
Configuring the Application User


This topic describes how to configure the directory application user. The application user is not an actual user who logs into an application; it is a special user defined to handle access to the directory. The application user is defined as the only user with search, read and write privileges to the LDAP directory or Active Directory. This minimizes the level of access of all other users to the directory and the administration required to provide such access.

The application user must be defined in the following authentication strategies that implement a Siebel security adapter:

  • Security adapter authentication: LDAP, ADSI, some custom security adapter implementations

    You do not have to define an application user if you implement a database security adapter.

  • Web SSO authentication

    Whether or not an application user must be defined depends on how you have implemented the Web SSO solution.

About Application User Permissions

The application user is the only user who can read or write user information in the directory. Therefore, it is critical that the application user has appropriate privileges to the directory. The application user must be defined in the directory with the following qualities:

  • The application user provides the initial binding of the LDAP or Active Directory server with the Application Object Manager when a user requests the login page. Otherwise, binding defaults to the anonymous user.
  • Assign the application user sufficient permissions to read any user's information in the directory and do any necessary administration:
    • In a Siebel security adapter implementation, the application user must have search and write privileges for all user records in the directory. In a Web SSO implementation, the application user must have at least search privileges.
    • For ADSI authentication, it is recommended that you use the Active Directory Delegation of Control Wizard to define privileges for users in Active Directory.

      If you are using a Microsoft Active Directory server, then you must use the Delegation of Control Wizard to assign the following permissions to the application user on the Users base DN:

      • Create, delete, and manage user accounts
      • Reset passwords on user accounts
      • Read all user information
  • If you are configuring an ADSI security adapter, then the application user must either be a domain user or have access to the directory server. If the application user cannot access the directory server, then the authentication process fails.
  • Permissions for the application user must be defined at the organization level (for example, OU for LDAP).

Defining the Application User

The following procedure describes how to define the application user.

To define the application user

  1. Define a user in the directory, using the same attributes as for other users.

    Assign values in appropriate attributes that contain the following information:

    • Username. Assign a name of your choice. If you implement an adapter-defined user name, then use that attribute (for further information, see Configuring Adapter-Defined User Name). Otherwise, use the attribute in which you store the Siebel user ID, although the application user does not have a Siebel user ID.
    • Password. Assign a password of your choice. Enter the password in unencrypted form. If you are using an Active Directory, then you specify the password using Active Directory user management tools, not as an attribute.

      You maintain an unencrypted password for the application user in the directory, while an encrypted version of the password is used in other phases of the authentication process. An encryption algorithm is applied to the application user password before it is sent to the database. The application user login must also be set up with the encrypted version of the password.

  2. Assign appropriate permissions to the application user in the directory as described in About Application User Permissions.
  3. For your Siebel security adapter, define the following parameter values for the security adapter's enterprise profile (such as LDAPSecAdpt or ADSISecAdpt) on the Siebel Gateway Name Server.
    • ApplicationUser. Enter the application user's full distinguished name (DN) in the directory.

      For example, ApplicationUser can be set as in the following example:

    ApplicationUser = "uid=APPUSER, ou=people, o=example.com"

    • ApplicationPassword. Enter the application user password (unencrypted).

      For information about setting Siebel Gateway Name Server configuration parameters, see Siebel Gateway Name Server Parameters. For Developer Web Client, define these parameters in the corresponding section in the application configuration file, such as uagent.cfg for Siebel Call Center. For Gateway Name Server authentication, define these parameters in the gateway.cfg file.
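      The following is an added example, not code from the Siebel Security Guide or from Oracle: it parses the ApplicationUser and ApplicationPassword values from a profile section written in the Name = "Value" form shown above and checks that ApplicationUser is a full DN located under the directory's search base before the profile is deployed. The profile text is constructed, and the BaseDN parameter name is an assumption (it does not appear on this page).

```python
"""Pre-deployment sanity check for the application user settings of a
Siebel LDAP/ADSI security adapter profile. Added example, not Oracle code."""
import re

# Constructed sample of an LDAPSecAdpt-style profile section.
# "BaseDN" is an assumed parameter name used only for this check.
SAMPLE_PROFILE = """
ApplicationUser = "uid=APPUSER, ou=people, o=example.com"
ApplicationPassword = "s3cret"
BaseDN = "ou=people, o=example.com"
"""

def parse_profile(text):
    """Return {name: value} for Name = "Value" or Name = Value lines."""
    params = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"?([^"]*?)"?\s*$', line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def parse_dn(dn):
    """Split a DN into [(attr, value), ...]. Tolerates the spaces after
    commas used in the guide's example and '\\,' escapes inside values."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.strip().partition('=')
        if not attr or not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def check_application_user(params):
    """Return a list of problems; an empty list means the settings look sane."""
    dn = params.get("ApplicationUser", "")
    if not dn:
        return ["ApplicationUser is not set"]
    try:
        rdns = parse_dn(dn)
    except ValueError as e:
        return ["ApplicationUser is not a valid DN: %s" % e]
    problems = []
    if len(rdns) < 2:
        problems.append("ApplicationUser should be a full DN, not a bare RDN")
    base = params.get("BaseDN")
    if base and rdns[-len(parse_dn(base)):] != parse_dn(base):
        problems.append("ApplicationUser is outside BaseDN %r" % base)
    if not params.get("ApplicationPassword"):
        problems.append("ApplicationPassword is empty")
    return problems
```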

Application User and Password Expiration Policies

Typically, user administration in an LDAP or ADSI server is performed through the application user. In addition, user policies that are set for the entire directory apply to the application user as well as to all other users.

If you implement a password expiration policy in the directory, then exempt the application user from the policy so the application user's password will not expire. To do this, set the application user's password policy explicitly after the application user sets the password policy for the whole directory. For more information about account policies and password expiration, see Login Security Features.

Siebel Security Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices.