Searching for Users in multiple user stores
If you have configured multiple user stores, VIP Enterprise Gateway searches for a user in the user stores based on specific rules.
VIP Enterprise Gateway searches for a user in multiple user stores based on the following rules:
- VIP Enterprise Gateway searches user stores in the order that they appear on the User Stores page. If you want to change the order of the search, re-order the user stores on the User Stores page. See
- The user name provided as part of validation is replaced with the search filter that is provided in the user store configuration. VIP Enterprise Gateway binds the user name with the password provided. If the search query returns exactly one record, the user bind is attempted with the password provided. If no records are found or more than one user record is returned, the user search on that user store is skipped. VIP Enterprise Gateway uses the next user store to search for the user.
- If the user name record has domain information as part of the user name (like domain\username for Active Directory), the user name is only validated against the user store which serves the specific domain.
The following table and scenarios provide some examples:
| User Store Name | Domain | Users in the User Store | User Search Filter |
|---|---|---|---|
| Acme Financial | acme | cn=john_smith, ou=sales, dc=acme, dc=com<br>cn=john_smith, ou=eng, dc=acme, dc=com<br>cn=alice, ou=sales, dc=acme, dc=com | (cn=%s) |
| TrustedBank | trustedbank | cn=john_smith, cn=users, dc=trustedbank, dc=com (sAMAccountName=john_doe) | (sAMAccountName=%s) |
| XYZBank | xyzbank | cn=bob, cn=users, dc=xyzbank, dc=com (sAMAccountName=bob) | (sAMAccountName=%s) |
Scenario 1:
The user logs in as user bob. A user name match is not found in the Acme Financial user store nor the TrustedBank user store, and the search fails in these user stores. However, the user bob is found in the XYZBank user store, and the user is allowed to log on.

Scenario 2:
The user logs in as user john_doe. In the Acme Financial user store, two instances are found for the user name john_smith. Because the user john_smith is not uniquely identified, VIP Enterprise Gateway skips the Acme Financial user store. Next, an instance of the user john_smith is found in the TrustedBank user store. Because the user john_smith is uniquely identified in the TrustedBank user store, the user john_smith is allowed to log on.

Scenario 3:
The user logs in as xyzbank\bob. In this case, xyzbank is identified as the domain and the XYZBank user store is identified as serving the domain. So, VIP Enterprise Gateway searches for the user bob only in the XYZBank user store. The user is found successfully and allowed to log on.
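
The search rules above, modelled over the three user stores in the table, as an added example that is not VIP Enterprise Gateway code. The `search` and `resolve` helpers and the in-memory directory are hypothetical, only simple `(attr=%s)` filters are handled, and the model stops at the point where the bind would be attempted.

```python
# Constructed in-memory copy of the table above, in User Stores page order.
STORES = [
    {"name": "Acme Financial", "domain": "acme", "filter": "(cn=%s)", "users": [
        {"dn": "cn=john_smith,ou=sales,dc=acme,dc=com", "cn": "john_smith"},
        {"dn": "cn=john_smith,ou=eng,dc=acme,dc=com", "cn": "john_smith"},
        {"dn": "cn=alice,ou=sales,dc=acme,dc=com", "cn": "alice"},
    ]},
    {"name": "TrustedBank", "domain": "trustedbank", "filter": "(sAMAccountName=%s)", "users": [
        {"dn": "cn=john_smith,cn=users,dc=trustedbank,dc=com",
         "cn": "john_smith", "sAMAccountName": "john_doe"},
    ]},
    {"name": "XYZBank", "domain": "xyzbank", "filter": "(sAMAccountName=%s)", "users": [
        {"dn": "cn=bob,cn=users,dc=xyzbank,dc=com", "cn": "bob", "sAMAccountName": "bob"},
    ]},
]

def search(store, user):
    """Apply the store's simple (attr=%s) filter and return the matching DNs."""
    attr = store["filter"].strip("()").split("=", 1)[0]
    return [u["dn"] for u in store["users"] if u.get(attr) == user]

def resolve(login, stores=STORES):
    """Return ((store name, DN) or None, trace) for where the bind would be attempted."""
    domain, sep, user = login.rpartition("\\")   # "xyzbank\bob" -> ("xyzbank", "\", "bob")
    trace = []
    for store in stores:
        # Rule 3: a domain-qualified name is checked only in the store serving that domain.
        if sep and store["domain"] != domain.lower():
            trace.append((store["name"], "not searched: serves another domain"))
            continue
        hits = search(store, user)
        # Rule 2: bind only when the search returns exactly one record.
        if len(hits) == 1:
            trace.append((store["name"], "unique match"))
            return (store["name"], hits[0]), trace
        trace.append((store["name"], f"skipped: {len(hits)} records"))
    return None, trace

if __name__ == "__main__":
    for login in ("bob", "john_doe", "john_smith", "xyzbank\\bob"):
        target, trace = resolve(login)
        print(login, "->", target)
        for step in trace:
            print("   ", *step)
```

The trace shows that a bare user name falls through every configured store in order, while a domain-qualified name is confined to the one store that serves its domain.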