How do we use user names longer than 10 characters to log in to TEP?
Start by enabling LDAP at TEPS. Ensure that the same user does not exist in two different repositories. It is recommended that you leave sysadmin OUT of the LDAP repository. The TEPS database stores information about users in the KFWUSER table, and user IDs in that table cannot be longer than 10 characters. Therefore, the basic functioning is as follows:
(1) Let a user 'longusername1' be defined in LDAP directory.
(2) Log in to TEP as sysadmin and define a new user account. In this example, enter the user ID as 'longuser1' (i.e. containing fewer than 10 characters).
(3) Select the DN corresponding to the following entry and set and save the permissions:
(4) There will now be an entry in KFWUSERALIAS which maps the DN to the short username.
(5) By default, we use the value of the uid attribute in the LDAP repository. This means that when the user wishes to log in, they must enter the value of uid which is specified for cn=longusername1,ou=xxx,ou=yyy,o=ITMSSOEntry. In this case, it will be 'longusername1'.
(6) Then the following occurs:
(i) TEPS sends eWAS the login ID ("longusername1")
(ii) eWAS performs a principal name search against ITMSSOEntry for person accounts with "longusername1" in the uid field
(iii) If it finds a match it stores away the response: cn=longusername1,ou=xxx,ou=yyy,o=ITMSSOEntry
(iv) It verifies that the password entered matches that of the matched entry
(v) It consults the KFWUSERALIAS table to find the USERID that corresponds to the DN and uses this to determine what privileges are available for the TEP session, as defined in KFWUSER
(vi) It allows the user to log in and now just treats the user as "longuser1"
(7) Once past the last step, the TEPS then treats the USERID as any other account and does not care whether it is an LDAP account or not.
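The lookup chain in steps (i) to (vi) can be modelled as follows. This is an added example, not IBM code: the dictionary layouts, the passwords, the second directory entry and the refusal of a login whose DN has no alias are assumptions of the model, and the password comparison stands in for the real LDAP check.

```python
# Model of login steps (i)-(vi). All data is constructed; the dict layouts are
# illustrative and are NOT the real KFWUSER / KFWUSERALIAS table schemas.
import hmac

DN_LONG = "cn=longusername1,ou=xxx,ou=yyy,o=ITMSSOEntry"
DN_UNMAPPED = "cn=unmappeduser22,ou=xxx,ou=yyy,o=ITMSSOEntry"  # constructed entry

# Constructed directory: DN -> attributes. The password field stands in for
# whatever check the LDAP server performs in step (iv).
LDAP = {
    DN_LONG: {"uid": "longusername1", "password": "example-pw"},
    DN_UNMAPPED: {"uid": "unmappeduser22", "password": "example-pw2"},
}
KFWUSERALIAS = {DN_LONG: "longuser1"}                        # DN -> short USERID
KFWUSER = {"longuser1": ["view_workspaces"], "sysadmin": ["all"]}  # USERID -> privileges


def login(login_id, password):
    """Return (userid, privileges) on success or (None, reason) on failure."""
    # (ii) principal name search on the uid attribute
    matches = [dn for dn, entry in LDAP.items() if entry["uid"] == login_id]
    if len(matches) != 1:
        return None, "no unique directory entry"
    dn = matches[0]  # (iii) remember the DN that matched
    # (iv) verify the password against the matched entry
    stored = LDAP[dn]["password"].encode()
    if not hmac.compare_digest(stored, password.encode()):
        return None, "bad password"
    # (v) DN -> USERID through the alias table, then USERID -> privileges.
    # Assumption of this model: a DN without an alias gets no session.
    userid = KFWUSERALIAS.get(dn)
    if userid is None or userid not in KFWUSER:
        return None, "no TEPS account mapped to DN"
    # (vi) from here on the session is known only by the short USERID
    return userid, KFWUSER[userid]


if __name__ == "__main__":
    for attempt in [("longusername1", "example-pw"),    # long uid: accepted
                    ("longuser1", "example-pw"),        # short ID is not a uid
                    ("unmappeduser22", "example-pw2"),  # authenticates, no alias
                    ("longusername1", "wrong")]:
        print(attempt[0], "->", login(*attempt))
```

The second attempt shows why the user types the long uid rather than the short ID: the short USERID only exists on the TEPS side of the alias mapping.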