Configuring LiveLink NTLM authentication

Mar 5, 2009
I am working on a proof of concept project to implement NTLM authentication with LiveLink

My user base numbers some 6000+ users all connecting to LiveLink from a Windows network domain, with the LiveLink server being a Unix box

As I understand it, and from what I'm reading here:
it is not natively possible to configure LiveLink Directory Services for NTLM authentication with LiveLink if LiveLink is served from a Unix server and the active directory server against which we wish to authenticate is on a Windows server

Have I understood this correctly and is there any way to get around this limitation?

I've seen the installation documentation for Directory Services version 3.1.0 here:


but am not able to find any equivalent release notes confirming specific fixes or enhancements other than what I can see here:

 
I will try to put my thoughts here.
First, DirSvcs has two functions: 1. it provides seamless authentication; 2. it provides synchronization (create/update/delete) of accounts.

If our users are part of a Windows AD domain, and when they open their browser and connect to Livelink using the browser, all the Livelink server (albeit running on UNIX) is receiving is the REMOTE_USER variable. In IIS it is achieved by enabling IWA on the IIS webserver. In Unix, depending on the flavor, there should be SSO plugins, I forget names, but several users in Livelink are Solaris people so they all have this working.

Open a support ticket with OpenText and very efficient directory services gurus like Chris Wagg will come to your rescue. While you are doing this I would suggest that you do read-only LDAP authentication, which is way better than NTLM authentication (it also is done against AD).


Well, if I called the wrong number, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937

Certified OT Developer and probably certifiable, Livelink ECM Champion 2008
 
Thank you

A very comprehensive response

You've pretty much confirmed what I had a hunch was true

I've actually just had a conference call with LiveLink (product managers and technicians) and put the same question to them and they responded exactly as you have

I've actually already got my development Apache web server set up and running with the mod_ntlm DSO and have confirmed through a test CGI script that the web server correctly picks up my network login username (via $REMOTE_USER) and have tested this with my users across several domains with success in all cases, barring one domain with which we currently do not have any trust set up

I am looking to implement NTLM authentication rather than LDAP authentication as I want "seamless" authentication without any challenge for credentials via a login screen

Given what both you and LiveLink have confirmed for me today, I'm going to proceed now with next step configuration actions on my development server

One point to note is that I'm working with a former OpenText consultant on this project and it is his understanding and guidance that under Unix the option to choose NTLM does not appear for selection in the drop down list from within the LiveLink login configuration. His guidance is that this option is only available under Windows/IIS

Are you able to confirm this either way from what you understand about this?

I'll no doubt find out more on this for certain once we have a vanilla LiveLink install on our development webserver


 
I have not personally messed with Unix since 2000 and that Livelink was not SSO'ed. Several people use Apache on Linux for Livelink so I know that SSO is available through the Apache libraries. If you get into a bind I can probably send you some names you could use.

Well, if I called the wrong number, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937

Certified OT Developer and probably certifiable, Livelink ECM Champion 2008
 
Thanks for your guidance appnair

I've asked my tech support to contact Chris Wagg at Livelink, so will see how they get on

I'll post back here as soon as we have SSO working as it may help others
 
Hi Appu,

I want to know about IWA in IIS. Some of our users are not able to authenticate seamlessly. We are on LL 9.7.0, Windows 2003 IIS6, just upgraded to DS 3.0. I have disabled the 'Anonymous user' and enabled windows integration authentication. The remote_user value shows domain\username and is correct but I see a chunk of IE7 users having SSO issues, IIS passes on to Livelink for authentication. Is there something that I am missing?
I myself am not able to recreate the problem.
 
Things to check would include what your setup is for Authentication: do you have Domain & Username or just Username specified? What settings for passing credentials do you have in IE per security zone?

Greg Griffiths
Livelink Certified Developer & ECM Global Star Champion 2005 & 2006
 
What Greg says the first part is on the livelink server side on your ds settings and the second is what you set in IE.

You can debug SSO problems from the user having the problem by executing the RH called func=admin.testargs; this will spit out what the REMOTE_USER is for that session and what Livelink is receiving from the user's browser.

Well, if I called the wrong number, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937

Certified OT Developer and probably certifiable, Livelink ECM Champion 2008
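
The checks discussed in the posts above (is REMOTE_USER set at all, does it arrive as domain\username or as a bare username, and is the domain one the web server is meant to trust) can be run from a small diagnostic CGI script. This is an added example, not part of the original thread and not OpenText or mod_ntlm code; the domain names `CORP` and `EMEA`, the username pattern and the function names are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Diagnostic CGI: report what the web server hands the application as REMOTE_USER."""
import os
import re

# Constructed placeholders: replace with the domains your web server trusts.
TRUSTED_DOMAINS = {"CORP", "EMEA"}
# Assumed account-name pattern, used only to flag unexpected characters.
NAME_RE = re.compile(r"^[A-Za-z0-9._$-]{1,64}$")


def parse_remote_user(value):
    """Split REMOTE_USER into (domain, username); domain is None for a bare name."""
    if "\\" in value:                      # DOMAIN\username (NTLM / IWA style)
        domain, _, user = value.partition("\\")
    elif "@" in value:                     # username@domain (UPN style)
        user, _, domain = value.partition("@")
    else:
        domain, user = None, value
    return (domain.upper() if domain else None), user


def diagnose(environ, expect_domain=True, trusted=TRUSTED_DOMAINS):
    """Return a list of findings for one request's CGI environment."""
    findings = []
    raw = environ.get("REMOTE_USER", "")
    if not raw:
        return ["REMOTE_USER is empty: request was not authenticated by the web server"]
    if not environ.get("AUTH_TYPE"):
        findings.append("AUTH_TYPE is empty: REMOTE_USER may not come from an auth module")
    domain, user = parse_remote_user(raw)
    if not NAME_RE.match(user):
        findings.append("username contains unexpected characters: %r" % user)
    if expect_domain and domain is None:
        findings.append("bare username received but domain and username expected")
    if not expect_domain and domain is not None:
        findings.append("domain-qualified name received but bare username expected")
    if domain is not None and domain not in trusted:
        findings.append("domain %s is not in the trusted list" % domain)
    return findings or ["OK: %s (domain=%s)" % (user, domain)]


# Only emit a response when actually invoked by the web server as a CGI.
if __name__ == "__main__" and "GATEWAY_INTERFACE" in os.environ:
    print("Content-Type: text/plain\n")
    print("\n".join(diagnose(os.environ)))
```

Set `expect_domain` to match how the application's authentication is configured (Domain & Username or just Username), and keep the script in a location protected by the same authentication settings as the application so the values it reports are the ones the application sees.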
 
...just a brief update to confirm that we now have NTLM authentication working in our test LiveLink instance running on Unix (Solaris 9)

Even though the OpenText Directory Services NTLM configuration options do not appear for a LiveLink Unix installation, my LiveLink technical expert has modified the "OpenText ini" file directly and added the relevant settings to enable NTLM authentication

Our tests show that we also now have NTLM authentication working across multiple domains using an enhanced version of the mod_ntlm Apache module

I'll post back here later with more details on how we achieved this and also post details on which Apache mod_ntlm module version we're using




 
Excellent Ch33kyMonk3y's way to go,

I would urge you to open up a free account at communities.opentext.com and post the actual steps (screenshots when relevant) in the Administrators WIKI section. This would help a lot of people understand what DirSvcs is, as I have a feeling that IIS Livelink is almost on the path to extinction. If you need help co-authoring, looking at script etc., just shoot me an email. Just my thought, nothing official about it. I myself have never been able to run Livelink on an IIS7 server. If anybody has had success, post it here, just the IIS side of things.

Well, if I called the wrong number, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937

Certified OT Developer and probably certifiable, Livelink ECM Champion 2008
 