Sun Java System Web Server 7.0 Update 3 Administrator's Guide

Working With Authentication Database

Authentication Database, also referred to as auth-db, represents a database of known users and the mechanism for authenticating client requests against that database. The server can have multiple auth-db entries configured at the same time and these may be of the same type. The auth-db user databases are used by the ACL processing module.

The server supports the following authentication databases:

  1. LDAP — The user data is stored in an LDAP directory server, such as the Sun Java System Directory Server.

  2. File — The user data is stored in a disk file. This auth-db is particularly convenient for development or small deployments where no centralized user management is available (or desired). The file auth-db supports several different file formats:

    1. keyfile — The keyfile format stores a list of users (and optional group memberships for each user). The password is stored as a one-way (unrecoverable) hash. This is the default format.

    2. digestfile — The digestfile is very similar to the keyfile and also supports the HTTP Digest authentication method.

    3. htaccess — This is a legacy format and should never be used for new installations or adding new users.

  3. PAM — PAM is the newest auth-db supported by Web Server. The PAM auth-db delegates authentication to the Solaris PAM stack, so existing Solaris users on the web server system can also authenticate to the web server.


    Note –

    PAM auth-db is only supported in Solaris 9 and 10 (or higher) and the web server instance must be running as root.
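The difference between the keyfile and digestfile formats above comes down to what the stored credential lets the server compute. A one-way hash is enough to check a cleartext password (HTTP Basic), but HTTP Digest authentication (RFC 2617) verifies a response derived from HA1 = MD5(user:realm:password), which cannot be reconstructed from an unrecoverable hash. The following Python is an added illustration of that point, not the server's own file formats or code: the record layouts, realm, nonce and user names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed values for the illustration (not from any real deployment).
REALM = "example-realm"
PBKDF2_ROUNDS = 100_000


def make_oneway_record(password: str, salt: Optional[bytes] = None) -> str:
    """Keyfile-style idea: store only a salted one-way hash (password is unrecoverable).
    Record layout 'salthex$digesthex' is an assumption made for this example."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_basic(record: str, password: str) -> bool:
    """HTTP Basic sends the cleartext password, so a one-way hash suffices to check it."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    # Constant-time comparison avoids leaking how many hex digits matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_digest_record(user: str, realm: str, password: str) -> str:
    """Digestfile-style idea: store HA1 = MD5(user:realm:password) as defined by RFC 2617.
    HA1 is a password equivalent for Digest on this realm, so the file needs the same
    protection as a cleartext password store."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def verify_digest(record_ha1: str, method: str, uri: str, nonce: str,
                  client_response: str) -> bool:
    """The server recomputes the response from the stored HA1; it never sees the password.
    A keyfile-style one-way hash cannot feed this computation, which is why a separate
    digestfile format exists."""
    expected = digest_response(record_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, client_response)


if __name__ == "__main__":
    basic_rec = make_oneway_record("s3cret")
    print("basic ok:", verify_basic(basic_rec, "s3cret"))
    print("basic wrong password:", verify_basic(basic_rec, "wrong"))

    ha1 = make_digest_record("alice", REALM, "s3cret")
    nonce = "constructed-nonce-1"
    client = digest_response(ha1, "GET", "/private", nonce)  # what a client would send
    print("digest ok:", verify_digest(ha1, "GET", "/private", nonce, client))
    print("digest replay on other uri:", verify_digest(ha1, "GET", "/other", nonce, client))
```

The last two checks show the operational consequence: the Digest verifier binds the response to method, URI and nonce, but everything it needs is in the stored HA1, so a leaked digestfile grants the same access as a leaked password for that realm, whereas a leaked keyfile still has to be cracked.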


Creating an Authentication Database

To create an authentication database through the Administration Console, click Configurations > Configuration Name > Access Control > Authentication Databases > New button. See the Administration Console inline help for field descriptions. The fields shown depend on the selected authentication database type; for example, a PAM-based authentication database requires only the authentication database name.

The required options for creating an authentication database are enumerated here:

LDAP 

  • Authentication Database Name

  • Host Name

  • Port

  • Base DN

Key File 

  • Authentication Database Name

  • File Path

Digest File 

  • Authentication Database Name

  • File Path

PAM 

  • Authentication Database Name

To create an authentication database through the CLI, execute the following command.


wadm> create-authdb --user=admin --password-file=admin.pwd 
--host=serverhost --port=8989 --config=config1 
--url=ldap://ldapserver.com:20002/dc=xxx,dc=sun,dc=com LDAP1

See CLI Reference, create-authdb(1).

In the above example, a URL has been specified for the authentication database; the URL scheme determines the type of authentication database. For example, ldap://ds.example.com/dc=example,dc=com configures an LDAP directory server as the authentication database.