Configuring the Application User
An application user is required for the following authentication strategies, each of which uses a Siebel security adapter:
- Security adapter authentication: LDAP, ADSI, custom (not database authentication)
- Web SSO authentication
By making the application user the only principal with search, read, and update privileges over the user entries in the directory, you keep every other user's direct access to the directory to the minimum and avoid having to grant and administer such access per user.
The application user is a user that you define in the directory with the following qualities:
- This user provides the initial bind from the Application Object Manager (AOM) to the LDAP or Active Directory server when a user requests the login page. Without it, that bind falls back to an anonymous bind.
- This user has sufficient permissions to read any user's information in the directory and to perform any required administration. All searching and writing to the directory that is requested through the security adapter is done as the application user.
- Grant the application user's permissions at the organization level (for example, on the OU, the organizational unit, that holds the user entries in LDAP) rather than on individual user entries.
NOTE: The application user is not a person who logs in to an application, but a dedicated account used only to access the directory. You must implement an application user.
To configure the application user
- In the directory, define a user that has the same attributes as other users. Assign values to the appropriate attributes as follows:
- Username. Assign a name of your choice. If you implement an adapter-defined user name, store the name in that attribute. Otherwise, store it in the attribute that holds the Siebel user ID, even though the application user has no Siebel user ID of its own.
- Password. Assign a password of your choice; because this password never expires in practice (see Application User and Password Expiration Policies), make it long and random. Enter the password in unencrypted form. If you implement an ADS directory, set the password with the ADS user management tools rather than as an attribute.
NOTE: In a Siebel security adapter implementation, the application user must have search and write privileges for all user records in the directory. In a Web SSO implementation, the application user must have at least search privileges. Grant no more than the mode you deploy requires.
- For your Siebel security adapter, define the following parameter values in the security adapter's enterprise profile (such as ADSISecAdpt) on the Siebel Gateway Name Server:
ApplicationUser = "uid=APPUSER, ou=people, o=siebel.com"
ApplicationPassword = application user password (unencrypted)
The ApplicationUser value is the full distinguished name (DN) of the directory entry you created in the previous step, and the two must match exactly. Because ApplicationPassword is held in clear text, restrict read access to the Gateway Name Server configuration and to any application configuration file that contains it.
For the Developer Web Client, define these parameters in the corresponding section of the application configuration file, such as uagent.cfg for Siebel Call Center.
For information about setting Siebel configuration parameters, see Configuration Parameters Related to Authentication.
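The following script, an added example that is not part of the Siebel guide, ties the two steps above together: it derives the LDIF for the application user's directory entry from the same DN that goes into the ApplicationUser parameter (so the two cannot drift apart), checks that the RDN attribute is the attribute in which the Siebel user ID is stored, refuses an empty password, and reports the minimum directory privilege the guide requires for each deployment mode. It assumes a generic LDAP directory with inetOrgPerson user entries and "uid" as the user-ID attribute; the DN, password and base DN are constructed sample values, and the optional live bind check needs the third-party ldap3 package and a reachable server, which the rest of the script does not.

```python
"""Build and sanity-check a Siebel application user definition.

Added example, not code from the Siebel guide.  Assumes an LDAP directory
whose user entries are inetOrgPerson objects with "uid" as the Siebel
user-ID attribute.  All DNs and passwords below are constructed samples.
"""
import re

# One RDN of an RFC 4514 DN string: "attribute=value".  Whitespace around
# the separating commas, as in the guide's own "uid=APPUSER, ou=people,
# o=siebel.com", is tolerated and stripped.  Multi-valued RDNs ("+") and
# escaped commas are not handled; the application user needs neither.
_RDN_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$')


def parse_dn(dn):
    """Split a DN string into a list of (attribute, value) tuples, leaf first."""
    rdns = []
    for part in dn.split(','):
        m = _RDN_RE.match(part)
        if not m:
            raise ValueError('malformed RDN: %r' % part)
        rdns.append((m.group(1).lower(), m.group(2)))
    return rdns


def normalize_dn(dn):
    """Canonical DN: no whitespace around separators, attribute types lower-cased."""
    return ','.join('%s=%s' % (attr, value) for attr, value in parse_dn(dn))


def application_user_ldif(dn, password, user_id_attr='uid'):
    """LDIF for the application user's entry, built from the DN itself.

    The entry uses the same object class as ordinary users.  The password is
    written in clear text because the directory hashes it on add; with
    Active Directory you would set it with the AD tools instead.
    """
    rdn_attr, rdn_value = parse_dn(dn)[0]
    if rdn_attr != user_id_attr:
        raise ValueError('RDN attribute %r is not the user-ID attribute %r'
                         % (rdn_attr, user_id_attr))
    if not password:
        raise ValueError('application user needs a non-empty password')
    return '\n'.join([
        'dn: ' + normalize_dn(dn),
        'objectClass: inetOrgPerson',
        '%s: %s' % (user_id_attr, rdn_value),
        'cn: ' + rdn_value,
        'sn: ' + rdn_value,
        'userPassword: ' + password,
        '',
    ])


def adapter_profile(dn, password, web_sso=False):
    """Parameter values for the enterprise profile or .cfg section.

    Returns the parameter dict and the minimum directory privilege the guide
    requires for that mode: search plus write for a security adapter
    implementation, search only for Web SSO.
    """
    params = {
        'ApplicationUser': normalize_dn(dn),
        'ApplicationPassword': password,
    }
    return params, ('search' if web_sso else 'search+write')


def live_bind_check(host, dn, password, base_dn):
    """Bind as the application user and search the user container.

    Needs the third-party ldap3 package and a reachable directory (an
    assumption of this example).  Returns the number of person entries the
    application user can see, or None when ldap3 is not installed.  A bad DN
    or password raises ldap3's bind error, which is exactly the fault this
    check is meant to surface before the AOM hits it at login time.
    """
    try:
        from ldap3 import Server, Connection, SUBTREE
    except ImportError:
        return None
    conn = Connection(Server(host), user=normalize_dn(dn),
                      password=password, auto_bind=True)
    conn.search(base_dn, '(objectClass=person)', search_scope=SUBTREE,
                attributes=['cn'])
    count = len(conn.entries)
    conn.unbind()
    return count


if __name__ == '__main__':
    # Constructed sample values matching the guide's example DN.
    APP_DN, APP_PW = 'uid=APPUSER, ou=people, o=siebel.com', 'change-me-now'
    print(application_user_ldif(APP_DN, APP_PW))
    params, needed = adapter_profile(APP_DN, APP_PW)
    for key, value in params.items():
        print('%s = "%s"' % (key, value))
    print('directory privilege required for this mode:', needed)
```

Run the script once while preparing the directory entry and again after editing the profile; if the DN in the profile and the DN of the entry ever diverge, or if the directory password is changed without updating ApplicationPassword, the live check fails with a bind error rather than leaving the login page to bind anonymously.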
Application User and Password Expiration Policies
Typically, user administration in an LDAP or ADS server is performed through the application user. In addition, user policies that are set for the entire directory apply to the application user as well as to all other users.
If you implement a password expiration policy in the directory, exempt the application user from the policy so that its password does not expire and cause every login to fail when the initial bind is rejected. To do this, after the password policy for the whole directory has been set, assign the application user its own password policy explicitly, so the account-level setting takes precedence over the directory-wide one (how per-account policies override the default depends on your directory product). Because the result is a credential that never expires on its own, give it a long random value, keep its rights scoped to the user container, and rotate it deliberately: change it in the directory and in the ApplicationPassword parameter together, since a mismatch between the two breaks the initial bind.
For more information about account policies and password expiration, see Login Features.