Exit Print View

Oracle Secure Global Desktop Administration Guide for Version 4.6

Document Information

Preface

1.  Networking and Security

2.  User Authentication

Secure Global Desktop Authentication

User Identity

User Profile

System Authentication Mechanisms

Password Expiry

Security and Passwords

Active Directory Authentication

How Active Directory Authentication Works

User Identity and User Profile

Setting Up Active Directory Authentication

Preparing for Active Directory Authentication

Supported Versions of Active Directory

Domain Requirements

Network Requirements for Active Directory Authentication

Synchronizing System Clocks

SSL Connections to Active Directory

Configuring SGD for Kerberos Authentication

Kerberos Realms and KDCs

Active Directory Password Expiry

Network Protocols

KDC Timeout

How to Enable Active Directory Authentication

Anonymous User Authentication

How Anonymous User Authentication Works

User Identity and User Profile

Application Sessions and Password Cache Entries

How to Enable Anonymous User Authentication

LDAP Authentication

How LDAP Authentication Works

User Identity and User Profile

Setting Up LDAP Authentication

Preparing for LDAP Authentication

Supported LDAP Directories

Network Requirements for LDAP Authentication

LDAP Bind DN and Password Change

Authentication to Novell eDirectory

How to Enable LDAP Authentication

SecurID Authentication

How SecurID Authentication Works

User Identity and User Profile

Setting Up SecurID Authentication

Configuring SGD Servers as Agent Hosts

How to Configure an SGD Server as an Agent Host

How to Enable SecurID Authentication

Third-Party Authentication

How Third-Party Authentication Works

Search Local Repository

User Identity and User Profile

Search LDAP Repository

User Identity and User Profile

Use Default Third-Party Identity

User Identity and User Profile

Setting Up Third-Party Authentication

How to Enable Third-Party Authentication

SGD Administrators and Third-Party Authentication

Trusted Users and Third-Party Authentication

Information for Application Developers

How to Create a New Trusted User

UNIX System Authentication

How UNIX System Authentication Works

Search Unix User ID in Local Repository

User Identity and User Profile

Search Unix Group ID in Local Repository

User Identity and User Profile

Use Default User Profile

User Identity and User Profile

UNIX System Authentication and PAM

How to Enable UNIX System Authentication

Windows Domain Authentication

How Windows Domain Authentication Works

User Identity and User Profile

How to Enable Windows Domain Authentication

Passwords, Domains, and Domain Controllers

How to Specify a Domain Controller on a Different Subnet

Tuning Directory Services for Authentication

Filtering LDAP or Active Directory Logins

User Login Filter

Group Login Filter

How to Configure a User Login Filter

How to Configure the Group Login Filter

LDAP Discovery Timeout

Using Service Objects

How to Create an Active Directory Service Object

How to Create an LDAP Service Object

Password Expiry

LDAP Password Update Mode

Sites

Whitelists

Blacklists

Search Only the Global Catalog

Suffix Mappings

Domain Lists

Lookup Cache Timeout

LDAP Operation Timeout

Active Directory Authentication and LDAP Discovery

Troubleshooting Secure Global Desktop Authentication

Setting Log Filters for Authentication Problems

Denying Users Access to SGD After Failed Login Attempts

How to Enable the Login Failure Handler

How to Change the Number of Login Attempts

Users Cannot Log In to Any SGD Server

Using Shared Accounts for Guest Users

How to Share a User Profile Between Users

Solaris OS Users Cannot Log in When Security is Enabled

An Ambiguous User Name Dialog Is Displayed When a User Tries to Log in

3.  Publishing Applications to Users

4.  Configuring Applications

5.  Client Device Support

6.  SGD Client and Webtop

7.  SGD Servers, Arrays, and Load Balancing

A.  Global Settings and Caches

B.  Secure Global Desktop Server Settings

C.  User Profiles, Applications, and Application Servers

D.  Commands

E.  Login Scripts

F.  Third-Party Legal Notices

Glossary

Index

UNIX System Authentication

UNIX system authentication enables users to log in to SGD if they have UNIX or Linux system accounts on the SGD host.

UNIX system authentication is enabled by default.

This section includes the following topics:

How UNIX System Authentication Works

UNIX system authentication supports the following search methods for authenticating users against a UNIX or Linux system user database and determining the user identity and profile:

These search methods are described in the following sections.

Search Unix User ID in Local Repository

At the SGD login screen, the user types a user name and password. The user name can be any of the following:

SGD searches the local repository for a user profile with a Name attribute that matches what the user typed. If there is no match, the search is repeated on the Login Name attribute, and finally on the Email Address attribute. If no user profile is found, the next authentication mechanism is tried.

If a user profile is found, the Login Name attribute of that object is treated as a UNIX or Linux system user name. This user name, and the password typed by the user, are checked against the UNIX or Linux system user database. If the authentication fails, the next authentication mechanism is tried.

If the authentication succeeds and the Login attribute for the user profile is not enabled, the user is not logged in and no further authentication mechanisms are tried. If the authentication succeeds and the Login attribute for the user profile is enabled, the user is logged in.

This search method is enabled by default.

User Identity and User Profile

The matching user profile in the local repository is used for the user identity and user profile. In the SGD datastore, the user identity is in the Local namespace. In the Administration Console, the text “(Local)” is displayed next to the user identity. On the command line, the user identity is located in .../_ens.

Search Unix Group ID in Local Repository

SGD checks the user name and password typed by the user at the login screen against the UNIX or Linux system user database.

If the authentication fails, the next authentication mechanism is tried.

If the authentication succeeds, SGD searches for the user profile. See User Identity and User Profile for details. If the Login attribute of the user profile object is not enabled, the user cannot log in and no further authentication mechanisms are tried. If the Login attribute of the user profile is enabled, the user is logged in.

This search method is enabled by default.

User Identity and User Profile

The user identity is the UNIX or Linux system user name. In the SGD datastore, the user identity is in the User namespace. In the Administration Console, the text “(UNIX)” is displayed next to the user identity. On the command line, the user identity is located in .../_user.

SGD searches the local repository for a user profile cn=gid, where gid is the UNIX system group ID of the authenticated user. If found, this is used as the user profile. If the user belongs to more than one group, the user’s primary or effective group is used. If no user profile is found in the local repository, the profile object System Objects/UNIX User Profile is used for the user profile.

Use Default User Profile

SGD checks the user name and password typed by the user at the login screen against the UNIX or Linux system user database.

If the authentication fails, the next authentication mechanism is tried.

If the authentication succeeds, the user is logged in.

This search method is disabled by default.

User Identity and User Profile

The user identity is the UNIX or Linux system user name. In the SGD datastore, the user identity is in the User namespace. In the Administration Console, the text “(UNIX)” is displayed next to the user identity. On the command line, the user identity is located in .../_user.

The profile object System Objects/UNIX User Profile is used for the user profile. All UNIX system users receive the same webtop content.

UNIX System Authentication and PAM

SGD supports Pluggable Authentication Modules (PAM). UNIX system authentication uses PAM for user authentication, account operations, and password operations.

When you install SGD on Linux platforms, the SGD installation program automatically creates PAM configuration entries for SGD by copying the current configuration for the passwd program and creating the /etc/pam.d/tarantella file.

When you install SGD on Solaris OS platforms, you must add PAM configuration entries manually. For example, you might add these entries for tarantella to the /etc/pam.conf file.

tarantella auth required pam_unix_auth.so.1
tarantella password required pam_unix_auth.so.1

How to Enable UNIX System Authentication

  1. In the SGD Administration Console, display the Secure Global Desktop Authentication Configuration Wizard.

    Go to the Global Settings -> Secure Global Desktop Authentication tab and click the Change Secure Global Desktop Authentication button.

  2. On the Third-Party/System Authentication step, ensure the System Authentication check box is selected.
  3. On the System Authentication - Repositories step, select the Unix check box.
  4. On the Unix Authentication - User Profile step, select the check box for one or more search methods for finding the user profile.

    See How UNIX System Authentication Works for details on the search methods.

  5. On the Review Selections step, check the authentication configuration and click Finish.