Clarity


Clarity LDAP - Active Directory


  • 1.  Clarity LDAP - Active Directory

    Posted Feb 02, 2009 09:14 AM
    Has anyone integrated Clarity with Active Directory for single sign-on? Please share your experience. Thanks in advance, C Maly


  • 2.  Re: Clarity LDAP - Active Directory

    Posted Jul 22, 2009 09:05 AM
    Have you connected Clarity with LDAP yet?   Please share any experiences.   We plan to very shortly, I will keep you posted on our progress.   Thanks!   Linda


  • 3.  Re: Clarity LDAP - Active Directory

    Posted Jul 22, 2009 09:22 AM
    Hi Both,  Pls go through the Understanding LDAP and Clarity Authentication Guide enclosed. It will help you.  Regards, Sundar


  • 4.  Re: Clarity LDAP - Active Directory

    Posted Jul 23, 2009 08:01 AM
    We are within a couple of weeks of going live with LDAP authentication integration. To date we have run it on a development system only. A couple of lessons I learnt from this:

    1. Expect to spend a little bit of time experimenting with the NSA settings to get them to work. Alongside you should be sitting somebody who knows your particular LDAP configuration well.
    2. Having set up LDAP authentication successfully, make sure you experiment with the two LDAP related jobs - particularly the "remove obsolete users" one. There is a danger that this will accidentally remove access from legitimate users.
    3. Remember that not all users have to use LDAP authentication if this is turned on. Useful if you have some users who are not covered by the main LDAP system.
    4. We were originally planning to implement single sign on. After experimentation we have decided not to do this for a couple of reasons: it creates problems for those who need to move between more than one login (for example admins). Secondly it will not work without the correct server-side software installed. Search this forum for more details on the particulars of this. The manual is rather vague on this.


  • 5.  Re: Clarity LDAP - Active Directory

    Posted Jul 23, 2009 11:40 PM
    Hi,

    I will add some more.

    1. After integrating with LDAP, if any users raise an issue that requires the admin/support team to log in as the user to check/fix the issue, we should first uncheck the Admin-->Resources-->External Authentication field (as the authentication will be done by LDAP) and save it. Then we can set our own password and then analyze. After that, check External Authentication again and save it.
    2. The cmn_sec_users table is the one which holds the external authentication column. The is_ldap column is set to 1 for LDAP users; for non-LDAP users it will be 0. So once you have decided to go for LDAP you can do an update on this column. For users like admin/job admin you need to set is_ldap = 0. For that, in NSA-->properties-->security--> you have to check Allow Non Ldap Users.
    3. In Admin-->system options-->session options--> pls set the invalid login limit to the same as that set in LDAP and also set zero for the password expiration column.
    4. For the first week of pdn rollout set com.niku.security in NSA-->logs-->edit configuration (app-niku.log and bg-niku.log) to debug mode, so it will be easy to fix LDAP issues. Then revert back to Error mode, as the log size will be growing like anything.
    5. If possible put a note on the login page that the users should use their LDAP username/pwd to log in to Clarity. (Mostly it will be the company ERP username/pwd as it will also be pointing to LDAP.) There are a lot of discussions available already for modifying the login page in old forums and the Installation guide.
    6. The services that need to be restarted after LDAP configuration in NSA are the app and bg services. If you make any change you need to stop/start the bg & app services.
    7. Be familiar with the 2 LDAP jobs mentioned by Phil.
    8. Get familiar with LDAP error codes so you can debug quickly, and finally have good contact with the LDAP admin.

    Cheers and Good Luck, Sundar


  • 6.  Re: Clarity LDAP - Active Directory

    Posted Oct 11, 2009 03:39 PM
    Hi All,

    I need some urgent help regarding an LDAP error in our environment. LDAP - Synchronize New and Changed Users is failing with the following error messages.

    ERROR 2009-10-12 08:34:53,547 [Dispatch Thread-30 : bg@CLRTYDV-01] niku.njs (none:none:none) Error executing job: 5003580
    java.lang.Exception: Synchronize new and changed users job failed:
    com.niku.security.directory.DirectoryServiceException: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
        'OU=XYZ,OU=WXYZ,OU=XX,OU=***,DC=YY,DC=YYY'
    ]; remaining name 'CN=CLARITY_USERS,OU=XYZ,OU=WXYZ,OU=XX,OU=***,,DC=YY,DC=YYY'
        at com.niku.security.directory.LDAPAddModifySyncAgent.scheduledEventFired(LDAPAddModifySyncAgent.java:52)
        at com.niku.njs.Dispatcher$BGTask.run(Dispatcher.java:265)
        at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:727)
        at java.lang.Thread.run(Thread.java:595)

    Any suggestions?


  • 7.  Re: Clarity LDAP - Active Directory

    Posted Oct 11, 2009 08:33 PM
    Google searching: "javax.naming.NameNotFoundException" ldap "LDAP: error code 32" suggests that there may be a problem in your LDAP search string, or perhaps something you expect to be in the LDAP tree isn't. The "LDAP: error code 32" is being directly returned from your search I believe.


  • 8.  Re: Clarity LDAP - Active Directory

    Posted Oct 11, 2009 08:41 PM
    Thanks Paul,

    I have reviewed the ldap_XXXX.xml file for today's date and found there were 2 users included in the Clarity user group with a blank email id (Strange !!!). Removing those users from the group resolved the problem.


  • 9.  Re: Clarity LDAP - Active Directory

    Posted Oct 11, 2009 08:51 PM
    Yes - blank email address (a mandatory attribute in Clarity) would be a problem - glad you found the problem.


  • 10.  Re: Clarity LDAP - Active Directory

    Posted Oct 12, 2009 03:46 AM
    Hi,

    Troubleshooting LDAP Sync Jobs

    1) When an LDAP synchronization job or authentication process does not work as expected, do any of the following:

    Enable debug messages in the security component by doing the following:
     a. Edit bg-logger.xml and add the "com.niku.security" category.
     b. Set the priority to "debug".
     c. Restart the CA Clarity background (bg) service so that the changes take effect.
     d. Check the bg-niku.log file.
     e. If you have multiple bg services in your cluster, shut down all but one (to make sure the job is running on the server that you are debugging) or enable debugging on all of them individually.

    2) Check the LDAP synchronization log files in the /niku/Clarity/logs/ldapsync directory.

    3) Check the users.xml file. This file contains a list of user names that are extracted from the LDAP server. If this file is missing, the communication between CA Clarity PPM and the LDAP server was unsuccessful.

    4) Check the sync.xml file. This file contains the results from a gateway user import session. If this file is missing, the communication between CA Clarity PPM and the gateway was unsuccessful.

    5) Examining the ldapsync_xxxx.xml file
    The $CLARITY_HOME/logs/ldapsync/ldapsync_xxxx.xml file will contain the statistics of the job. This file will indicate how many records were processed and if the records are new or updated. This file must be examined to ensure that all LDAP users have been updated in the Clarity application.

    a) Successful LDAP sync Results
    Here is an example of the output of the ldapsync_nm_xxxx.xml file showing that there were records inserted and updated. Note: When new users are added, a default password is created in the Clarity Resource Properties but it is not used for authentication purposes. Clarity will check the password on the LDAP server.

        ALL RECORDS
        WARNING
        New Users Password will be Defaulted to Value niku2000

    b) FATAL Error: Cannot insert NULL
    Here is an example of one error message that may appear in the ldapsync_nm_xxxx.xml file for a new user record:

        NIKU
        1234
        swithin

        FATAL
        This record has not been inserted
        ORA-01400: cannot insert NULL into ("NIKU"."CMN_SEC_USERS"."EMAIL_ADDRESS")

    Cause
    The email address is marked as a required field in the XOG users.xsd file. If the email address is blank in the LDAP profile, the Clarity application will not accept the profile and generate this fatal error message. Ensure that all LDAP Attribute mapping fields have data for importing into the Clarity application. The job will stop at this point. Correct this by entering in an email address in the LDAP server for the specified user and execute the LDAP sync job again.

    6) Database LDAP Table Info
    When LDAP is enabled, a record is entered into the CMN_DIRECTORY_SERVERS table. This record also contains the latest date/timestamp when the LDAP sync job successfully completed. You can check this table.

    7) Number of users in the Directory Service
    Take the number of users into consideration that are to be loaded from the directory service into the Clarity application. This will impact processing times for the LDAP sync jobs. The Batch Size field in the NSA > Security properties will help you to manage the number of resources that will be processed at a time using the Clarity LDAP sync jobs. Be sure to specify the same number in the NSA that you have defined in your LDAP server.

    8) LDAP Configuration: Group Name and Search Filter
    In the NSA, you can configure different combinations of Group Name and Search Filter in order for your LDAP Sync Job to add the desired users to your Clarity Application.

            a) You can configure a Group Name only. If you define a Group Name, you must also have the appropriate value in the Group Identifier field. You must enter member for MS Active Directory or uniquemember for Novell eDirectory. Note: nested groups configured within LDAP are not supported by the Clarity application. Specify a Group Name that is not a 'nested' group name.

            b) You can configure a Search Filter only. If you have a set of users that do not belong to a single group you can define a search filter for a particular attribute. If you configure a Search Filter only, you do not need to enter values for the Group Name or Group Identifier fields.

            c) You can configure a Group Name and a Search Filter. If you have a set of users that belong to a single group (nested groups within LDAP are not supported), AND you want to include additional users that may not be part of the group, but meet the criteria of a Search Filter, you can specify both a Group Name and a Search Filter. When the LDAP sync jobs are executed, all users that match either the Group Name criteria OR the Search Filter criteria will be added, modified, or inactivated.

    Cheers, sundar


  • 11.  Re: Clarity LDAP - Active Directory

    Posted Jul 24, 2009 10:23 AM
    Hi Chummar,  How are you? I don't know if you still have questions with SSO, LDAP/Active Directory and Clarity. We have it set up in a dev environment, and everything works well.  Let me know if you need any information.  your friend,  Mike Brunak


  • 12.  RE: Re: Clarity LDAP - Active Directory

    Posted Aug 11, 2010 02:17 PM
    Hello Mike,

    We recently implemented Clarity along with Site minder for SSO. But we do need a non-SSO instance of Clarity for kind of a backdoor entry into Clarity. (We need to use the out-of-the-box admin users such as "nikuadmin" etc). But in order to access them, we need the Clarity home page coming up instead of the Site minder redirected link. Everything here is configured such that it takes us to the Site minder link (and so we cannot use any of the out of the box admin user ids). Please advise as to what you think can be done to get the non-SSO instance of Clarity, bypassing Site Minder?

    Gayathri


  • 13.  Re: Clarity LDAP - Active Directory

    Posted Jul 27, 2009 11:48 AM
    Keep in mind that you can integrate with LDAP and NOT run either of the two jobs supplied by Clarity. They are not required. We experimented a great deal in the beginning and determined that not running those two jobs was the best mode for us, and here is why.

    1) The first job will create users automatically in your environment. However, if you are on financials like we are or if you do a lot of resource work, the LDAP repository is likely not going to have all of the attributes that Clarity needs to fully configure a user in your environment. You also have no easy way to figure out which users Clarity recently created for you to go out and try to find them to clean them up. It was easier for us (since my staff also does the hiring and contractor sourcing) to set up the users manually and then send a work order over to Security to have their account on the network set up.

    2) The other job will make users inactive when they leave the company. This would be fine if it only turned off their login but it completely inactivates them. Again, if you are on financials, this turns off the cost history of all the past work that resource did for you. It looks like they were never there. We manually turn them off for login and for time entry but leave the resource record active until all of the projects that resource had worked on are complete. This is an annual clean up job for us but much better than the alternative.


  • 14.  Re: Clarity LDAP - Active Directory

    Posted Jul 27, 2009 11:52 AM
    Keep in mind that the original post/message from the user is in reference to using Clarity with LDAP for integration with SSO. Not many installations have actually configured the Single Sign On with Clarity. The LDAP integration itself is  fairly straightforward.


  • 15.  Re: Clarity LDAP - Active Directory

    Posted Oct 09, 2009 10:17 AM
    We are running 8.1.3 ...   not using Active Directory ...  Requirement:   when logging into Clarity, authenticate user credentials (user name, password) against LDAP server.   Perform without pushing data, without pulling data and without running either of the synchronization jobs.  Is this possible?   Is this reasonable?  Can this be accomplished merely by "Setting up Clarity for LDAP Authentication" (in NSA) as outlined in the Administration Guide?   Any extra setup required?   What about existing Resource entries with passwords which will not match values on LDAP server? Non issue?  Feedback is welcomed!   Thanks much!


  • 16.  Re: Clarity LDAP - Active Directory

    Posted Oct 09, 2009 11:08 AM
    Hi,

    We are on Clarity 7.5.2 using LDAP (not using Active Directory) for username / pwd authentication only. We are not using the 2 LDAP jobs since all users that exist in LDAP exist in our Clarity environment, as we follow a different process for user creation / de-activation, so we don't want the jobs to update the user credentials or create users based on LDAP. We are integrated with Peoplesoft ERP, which is the master database for resources, and all users will be there, so we are doing just authentication via LDAP.

    Is this possible?
    sun--> Yes, possible.

    Is this reasonable?
    sun--> It all depends upon your requirement and how your user activation / de-activation happens. Is it in sync with your ERP, and how frequently are you updating user records in Clarity based on your ERP?

    Can this be accomplished merely by "Setting up Clarity for LDAP Authentication" (in NSA) as outlined in the Administration Guide? Any extra setup required?
    sun--> You can view the installation guide and configure in NSA; all the points are given above (ignore the part about the 2 jobs).

    What about existing Resource entries with passwords which will not match values on LDAP server? Non issue?
    sun--> After the NSA settings, you should first check the Clarity Admin-->Resources-->External Authentication field (then the authentication will be done by LDAP) and save it. The username / pwd becomes non-editable. Then all the existing users' authentication will be done in LDAP. For the new user creation process you should do that as well. Pls go through the LDAP guide enclosed in the above post too.

    Best of luck....

    Cheers, sundar


  • 17.  Re: Clarity LDAP - Active Directory

    Posted Oct 13, 2009 06:48 AM
    Hi sundar,  Some further clarification if I could please...   In regard to your  suggestion "After NSA settings ,you should first check the Clarity Admin-->Resources-->External Authentication   Field(Then the authentication will be done by ldap)and save it."  Admin > Resource: Properties has an attribute 'External' (checkbox).   The    Admin Guide  indicates:   If the resource works for an outside company, select this box.    Therefore, I am unclear where to locate the "External Authentication Field".   Please advise.     Thanks and have a nice day!


  • 18.  Re: Clarity LDAP - Active Directory

    Posted Oct 13, 2009 06:55 AM
    ^ No, that's a different (standard, normal, nothing to do with LDAP) field.  Once you activate LDAP then you also get an "External Authentication" field against the resource.    Dave.


  • 19.  Re: Clarity LDAP - Active Directory

    Posted Oct 13, 2009 06:59 AM
    Hi,    Only after you choose to use LDAP in NSA (and re-start app) will the External Authentication field appear; otherwise it will not appear. Pls have a look at the snapshots... External -- if the resource works for an outside company, select this box, i.e. consultants.
    Cheers, sundar

    Attachment(s)

    zip
    Desktop.zip   146 KB 1 version


  • 20.  Re: Clarity LDAP - Active Directory

    Posted Oct 29, 2009 10:01 AM
    Hi,  Configured NSA to use LDAP, etc.  ... Restarted application ... 'External Authentication' field is NOT appearing in Resource Properties admin side of product.  Any/all advice welcomed!  Good day to all.


  • 21.  Re: Clarity LDAP - Active Directory

    Posted Oct 11, 2009 08:49 PM
    schardonstrunk wrote:
    Keep in mind that you can integrate with LDAP and NOT run either of the two jobs supplied by Clarity. They are not required. We experimented a great deal in the beginning and determined that not running those two jobs was the best mode for us, and here is why.  1) The first job will create users automatically in your environment. However, if you are on financials like we are or if you do a lot of resource work, the LDAP repository is likely not going to have all of the attributes that Clarity needs to fully configure a user in your environment. You also have no easy way to figure out which users Clarity recently created for you to go out and try to find them to clean them up. It was easier for us (since my staff also does the hiring and contractor sourcing) to set up the users manually and then send a work order over to Security to have their account on the network set up.  2) The other job will make users inactive when they leave the company. This would be fine if it only turned off their login but it completely inactivates them. Again, if you are on financials, this turns off the cost history of all the past work that resource did for you. It looks like they were never there. We manually turn them off for login and for time entry but leave the resource record active until all of the projects that resource had worked on are complete. This is an annual clean up job for us but much better than the alternative.

    Some interesting observations in here - thanks! You are quite right, these jobs are not mandatory. I'm not disputing your findings as it is clear you gave this a good deal of thought for your situation; however, you should be able to identify recently created resources (I think) via cmn_sec_users.created_date - but of course you would have to seek that information to do the follow-on work.  I'm interested in what you mean by "turns off the cost history of all the past work that resource did for you"...
    Did you consider submitting an enhancement request regarding more control over settings when de-activating resources?


  • 22.  Re: Clarity LDAP - Active Directory

    Posted Oct 11, 2009 12:25 AM
    Hi,              Sundar already told how to configure LDAP Server (Novell Edirectory) with Clarity. I already configured LDAP with clarity in my machine which is using to learn. LDAP Server configuration will be changed based on your LDAP server which was configured (Tree and Context). Please look at the attached file.    Thanks Senthil

    Attachment(s)

    doc
    screen shot.doc   95 KB 1 version


  • 23.  Re: Clarity LDAP - Active Directory

    Posted Oct 13, 2009 09:47 AM
    Excellent advice!   Thank you, Sentil.


  • 24.  Re: Clarity LDAP - Active Directory

    Posted Oct 29, 2009 10:22 AM
    Hi,  The External Authentication check box will appear once the Use LDAP check box is enabled on the NSA Application page. Please recheck the NSA settings as per my attached file. Once you have changed the NSA settings, you should restart the application services, then check the resource properties from admin.    Thanks, Senthil.

    Attachment(s)

    doc
    screen shot.doc   95 KB 1 version


  • 25.  Re: Clarity LDAP - Active Directory

    Posted Oct 29, 2009 11:45 AM
    Hi Senthil,  Thanks for the response.   We did follow the procedure you outlined and the 'External Authentication' attribute/checkbox does not appear on admin side of the product.   Will be opening a Case with Support on this...  Regards


  • 26.  Re: Clarity LDAP - Active Directory

    Posted Oct 29, 2009 11:55 AM
    Hi,  Have you re-started the BG,if not restart both   app & Bg and then check..  cheers,sundar


  • 27.  Re: Clarity LDAP - Active Directory

    Posted Oct 29, 2009 12:03 PM
    Hello Sundar,  Yes, stopped and restarted nsa bg... expected to see 'External Authentication' (but are not)  ...   Best Regards.


  • 28.  Re: Clarity LDAP - Active Directory

    Posted Oct 29, 2009 12:08 PM
    So, might it help to try this next?

    niku stop bg
    niku remove bg
    niku add bg
    niku deploy bg
    niku start bg


  • 29.  Re: Clarity LDAP - Active Directory

    Posted Oct 29, 2009 12:19 PM
    Hi,  Hmmm,  In what env is that, pdn or development? If it is development you can try that...  Can you post the NSA LDAP settings snapshots here?  I have added my properties.xml file (/clarity/config/properties.xml). Pls check with yours. (Don't change anything there.)  In NSA set com.niku.security in NSA-->logs-->edit configuration (app-niku.log and bg-niku.log) to debug mode and check for any specific errors...  cheers, sundar

    Attachment(s)

    zip
    properties.zip   1 KB 1 version


  • 30.  Re: Clarity LDAP - Active Directory

    Posted Oct 29, 2009 12:30 PM
    Hello again Sundar,  Yes, this in the Development instance.   We want to ensure LDAP integration meets our requirements prior to going to Production ...screen captures are attached ... I'll review your properties.xml (thanks!).   We're running 8.1.3.  Regards


  • 31.  Re: Clarity LDAP - Active Directory

    Posted Oct 29, 2009 12:41 PM
    Hi,

    In the snapshot, in System --> LDAP Server URL, normally it will be like this:

    ldap://localhost:389
    ldaps://localhost:636
    ldap://10.20.195.58

    But it is starting with //ldaptest. Pls check it.

    Have you checked the LDAP server URL, is it working? Are you able to ping the LDAP server from your cmd and the same vice versa?

    cheers, sundar


  • 32.  Re: Clarity LDAP - Active Directory

    Posted Oct 30, 2009 05:41 AM
    Good day Sundar,  ldaptest is the DNS name of our eDirectory ... what syntax should we use for the LDAP Server URL value in NSA?   Do we have to use ldap:// as the prefix?   Admin Guide offers no guidance on syntax ...  Best Regards


  • 33.  Re: Clarity LDAP - Active Directory

    Posted Nov 04, 2009 10:43 AM
    Hi,

    Enable com.security logs in NSA. Try logging into Clarity and see whether, if at all, your credentials are passed to the LDAP server. You should see these kinds of messages in your log file:

    DEBUG 2009-09-30 09:53:24,897 [ApplicationServerThread] directory.LDAPDirectoryService (unknown:none:security.loginAction) ServerURL:ldaps://na.ldap.net:3269,Ldap URL:ldaps://na.ldap.net:3269
    DEBUG 2009-09-30 09:53:25,100 [ApplicationServerThread] directory.LDAPDirectoryService (unknown:none:security.loginAction) Search Filter:(sAMAccountName=jangalas)
    DEBUG 2009-09-30 09:53:25,100 [ApplicationServerThread] directory.LDAPDirectoryService (unknown:none:security.loginAction) Okay, you exist in this directory server. Now let me authenticate you.
    DEBUG 2009-09-30 09:53:25,100 [ApplicationServerThread] directory.LDAPDirectoryService (unknown:none:security.loginAction) DN::CN=Siva Sai Ram Jangala,OU=Cons,OU=Extranet,DC=na
    DEBUG 2009-09-30 09:53:25,100 [ApplicationServerThread] directory.LDAPDirectoryService (unknown:none:security.loginAction) Distinguished Name:CN=Siva Sai Ram Jangala,OU=Cons ,OU=Extranet,DC=na,DC=ldap,DC=net

    Question to Clarity Gurus: Will external authentication be visible in the application even though Allow Non Ldap users is unchecked in NSA? I don't have any environment to test this scenario. So, asking you folks.

    Thanks, Siva


  • 34.  Re: Clarity LDAP - Active Directory

    Posted Oct 29, 2009 09:45 PM
    Hi,  Your attached file shows you have configured Clarity with a Weblogic or Websphere server. Once Clarity is configured with a generic web server (Weblogic or Websphere), the application and NSA services are unmanaged from Clarity. The application and NSA services are controlled by Weblogic or Websphere. We have configured Clarity with the default web server (Tomcat). I am not sure whether the use LDAP option is configured from NSA for all web servers (Tomcat, Weblogic or Websphere). Please check the web server where you have configured the application to see if any option is there to enable LDAP, or check with CA.      Thanks, Senthil


  • 35.  Re: Clarity LDAP - Active Directory

    Posted Oct 30, 2009 05:46 AM
    Hi Senthil,  I really appreciate your response.   Thank you.   At the  same time I am a little concerned if our choice of app server (WebSphere) will prevent us from integrating Clarity with LDAP.   I am even more concerned  about having to  attempt to address this issue  with CA Support because when it comes to WebSphere, CA Support's  experience does not run very deep.  Your thoughts are welcomed.  Regards


  • 36.  Re: Clarity LDAP - Active Directory

    Posted Oct 30, 2009 07:03 AM
    Hi,

    Are you using a clustered environment? If so pls do the below in NSA.

    Important! You must set up CA Clarity PPM for LDAP authentication for each server running an application service. To successfully complete this procedure, you must understand how to configure an LDAP server. If you have a cluster of CA Clarity PPM servers, repeat the following procedure on each server in the cluster.

    There is nothing specific provided in any guides for LDAP configuration in Weblogic / Websphere / Tomcat.

    The URL part -- as defined on page no. 202 of the Installation Guide under the Ldap Server section:

    URL of the LDAP server.
    For example:
    ldap://localhost:389
    If your LDAP server is SSL-enabled, use the LDAPS protocol in the URL (rather than the default LDAP protocol).
    For example:
    ldaps://localhost:489

    Pls stop / start all the services including NSA, APP / BG and check. (As NSA / APP is controlled in Weblogic, we need to check whether the changes made are reflected or not.)

    cheers, sundar


  • 37.  Re: Clarity LDAP - Active Directory

    Posted Oct 30, 2009 10:35 AM
    Hello Sundar,  No, we are not in a clustered environment (a bit of a sore subject).   I have changed the LDAP Server URL to " ldap://ldaptest.odjfs.state.oh.us:389".   This should be consistent with the examples that are in the Installation Guide (thanks for pointing this out)... I have asked the WebSphere admin to restart the WAS service in the instance and am awaiting a response.   Then,  I'll stop and restart bg and then check to see if 'External Authentication' checkbox is available.    Thanks for your feedback.


  • 38.  Re: Clarity LDAP - Active Directory

    Posted Nov 05, 2009 08:21 AM
    Hello!

    Thanks to all who have responded and offered suggestions related to configuring and troubleshooting LDAP (we're 8.1.3). We're not ready for prime time yet :( ... here is an update on where we are:

    - NSA... changed value of LDAP Server URL from "//ldaptest.odjfs.state.oh.us:389" to "ldap://ldaptest.odjfs.state.oh.us:389"
    - NSA... selected checkbox for "Allow non-LDAP users"
    - stopped and restarted Clarity WAS service
    - NSA... stopped bg, started bg

    Unfortunately, "External Authentication" does NOT appear on the Resource: Properties page.

    So, as far as next steps, CA Support has recommended deploying the niku.ear again and restarting the app.

    Your feedback for next steps is welcomed!!


  • 39.  Re: Clarity LDAP - Active Directory

    Posted Nov 05, 2009 08:58 AM
    Hi,  Go to http://letstalkclarity.blogspot.com/ -> Troubleshooting LDAP (article) -> Follow the steps as mentioned.    Thanks, Siva


  • 40.  RE: Re: Clarity LDAP - Active Directory

    Posted Jul 14, 2010 03:07 PM

    sivasairam wrote:

    Hi  Go to http://letstalkclarity.blogspot.com/   ->Troubleshooting LDAP(article)->Follow the steps as mentioned..    ThanksSiva

    I have read every entry in this thread and went to the "Let's Talk Clarity" blog. THANK YOU everyone! LDAP is set up and working. Users have been logging in for months. We have gel scripts to add and update resources but they connect to an Oracle database, not AD. I need those emails on adds from AD! So I really do not want to run the synch job so much as just pull the data. That is where I need HELP. Does anyone have a GEL example to connect to LDAP? That would be awesome!

    Thank you so much for all this expert help!

    Cheers!
    Vivian Fulk
    TIAA-CREF


  • 41.  RE: Re: Clarity LDAP - Active Directory

    Posted Jul 22, 2010 10:42 AM
    I found the issue.
    I changed the Date/Time Format in the NSA to yyyyMMddHHmmss.0Z

    Here is my search filter: (&(&(&(&(& (&(objectCategory=person)(objectClass=user) (!(userAccountControl:1.2.840.113556.1.4.803:=2)) (|(employeetype=C)(employeetype=E)(employeetype=X))(mail=*)(cn=*)(sn=*)))))))

    And the JOB concatenated the modifyTimeStamp and we had the wrong format in the NSA (without the .0Z on the end)

    Search filter used to get users (using pagination):(&(objectClass=person)(&((&(&(&(&(& (&(objectCategory=person)(objectClass=user) (!(userAccountControl:1.2.840.113556.1.4.803:=2)) (|(employeetype=C)(employeetype=E)(employeetype=X))(mail=*)(cn=*)(sn=*))))))))(modifyTimeStamp<=20100722142525.0+0000)))
    DEBUG 2010-07-22 10:25:28,340 [Dispatch Thread-15 : bg@stwebdtt01-nyc] directory.LDAPDirectoryService (none:none:none) Total users: 9175

    Hope this helps someone not make THAT same mistake!!!!

    Cheers!
    Vivian:*)
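
What the posted search filter selects can be checked offline before it goes into the NSA. Added example (not from the original post and not Clarity code): a small parser and evaluator for the constructs the filter uses (&, |, !, equality, presence, and the AD bitwise-AND matching rule), run over constructed entries. Ordering comparisons such as the job's modifyTimeStamp clause are outside its scope, and all function names and sample entries are hypothetical.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule used in the posted filter
LEAF = re.compile(r"(?P<attr>[\w.;-]+)(?::(?P<rule>[\d.]+):)?(?P<op><=|>=|=)(?P<value>.*)")

# The search filter as posted above.
POSTED_FILTER = ("(&(&(&(&(& (&(objectCategory=person)(objectClass=user) "
                 "(!(userAccountControl:1.2.840.113556.1.4.803:=2)) "
                 "(|(employeetype=C)(employeetype=E)(employeetype=X))"
                 "(mail=*)(cn=*)(sn=*)))))))")


def parse_filter(text):
    """Parse an LDAP filter string into nested tuples, tolerating spaces between items."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while text[pos:pos + 1].isspace():
            pos += 1

    def item():
        nonlocal pos
        skip_ws()
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        head = text[pos:pos + 1]
        if head in ("&", "|", "!"):
            pos += 1
            kids = []
            skip_ws()
            while text[pos:pos + 1] == "(":
                kids.append(item())
                skip_ws()
            if head == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one filter")
            node = (head, kids)
        else:
            end = text.find(")", pos)
            m = LEAF.fullmatch(text[pos:end]) if end >= 0 else None
            if not m:
                raise ValueError(f"bad comparison at offset {pos}")
            node = ("cmp", m["attr"].lower(), m["rule"], m["op"], m["value"])
            pos = end
        if text[pos:pos + 1] != ")":
            raise ValueError(f"unbalanced filter: expected ')' at offset {pos}")
        pos += 1
        return node

    node = item()
    skip_ws()
    if pos != len(text):
        raise ValueError(f"unexpected text at offset {pos}")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry: {lowercased attribute: [string values]}."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, op, want = node
    values = [v for v in entry.get(attr, []) if v]      # a blank value counts as absent
    if rule == BIT_AND and op == "=":                   # true when every bit of `want` is set
        return any((int(v) & int(want)) == int(want) for v in values)
    if rule is not None or op != "=" or ("*" in want and want != "*"):
        raise ValueError(f"unsupported comparison on {attr}")
    if want == "*":                                     # presence test, e.g. (mail=*)
        return bool(values)
    return any(v.lower() == want.lower() for v in values)


def _user(uac="512", etype="E", mail="user@example.com"):
    """Build one constructed entry; objectCategory is simplified to its short name."""
    entry = {"objectcategory": ["person"], "objectclass": ["top", "person", "user"],
             "useraccountcontrol": [uac], "employeetype": [etype],
             "cn": ["Sample User"], "sn": ["User"]}
    if mail:
        entry["mail"] = [mail]
    return entry


SAMPLE = {                      # constructed entries, keyed by a made-up login name
    "aames": _user(),
    "bbell": _user(mail=""),    # no e-mail address: fails (mail=*)
    "ccole": _user(uac="514"),  # 512 | 2: account disabled
    "ddale": _user(etype="V"),  # employee type outside C/E/X
}


def selected(filter_text, entries=SAMPLE):
    """Return the sorted names of the entries the filter would select."""
    tree = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(tree, entry))


if __name__ == "__main__":
    print(selected(POSTED_FILTER))
```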


  • 42.  RE: Re: Clarity LDAP - Active Directory

     
    Posted Jul 28, 2010 07:10 PM
    Thanks Vivian for letting everyone know!

    Chris


  • 43.  Re: Clarity LDAP - Active Directory

    Posted Nov 05, 2009 03:16 AM
    Hi,

    Please advise me if I am wrong. You'll be getting the 'External Authentication' field in the Admin --> Resource Properties page once you have checked the 'Use LDAP' option in the NSA --> Application tab, even though you didn't properly configure the LDAP server details in the NSA --> Security tab.

    Once you properly configure the LDAP server details in the NSA --> Security tab, you should be able to log in to the Clarity application by using an LDAP user (External Authentication should be checked in Admin --> Resource Properties).

    If you are not able to log in to Clarity, there are two chances for that.

    1. The application will check the correctness of the LDAP server details which have been configured in the NSA --> Security tab. If there are any mismatches in that, you'll get the below error message.

    ERROR 2009-11-05 17:27:27,611 [ApplicationServerThread] directory.LDAPDirectoryService (unknown:none:security.loginAction)

    2. Once the Clarity server is able to communicate with the LDAP server, the details (user name & password) provided by the resource should be correct. Otherwise you'll be getting the below error message.

    Authentication failed for::cn=1246713,ou=users,o=standardchartered::due to this reason::[LDAP: error code 49 - NDS error: failed authentication (-669)]

    Inside the Security tab, there will be an option called 'Allow non-LDAP users' (admin). If you didn't check the option, even the 'Administrator' user will not be able to log in to the system, i.e. we have this option to allow even non-LDAP users.

    Thanks, Senthil