Configuring the Shared Database Account


You can configure your authentication system so that a designated directory entry contains a database account that is shared by many users; this is the shared database account. The shared database account option can be implemented in the following authentication strategies:

  • Security adapter authentication: LDAP, ADSI, custom (not database authentication)
  • Web SSO authentication

By default, the shared database account option is not implemented, and each user's database account exists in an attribute of that user's record in the directory. Because all externally authenticated users share one or a few database accounts, the same credentials are duplicated many times. If those credentials must be changed, then you must edit them for every user. By implementing a shared credential, you can reduce directory administration.

The shared database account option can be specified for the LDAP and ADSI security adapters as follows:

  • The shared database account credentials can be specified in an attribute of the shared database account record in the directory. Database credentials are retrieved from the shared database account if they are available to be extracted. If database credentials are not available from the shared database account, then they are instead retrieved from the user. For information, see Storing Shared Database Account Credentials as Directory Attributes.
  • The shared database account credentials can be specified as profile parameters (SharedDBUsername and SharedDBPassword) for the LDAP or ADSI Security Adapter profiles. If you want to implement a shared database account, then it is recommended that you specify database credentials as profile parameters. For information, see Storing Shared Database Account Credentials as Profile Parameters.

When storing database credentials in a directory attribute, both the user name and password are stored as plain text, even if you implement database credentials password hashing (in this case the hashed password is maintained in the database, while an unhashed version of the password is stored in the directory). Specifying database credentials as profile parameters avoids having to store database credentials as plain text in the directory.

Shared Database Accounts and Administrative Users

Even if you implement a shared database account with external directory authentication, the shared database account cannot be used for any user who requires administrator access to Siebel Business Applications functionality, for example, any user who has to perform Siebel Server management and configuration tasks. For these users, you must either:

  • Create a separate database account.

    The database account user ID and password you create for the user must match the user ID and password specified for the user in the external directory.

  • Do the following:
    • Implement LDAP or ADSI authentication for the Gateway Name Server.
    • Create a user account record in the directory for the user requiring administrator access.
    • In the attribute of the record that is used to store role information, specify the user role that is required to access the Gateway Name Server. Siebel Administrator is the default role.

The following topics describe in more detail how the LDAP and Active Directory servers use the shared database account option.

Storing Shared Database Account Credentials as Directory Attributes

This topic describes how to implement a shared database account and store the database credentials as attributes of the directory entry you create for the shared database account. This option is available to you when you use either the LDAP or ADSI security adapters.

To store shared database credentials in an attribute of the directory entry

  1. Create a database account to be shared by all users who log into a given Siebel application; the account must have administrator privileges.
  2. Create a designated entry in the directory, and enter the user name and password parameters for the shared database account in one of that entry's attributes, such as the dbaccount attribute. You might have to create this attribute.

    NOTE:  The user name and password you specify for the shared database account must be a valid Siebel user name and password and must have administrator privileges.

    For information about formatting a directory attribute that contains the database account, see Requirements for the LDAP Directory or Active Directory.

  3. For each security adapter that implements this shared database account, specify values for the parameters shown in the following table.
    | Parameter | Value |
    |---|---|
    | CredentialsAttributeType | Enter the attribute in which the database account is stored in the directory, for example, dbaccount. |
    | SharedCredentialsDN | Enter the distinguished name (including quotes) for the designated entry, such as: "uid=SHAREDENTRY, ou=people, o=example.com" |

    For information about setting Siebel Gateway Name Server configuration parameters, see Siebel Gateway Name Server Parameters. For Developer Web Client, define these parameters in the corresponding section in the application configuration file, such as uagent.cfg for Siebel Call Center. For Gateway Name Server authentication, define these parameters in the gateway.cfg file.

Storing Shared Database Account Credentials as Profile Parameters

This topic describes how to configure a shared database account for an LDAP directory or Active Directory and how to store the database credentials for the account as parameters of either the LDAP or the ADSI Security Adapter profile.

It is recommended that you store shared database account credentials as profile parameters unless you have to store more than one set of database credentials, as only one set of database credentials can be stored as profile parameters.

To store shared database credentials as profile parameters

  1. Navigate to the Administration - Server Configuration screen, Enterprises, and then the Profile Configuration view.
  2. Select either the LDAPSecAdpt profile or the ADSISecAdpt profile.
  3. Specify values for the following parameters for the LDAPSecAdpt or ADSISecAdpt profile.
    | Parameter | Value |
    |---|---|
    | SharedDBUsername | Enter the user name to connect to the Siebel database. |
    | SharedDBPassword | Enter the password to connect to the Siebel database. |

    NOTE:  You must specify a valid Siebel user name and password for the SharedDBUsername and SharedDBPassword parameters.
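
The following is an added example, not part of the Siebel documentation: a Python audit that reads adapter sections from INI-style configuration text and reports which of the two storage options described on this page each section uses, flagging the plain-text directory option. The section names, the sample values and the audit function are assumptions made for illustration; only the four parameter names and the sample DN come from this page.

```python
import configparser

# Constructed sample in the INI style of a .cfg file. The section names and
# the credential values are assumptions; the parameter names and the DN are
# the ones given on this page.
SAMPLE_CFG = '''
[LDAPSecAdpt]
CredentialsAttributeType = dbaccount
SharedCredentialsDN = "uid=SHAREDENTRY, ou=people, o=example.com"

[ADSISecAdpt]
SharedDBUsername = SHAREDUSER
SharedDBPassword = example-only

[LDAPSecAdpt_Unquoted]
SharedCredentialsDN = uid=SHAREDENTRY, ou=people, o=example.com
'''

def audit(cfg_text):
    """Return {section: (storage_mode, [findings])} for each adapter section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep parameter names case-sensitive
    cp.read_string(cfg_text)
    report = {}
    for name in cp.sections():
        sec, findings = cp[name], []
        dn = sec.get("SharedCredentialsDN", "").strip()
        attr = sec.get("CredentialsAttributeType", "").strip()
        user = sec.get("SharedDBUsername", "").strip()
        pwd = sec.get("SharedDBPassword", "").strip()
        if user or pwd:
            mode = "profile-parameters"
            if not (user and pwd):
                findings.append("SharedDBUsername and SharedDBPassword must both be set")
        elif dn:
            mode = "directory-attribute"
            findings.append("shared credentials are stored as plain text in the directory")
            if not attr:
                findings.append("CredentialsAttributeType is missing")
            if not (len(dn) >= 2 and dn[0] == dn[-1] == '"'):
                findings.append("SharedCredentialsDN must include the quotes")
        else:
            mode = "per-user"  # default: each user's record holds the account
        report[name] = (mode, findings)
    return report

if __name__ == "__main__":
    for section, (mode, findings) in audit(SAMPLE_CFG).items():
        print(section, mode, findings or "ok")
```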

Siebel Security Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved.