Cognos - LDAP relationship

[CognosPolzovatel]

Do I correctly understand the Cognos-LDAP relationship. This is my translation of the relationship & process:

To bind a user to the LDAP server, the LDAP authentication provider must construct the distinguished name (DN). When an LDAP namespace has been configured to use the External identity mapping property for authentication, the LDAP provider binds to the directory server using the Bind user DN and password.

Hence, Cognos users get added via the Cognos Directory, for example. Versus being stored in the Cognos content store, they seem to be stored in an SDK namespace. This object seems to keep track of who the Cognos users are. When a user attempts to login to Cognos, the object performs a search in LDAP based on the provided credentials. If the provided credentials are appropriate and the user is indeed a Cognos user: the user is successfully logged in and is happy. Else, user is puzzled.

[SomeClown]

Not quite.

Cognos software does not manage users.  Users are provided to Cognos via an existing security provider (Active Directory, LDAP, NTLM, custom).  When assigning security, you pick a user or group from the security provider and associate it to a Cognos group or role.

The linkage between between security provider objects and Cognos group/roles is stored in an unreadable format.  Thus, you must use the SDK to parse the information into a readable format -- the example link showed how to save this information into a database.

External binding credentials are used to display error messages upon authentication failure.  This account reads the provider to create error messages (e.g. password expired, invalid userid) to provide more information upon authentication failure.

Hope this helps.