
{CT_NAME=p3787, MAPPED_DOMAIN=CT_DOMINO_UID, MAPPED_NAME=Joe E Soap/acme}
19:19:18:177 [*] [MUXWORKER-7] -        result: {CT_NAME=p3787, MAPPED_DOMAIN=CT_DOMINO_UID, MAPPED_NAME=Joe E Soap/acme}

Now a user attempts to connect to the web pages and authenticates to ClearTrust logon pages with the UserID "bulk3787" and is connected into the Domino service with the mapped credentials of "Joe E Soap/acme".
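The AuthServer log lines above record which ClearTrust ID was mapped to which Domino identity, and for which client. The following Python sketch is an added example, not RSA code: it parses getUserMapping entries in the format shown and flags any mapping that is not in an administrator-maintained list. The second log entry, the EXPECTED table and the function names are constructed for illustration.

```python
import re

# Entry 1 is copied from the article; entry 2 is constructed in the same format.
SAMPLE_LOG = """\
19:19:18:177 [*] [MUXWORKER-7] - TCPServerAPIAdaptor.getUserMapping( {PROVIDER_TYPE=GENERIC_USER, CT_NAME=p3787, MAPPED_DOMAIN=CT_DOMINO_UID}, {CLIENT_IP=192.168.0.2, CLIENT_PORT=2609} ) returning
19:19:18:177 [*] [MUXWORKER-7] -        result: {CT_NAME=p3787, MAPPED_DOMAIN=CT_DOMINO_UID, MAPPED_NAME=Joe E Soap/acme}
19:21:02:410 [*] [MUXWORKER-3] - TCPServerAPIAdaptor.getUserMapping( {PROVIDER_TYPE=GENERIC_USER, CT_NAME=test, MAPPED_DOMAIN=CT_DOMINO_UID}, {CLIENT_IP=192.168.0.9, CLIENT_PORT=3011} ) returning
19:21:02:411 [*] [MUXWORKER-3] -        result: {CT_NAME=test, MAPPED_DOMAIN=CT_DOMINO_UID, MAPPED_NAME=Example Admin/acme}
"""

# Mappings the administrator created on purpose (assumption: kept by hand; here the one from the article).
EXPECTED = {("p3787", "CT_DOMINO_UID"): "Joe E Soap/acme"}

LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d:\d{3}) \[\*\] \[(?P<thread>[^\]]+)\] - +(?P<msg>.*)$")
CALL = re.compile(r"getUserMapping\( \{(?P<req>[^}]*)\}, \{(?P<client>[^}]*)\} \)")
RESULT = re.compile(r"^result: \{(?P<res>[^}]*)\}")

def parse_map(body):
    """Parse 'K=V, K=V'; split only before an upper-case KEY= so values may contain spaces."""
    parts = re.split(r", (?=[A-Z_]+=)", body)
    return dict(p.split("=", 1) for p in parts if "=" in p)

def audit(log_text, expected):
    """Return one record per mapping lookup, marked ok/unexpected against `expected`."""
    pending, records = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines without a timestamp are skipped
        call, result = CALL.search(m["msg"]), RESULT.match(m["msg"])
        if call:  # remember which client asked, keyed by worker thread
            pending[m["thread"]] = parse_map(call["client"])
        elif result:
            res = parse_map(result["res"])
            client = pending.pop(m["thread"], {})
            key = (res.get("CT_NAME"), res.get("MAPPED_DOMAIN"))
            ok = expected.get(key) == res.get("MAPPED_NAME")
            records.append({
                "time": m["ts"], "client_ip": client.get("CLIENT_IP"),
                "ct_name": key[0], "domain": key[1],
                "mapped_name": res.get("MAPPED_NAME"),
                "status": "ok" if ok else "unexpected",
            })
    return records

if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG, EXPECTED):
        print(rec)
```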

Other RSA SecurCare knowledgebase articles which may prove useful:

a25608    How to view RSA ClearTrust headers in Lotus Domino R5
a26634    How to reinstall RSA ClearTrust Agent 4.6 for Lotus Domino 6.5.1
a21982    Error: 'Notes Initialization Failed' in RSA ClearTrust Agent 4.6 for Lotus Domino R5
a26664    Error: 'Failed to load DSAPI module /opt/ctrust/agent-domino65-46/lib/libct_domino65_agent.a'
a28428    RSA ClearTrust users keep looping to logon page
Error 401: You are not authorized to perform this operation

For full documentation on using the ClearTrust Domino agent see the documentation which comes with the product.  Online copies are also available on SecurCare OnLine.

RSA ClearTrust Agent 4.6 Release Notes
https://knowledge.rsasecurity.com/docs/rsa_cleartrust/agent/46/docs/Release_Notes/relnote.html

RSA ClearTrust Agent 4.6 Installation and Configuration Guide
https://knowledge.rsasecurity.com/docs/rsa_cleartrust/agent/46/docs/WebServersInstallConfig.htm

Notes

A rough guide to installing and running the ClearTrust Domino agent is available at ftp://ftp.rsasecurity.com/support/users/mjbond/DominoSupportGuide.zip and, although the content is unofficial, it is available to supply to customers as a best endeavours guide.

Legacy Article ID: a21981
