Searching for Users in multiple user stores

If you have configured multiple user stores, VIP Enterprise Gateway searches for a user in the user stores based on the following rules:
  • VIP Enterprise Gateway searches user stores in the order that they appear on the User Stores page. If you want to change the order of the search, re-order the user stores in the User Stores page. See
  • The user name provided as part of validation is substituted into the search filter that is provided in the user store configuration. VIP Enterprise Gateway binds the user name with the password provided. If the search query returns exactly one record, the user bind is attempted with the password provided. If no records are found or more than one user record is returned, the user search on that user store is skipped, and VIP Enterprise Gateway uses the next user store to search for the user.
  • If the user name record has domain information as part of the user name (like domain\username for Active Directory), the user name is only validated against the user store which serves the specific domain.
The following table and scenarios provide some examples:

| User Store Name | Domain | Users in the User Store | User Search Filter |
|---|---|---|---|
| Acme Financial | acme | cn=john_smith, ou=sales, dc=acme, dc=com | (cn=%s) |
| | | cn=john_smith, ou=eng, dc=acme, dc=com | |
| | | cn=alice, ou=sales, dc=acme, dc=com | |
| TrustedBank | trustedbank | cn=john_smith, cn=users, dc=trustedbank, dc=com (sAMAccountName=john_doe) | (sAMAccountName=%s) |
| XYZBank | xyzbank | cn=bob, cn=users, dc=xyzbank, dc=com (sAMAccountName=bob) | (sAMAccountName=%s) |

Scenario 1: The user logs in as user bob. A user name match is not found in either the Acme Financial user store or the TrustedBank user store, and the search fails in these user stores. However, the user bob is found in the XYZBank user store, and the user is allowed to log on.
Scenario 2: The user logs in as user john_doe. In the Acme Financial user store, two instances are found for the user name john_smith. Because the user john_smith is not uniquely identified, VIP Enterprise Gateway skips the Acme Financial user store. Next, an instance of the user john_smith is found in the TrustedBank user store. Because the user john_smith is uniquely identified in the TrustedBank user store, the user john_smith is allowed to log on.
Scenario 3: The user logs in as xyzbank\bob. In this case, xyzbank is identified as the domain and the XYZBank user store is identified as serving the domain. So, VIP Enterprise Gateway searches for the user bob only in the XYZBank user store. The user is found successfully and allowed to log on.
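
The search rules above, modelled as an added Python example (not VIP Enterprise Gateway code): the directory contents are constructed from the table, the password bind is not modelled, and the function names are hypothetical. The RFC 4515 escaping of the user name before it is placed in the filter is an assumed hardening step; the page does not describe how the gateway treats special characters.

```python
import re

# Constructed directory data mirroring the table above; list order stands in
# for the order of the stores on the User Stores page.
STORES = [
    {"name": "Acme Financial", "domain": "acme", "filter": "(cn=%s)",
     "entries": [{"cn": "john_smith", "ou": "sales"},
                 {"cn": "john_smith", "ou": "eng"},
                 {"cn": "alice", "ou": "sales"}]},
    {"name": "TrustedBank", "domain": "trustedbank", "filter": "(sAMAccountName=%s)",
     "entries": [{"cn": "john_smith", "sAMAccountName": "john_doe"}]},
    {"name": "XYZBank", "domain": "xyzbank", "filter": "(sAMAccountName=%s)",
     "entries": [{"cn": "bob", "sAMAccountName": "bob"}]},
]

def escape_filter_value(value):
    """RFC 4515 escaping so a user name cannot change the filter's structure."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def search(store, username):
    """Evaluate the store's single-attribute equality filter against its entries."""
    flt = store["filter"] % escape_filter_value(username)
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", flt).groups()
    # Undo the \XX escapes to recover the literal value the filter asks for.
    literal = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return [e for e in store["entries"] if e.get(attr) == literal]

def resolve(login):
    """Return (store name or None, trace of (store, match count)) per the rules."""
    domain, sep, user = login.rpartition("\\")
    # A domain\username login is checked only against the store serving that domain.
    candidates = [s for s in STORES if not sep or s["domain"] == domain]
    trace = []
    for store in candidates:
        hits = search(store, user)
        trace.append((store["name"], len(hits)))
        if len(hits) == 1:  # exactly one record: the bind would be attempted here
            return store["name"], trace
        # zero or several records: this store is skipped, the next one is tried
    return None, trace

if __name__ == "__main__":
    for login in ("bob", "john_doe", "john_smith", "xyzbank\\bob", "*"):
        print(login, "->", resolve(login))
```

The trace makes the skip behaviour visible: a user name that matches two entries in an earlier store falls through to later stores, so which store ends up authenticating a bare user name depends on store order and on uniqueness within each store.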