Siebel Security Guide > Security Adapter Authentication > Security Adapter Deployment Options >
Configuring the Application User
This topic describes how to configure the directory application user. The application user is not an actual user who logs into an application; it is a special user defined to handle access to the directory. The application user is defined as the only user with search, read and write privileges to the LDAP directory or Active Directory. This minimizes the level of access of all other users to the directory and the administration required to provide such access. The application user must be defined in the following authentication strategies that implement a Siebel security adapter:
About Application User Permissions
The application user is the only user who can read or write user information in the directory. Therefore, it is critical that the application user has appropriate privileges to the directory. The application user must be defined in the directory with the following qualities:
- The application user provides the initial binding of the LDAP or Active Directory server with the Application Object Manager when a user requests the login page. Otherwise, binding defaults to the anonymous user.
- Assign the application user sufficient permissions to read any user's information in the directory and do any necessary administration:
- If you are configuring an ADSI security adapter, then the application user must either be a domain user or have access to the directory server. If the application user cannot access the directory server, then the authentication process fails.
- Permissions for the application user must be defined at the organization level (for example, OU for LDAP).
Defining the Application User
The following procedure describes how to define the application user.
To define the application user
- Define a user in the directory, using the same attributes as for other users.
Assign values in appropriate attributes that contain the following information:
- Username. Assign a name of your choice. If you implement an adapter-defined user name, then use that attribute (for further information, see Configuring Adapter-Defined User Name). Otherwise, use the attribute in which you store the Siebel user ID, although the application user does not have a Siebel user ID.
- Password. Assign a password of your choice. Enter the password in unencrypted form. If you are using an Active Directory, then you specify the password using Active Directory user management tools, not as an attribute.
You maintain an unencrypted password for the application user in the directory, while an encrypted version of the password is used in other phases of the authentication process. An encryption algorithm is applied to the application user password before it is sent to the database. The application user login must also be set up with the encrypted version of the password.
- Assign appropriate permissions to the application user in the directory as described in About Application User Permissions.
- For your Siebel security adapter, define the following parameter values for the security adapter's enterprise profile (such as LDAPSecAdpt or ADSISecAdpt) on the Siebel Gateway Name Server.
- ApplicationUser. For example: ApplicationUser = "uid=APPUSER, ou=people, o=example.com"
- ApplicationPassword. Enter the application user password (unencrypted).
For information about setting Siebel Gateway Name Server configuration parameters, see Siebel Gateway Name Server Parameters. For Developer Web Client, define these parameters in the corresponding section in the application configuration file, such as uagent.cfg for Siebel Call Center. For Gateway Name Server authentication, define these parameters in the gateway.cfg file.
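As an added consistency check (example code, not part of the Siebel product or this guide), the following script reads a security adapter section of the kind shown above and an LDIF export of the directory, and confirms that the ApplicationUser DN exists and that the unencrypted ApplicationPassword matches the entry's stored password. The section name, attribute names and all values are constructed for this example.

```python
# Constructed sample of the adapter section as it appears in an application
# configuration file such as uagent.cfg (values invented for this example).
SAMPLE_CFG = """[LDAPSecAdpt]
ApplicationUser = "uid=APPUSER, ou=people, o=example.com"
ApplicationPassword = "AppUserPw1"
"""
# Constructed LDIF export of the application user's directory entry.
SAMPLE_LDIF = """dn: uid=APPUSER,ou=people,o=example.com
userPassword: AppUserPw1
"""

def normalize_dn(dn):
    """Canonical DN form: lowercase, no whitespace around the RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_adapter_section(text):
    """Read 'Name = "value"' lines of a security adapter section into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip().strip('"')
    return params

def parse_ldif(text):
    """Minimal LDIF reader: {normalized dn: {attribute: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = (s.strip() for s in line.partition(":"))
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def check_application_user(params, entries):
    """Return a list of findings; an empty list means the profile is consistent."""
    app_dn = normalize_dn(params.get("ApplicationUser", ""))
    entry = entries.get(app_dn)
    if entry is None:
        return ["ApplicationUser DN not found in the directory export"]
    # The application user's directory password is kept unencrypted, so the
    # adapter's ApplicationPassword must match the stored value exactly.
    if params.get("ApplicationPassword") not in entry.get("userPassword", []):
        return ["ApplicationPassword does not match the directory userPassword"]
    return []

if __name__ == "__main__":
    print(check_application_user(parse_adapter_section(SAMPLE_CFG), parse_ldif(SAMPLE_LDIF)))
```

An empty list means the adapter profile and the directory entry agree; run it against a real export only after confirming the directory stores the application user's password in the unencrypted form this topic describes.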
Application User and Password Expiration Policies
Typically, user administration in an LDAP or ADSI server is performed through the application user. In addition, user policies that are set for the entire directory apply to the application user as well as to all other users. If you implement a password expiration policy in the directory, then exempt the application user from the policy so that the application user's password does not expire. To do this, set the application user's password policy explicitly after the directory-wide password policy has been set (which, as noted, is done through the application user). For more information about account policies and password expiration, see Login Security Features.