
Parameters for LDAP or ADSI Authentication


This topic outlines the Gateway Name Server parameters related to LDAP or ADSI authentication. The LDAP or ADSI authentication parameters, described in Table 38, are defined for named subsystems of type InfraSecAdpt_LDAP; they can be set for the named subsystems LDAPSecAdpt or ADSISecAdpt, or a similar security adapter with a nondefault name.

Table 38. LDAP and ADSI Authentication Parameters

Each entry in this table gives the parameter name, with its alias in parentheses, followed by its description.

Application Password (alias ApplicationPassword)

Specifies the password in the directory for the user defined by the ApplicationUser parameter.

  • In an LDAP directory, the password is stored in an attribute.
  • In ADSI, the password is stored using ADSI user management tools; it is not stored in an attribute.

Application User (alias ApplicationUser)

Specifies the user name of a record in the directory with sufficient permissions to read any user's information and do any necessary administration.

This user provides the initial binding of the LDAP directory or Active Directory with the Application Object Manager when a user requests the login page; if no such user is defined, anonymous browsing of the directory is required instead.

You enter this parameter as a full distinguished name (DN), for example "uid=APPUSER, ou=people, o=example.com" (including quotes) for LDAP. The security adapter uses this name to bind.

NOTE:  You must implement an application user.

Base DN (alias BaseDN)

Specifies the Base Distinguished Name, which is the root of the tree under which users of this Siebel application are stored in the directory. Users can be added directly or indirectly below this directory.

A typical entry for an LDAP server might be:

BaseDN = "ou=people, o=domain_name"

where:

  • o denotes organization and is typically your Web site's domain name
  • ou denotes organization unit and is the subdirectory in which users are stored

A typical entry for an ADSI server might be:

BaseDN = "ou=people, DC=qatest, DC=siebel, DC=com"

Domain Component (DC) entries are the nested domains that locate this server. Therefore, adjust the number of DC entries to represent your architecture.

CRC (alias CRC)

Use this parameter to implement checksum validation in order to verify that each user gains access to the database through the correct security adapter.

This parameter contains the value calculated by the checksum utility for the applicable security adapter DLL. If you leave this value empty, then the system does not perform the check. If you upgrade your version of Siebel Business Applications, then you must recalculate and replace the value in this parameter. For more information, see Configuring Checksum Validation.

Credentials Attribute Type (alias CredentialsAttributeType)

Specifies the attribute type that stores a database account. For example, if CredentialsAttributeType is set to dbaccount, then when a user with user name HKIM is authenticated, the security adapter retrieves the database account from the dbaccount attribute for HKIM.

This attribute value must be of the form username=U password=P, where U and P are credentials for a database account. There can be any amount of white space between the two key-value pairs and no space within each pair. The keywords username and password must be lowercase.

If you implement LDAP or ADSI security adapter authentication to manage the users in the directory through the Siebel client, then the value of the database account attribute for a new user is inherited from the user who creates the new user. The inheritance is independent of whether you implement a shared database account, but does not override the use of the shared database account.

Hash DB Cred (alias HashDBPwd)

Specifies password hashing for database credentials passwords. For details, see About Password Hashing.

Hash User Password (alias HashUserPwd)

Specifies password hashing for user passwords. Uses the hashing algorithm specified using the HashAlgorithm parameter. For details, see About Password Hashing.

Password Attribute Type (alias PasswordAttributeType)

Specifies the attribute type under which the user's login password is stored in the directory.

The LDAP entry must be userPassword. However, if you use the LDAP security adapter to authenticate against Microsoft Active Directory, then set the value of this parameter to unicodePWD.

Active Directory does not store the password in an attribute, so this parameter is not used by the ADSI security adapter. You must, however, specify a value for the Password Attribute Type parameter even if you are using the ADSI adapter; specify a value of unicodePWD.

Password Expire Warn Days (alias PasswordExpireWarnDays)

(ADSI only)

Specifies the number of days to display a warning message before a password expires.

You can specify a value for this parameter only when the directory server in use is Active Directory; either the ADSI or the LDAP security adapter can be in use.

Port (alias Port)

Specifies the port on the server computer that is used to access the LDAP server. Typically, use 389, the default value, for standard transmission or use 636 for secure transmission.

This parameter is used by the LDAP security adapter only. For ADSI, you set the port at the directory level, so this parameter is not used. You must, however, specify a value for the Port parameter even if you are using the ADSI adapter; specify either port 389 or 636.

Propagate Change (alias PropagateChange)

Set this parameter to TRUE to allow administration of the directory through Siebel Business Applications. When an administrator then adds a user or changes a password from within a Siebel application, or a user changes a password or self-registers, the change is propagated to the directory.

A non-Siebel security adapter must support the SetUserInfo and ChangePassword methods to allow dynamic directory administration.

Roles Attribute Type (alias RolesAttributeType)

Specifies the attribute type for roles stored in the directory. For example, if RolesAttributeType is set to roles, then when a user with user name HKIM is authenticated, the security adapter retrieves the user's Siebel responsibilities from the roles attribute for HKIM.

Responsibilities are typically associated with users in the Siebel database, but they can be stored in the database, in the directory, or in both. The user gets access to all of the views in all of the responsibilities specified in both sources. However, it is recommended that you define responsibilities in the database or in the directory, but not in both places. For details, see Configuring Roles Defined in the Directory.

Salt User Passwords (alias SaltUserPwd)

Set this parameter to TRUE to specify that salt values are to be added to user passwords before they are hashed. This parameter is ignored if the HashUserPwd parameter is set to FALSE.

Adding salt values to user passwords is not supported if you are using Web Single Sign-On. For further information on salt values, see About Password Hashing.

Salt Attribute (alias SaltAttributeType)

Specifies the attribute that stores the salt value if you have chosen to add salt values to user passwords. The default attribute is title.

Security Adapter Dll Name (alias SecAdptDllName)

Specifies the DLL that implements the security adapter API required for integration with Siebel Business Applications. The file extension need not be explicitly specified.

For example, enter sscforacleldap to implement the LDAP security adapter in a Windows implementation. For the ADSI security adapter, enter sscfadsi.

NOTE:  If you choose to use the IBM LDAP Client, instead of the Oracle Database Client, you must enter a value of sscfldap.

On supported UNIX operating systems, the file name can be libsscforacleldap.so or libsscforacleldap.sl. If the DLL name for the LDAP security adapter is used in a UNIX implementation, then it is converted internally to the actual filename.

Server Name (alias ServerName)

Specifies the name of the computer on which the LDAP or Active Directory server runs.

  • You must specify the fully qualified domain name of the LDAP server, not just the domain name. For example, specify ldapserver.example.com, not example.com.
  • If SSL is configured between the Siebel Server computer and the Active Directory server computer, you must specify the fully qualified domain name of the Active Directory server. If the Siebel Server and Active Directory server are in the same domain, then you can specify the Active Directory server's complete computer name or its IP address.

Shared Credentials DN (alias SharedCredentialsDN)

Specifies the absolute path (not relative to the BaseDN) of an object in the directory that has the shared database account for the application. If it is empty, then the database account is looked up in the user's DN as usual. If it is not empty, then the database account for all users is looked up in the shared credentials DN instead. The attribute type is still determined by the value of CredentialsAttributeType.

For example, if SharedCredentialsDN is set to:

"uid=HKIM, ou=people, o=example.com"

when a user is authenticated, the security adapter retrieves the database account from the appropriate attribute in the HKIM record. This parameter's default value is an empty string.
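The attribute format described under CredentialsAttributeType and the lookup rule described under SharedCredentialsDN, as an added Python example that is not part of the Siebel Security Guide or of Oracle's adapter code. The in-memory DIRECTORY dictionary is a constructed stand-in for the directory; the dbaccount attribute name is taken from the description above, and the account names and passwords are placeholders.

```python
import re

# Documented form of the database-account attribute value:
# "username=U password=P" with lowercase keywords, any amount of
# whitespace between the two pairs and no whitespace inside a pair.
_DB_ACCOUNT_RE = re.compile(r"^username=(\S+)\s+password=(\S+)$")


def parse_db_account(value):
    """Return (username, password) from an attribute value, or raise ValueError.

    A value that does not match the documented form is rejected outright so a
    misconfigured directory entry is noticed instead of silently yielding
    a wrong database account.
    """
    match = _DB_ACCOUNT_RE.match(value)
    if match is None:
        raise ValueError("attribute value is not of the form 'username=U password=P'")
    return match.group(1), match.group(2)


def is_valid_db_account(value):
    """True when the value matches the documented form exactly."""
    return _DB_ACCOUNT_RE.match(value) is not None


def credentials_dn(user_dn, shared_credentials_dn):
    """Entry in which the database account is looked up.

    Empty SharedCredentialsDN: the authenticated user's own entry.
    Non-empty: the shared entry, given as an absolute DN (not relative to BaseDN).
    """
    return shared_credentials_dn if shared_credentials_dn else user_dn


def lookup_db_account(directory, user_dn, shared_credentials_dn, credentials_attribute_type):
    """Resolve and parse the database account for an authenticated user.

    The attribute read is always the one named by CredentialsAttributeType,
    whichever entry is chosen.
    """
    dn = credentials_dn(user_dn, shared_credentials_dn)
    entry = directory.get(dn)
    if entry is None:
        raise LookupError("no directory entry at %s" % dn)
    value = entry.get(credentials_attribute_type)
    if value is None:
        raise LookupError("entry %s has no %s attribute" % (dn, credentials_attribute_type))
    return parse_db_account(value)


# Constructed in-memory stand-in for the directory (DN -> attributes);
# the account names and passwords are placeholders, not real credentials.
DIRECTORY = {
    "uid=HKIM, ou=people, o=example.com": {
        "uid": "HKIM",
        "dbaccount": "username=SHAREDDB \t password=shared-placeholder",
    },
    "uid=JDOE, ou=people, o=example.com": {
        "uid": "JDOE",
        "dbaccount": "username=JDOE_DB password=jdoe-placeholder",
    },
}


if __name__ == "__main__":
    jdoe = "uid=JDOE, ou=people, o=example.com"
    # SharedCredentialsDN empty: account comes from JDOE's own entry.
    print(lookup_db_account(DIRECTORY, jdoe, "", "dbaccount"))
    # SharedCredentialsDN set to the HKIM entry: every user gets that account.
    print(lookup_db_account(DIRECTORY, jdoe, "uid=HKIM, ou=people, o=example.com", "dbaccount"))
```

The regular expression enforces all three documented constraints at once: the keywords must be lowercase, the separator may be any run of whitespace (a tab and spaces are accepted in the HKIM entry above), and neither the user name nor the password may contain whitespace.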

Shared DB Password (alias SharedDBPassword)

Specify the password associated with the Shared DB Username parameter.

Shared DB Username (alias SharedDBUsername)

Specify the user name to connect to the Siebel database. You must specify a valid Siebel user name and password for the SharedDBUsername and SharedDBPassword parameters.

Specify a value for this parameter if you store the shared database account user name as a parameter rather than as an attribute of the directory entry for the shared database account. To use this parameter, you can use either an LDAP directory or Active Directory. For more information, see Storing Shared Database Account Credentials as Profile Parameters.

Siebel Username Attribute Type (alias SiebelUsernameAttributeType)

If UseAdapterUsername is set to TRUE, then this parameter is the attribute from which the security adapter retrieves an authenticated user's Siebel user ID. If this parameter is left empty, then the user name passed in is assumed to be the Siebel user ID.

Single Sign On (alias SingleSignOn)

(TRUE or FALSE) If TRUE, then the security adapter is used in Web SSO mode, instead of using security adapter authentication.

SSL Database (alias SslDatabase)

Specifies whether Secure Sockets Layer (SSL) is used for communication between the LDAP security adapter and the directory.

If this parameter is empty, then SSL is not used. To use SSL, the value of this parameter must be the absolute path of the wallet, generated by Oracle Wallet Manager, that contains a certificate for the certificate authority that is used by the LDAP server.

Trust Token (alias TrustToken)

Applies only in a Web SSO environment.

The adapter compares the TrustToken value provided in the request with the value stored in the application configuration file. If they match, then the Application Object Manager accepts that the request has come from the SWSE, that is, from a trusted Web server. This parameter's default value is an empty string.

Use Adapter Defined Username (alias UseAdapterUsername)

(TRUE or FALSE) If TRUE, then this parameter indicates that when the user key passed to the security adapter is not the Siebel user ID, the security adapter retrieves the Siebel user ID for authenticated users from an attribute defined by the SiebelUsernameAttributeType parameter. The default value for UseAdapterUsername is FALSE.

User Password Hash Algorithm (alias HashAlgorithm)

Specifies the password hashing algorithm to use if HashUserPwd or HashDBPwd is TRUE. The default value, RSASHA1, provides hashing using the RSA SHA-1 algorithm. The value SIEBELHASH specifies the password hashing mechanism provided by the mangle algorithm from Siebel Business Applications (supported for existing customers only). For details, see About Password Hashing.

Username Attribute Type (alias UsernameAttributeType)

Specifies the attribute type under which the user's login name is stored in the directory. For example, if UsernameAttributeType is set to uid, then when a user attempts to log in with user name HKIM, the security adapter searches for a record in which the uid attribute has the value HKIM. This attribute is the Siebel user ID, unless the UseAdapterUsername parameter is TRUE.

If you implement an adapter-defined user name (UseAdapterUsername is set to TRUE), then you must set the OM - Username BC Field parameter appropriately to allow the directory attribute defined by UsernameAttributeType to be updated from the Siebel client. For more information about implementing an adapter-defined user name, see Configuring Adapter-Defined User Name.
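An added Python model, not code from the Siebel Security Guide or from Oracle's security adapters, of how the user-related parameters in this table combine during one login: UsernameAttributeType locates the entry, HashUserPwd, SaltUserPwd, SaltAttributeType and HashAlgorithm govern the password comparison, UseAdapterUsername and SiebelUsernameAttributeType select the Siebel user ID, and RolesAttributeType supplies responsibilities held in the directory. The in-memory DIRECTORY, the siebelUserId attribute name, the salt and password values, and the salt-then-password SHA-1 construction for RSASHA1 are all assumptions; a real adapter binds to the directory rather than reading the password attribute itself, and SIEBELHASH is not modelled.

```python
import hashlib
import hmac


def find_user_entry(directory, username_attribute_type, login_name):
    """Return (dn, entry) for the one entry whose username attribute equals
    login_name, or None when there is no such entry or more than one."""
    matches = [(dn, entry) for dn, entry in directory.items()
               if entry.get(username_attribute_type) == login_name]
    return matches[0] if len(matches) == 1 else None


def hash_user_password(password, salt, hash_algorithm="RSASHA1"):
    """Hash a user password for comparison with the stored value.

    Assumption (not documented on this page): for RSASHA1 the salt is
    prepended to the password before SHA-1. SIEBELHASH is not modelled.
    """
    if hash_algorithm != "RSASHA1":
        raise NotImplementedError("only RSASHA1 is modelled here")
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def verify_password(entry, password, params):
    """Compare the supplied password with the stored attribute.

    Salt is read from SaltAttributeType only when SaltUserPwd is TRUE, and
    is ignored entirely when HashUserPwd is FALSE, as the table states.
    """
    stored = entry.get(params["PasswordAttributeType"])
    if stored is None:
        return False
    if params["HashUserPwd"]:
        salt = entry.get(params["SaltAttributeType"], "") if params["SaltUserPwd"] else ""
        candidate = hash_user_password(password, salt, params["HashAlgorithm"])
    else:
        candidate = password
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def siebel_user_id(entry, login_name, params):
    """Apply the UseAdapterUsername / SiebelUsernameAttributeType rule."""
    attr = params.get("SiebelUsernameAttributeType", "")
    if not params["UseAdapterUsername"] or not attr:
        return login_name
    # Design choice: a missing adapter-defined ID fails the login rather
    # than falling back to the login name.
    return entry.get(attr)


def authenticate(directory, params, login_name, password):
    """Return the resolved identity, or None when any step fails."""
    found = find_user_entry(directory, params["UsernameAttributeType"], login_name)
    if found is None:
        return None
    dn, entry = found
    if not verify_password(entry, password, params):
        return None
    user_id = siebel_user_id(entry, login_name, params)
    if not user_id:
        return None
    return {
        "dn": dn,
        "siebel_user_id": user_id,
        "responsibilities": list(entry.get(params["RolesAttributeType"], [])),
    }


# Constructed adapter parameters, keyed by the aliases from Table 38.
PARAMS = {
    "UsernameAttributeType": "uid",
    "UseAdapterUsername": True,
    "SiebelUsernameAttributeType": "siebelUserId",  # assumed attribute name
    "PasswordAttributeType": "userPassword",
    "HashUserPwd": True,
    "HashAlgorithm": "RSASHA1",
    "SaltUserPwd": True,
    "SaltAttributeType": "title",  # the documented default
    "RolesAttributeType": "roles",
}

# Constructed in-memory directory; salts and passwords are placeholders.
DIRECTORY = {
    "uid=HKIM, ou=people, o=example.com": {
        "uid": "HKIM",
        "siebelUserId": "HKIM01",
        "title": "s3",
        "userPassword": hash_user_password("Welcome1-placeholder", "s3"),
        "roles": ["Siebel Administrator", "Call Center Agent"],
    },
    "uid=JDOE, ou=people, o=example.com": {
        "uid": "JDOE",  # no siebelUserId attribute on this entry
        "title": "x9",
        "userPassword": hash_user_password("jdoe-placeholder", "x9"),
        "roles": [],
    },
}
```

With UseAdapterUsername TRUE, HKIM logs in under the directory login name but is mapped to the Siebel user ID HKIM01, while JDOE, whose entry lacks the adapter-defined attribute, is refused; switching UseAdapterUsername to FALSE makes the login name itself the Siebel user ID, which is the behaviour the UsernameAttributeType description gives.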

WalletPassword

Specifies the password assigned to the Oracle wallet that contains the certificate for the certificate authority that is used by the LDAP server.

Siebel Security Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices.