Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Creating ACLs for File-Based Authentication

Proxy Server supports the use of file-based authentication databases, which store user and group information in text format in flat files. The ACL framework is designed to work with the file authentication database.


Note –

Proxy Server does not support dynamic flat files. The flat file database is loaded when the server starts up. Any changes to the files come into effect only when the server is restarted.


This section describes how to create ACLs for directory services based on file authentication and on digest authentication.

An ACL entry can reference a user database using the database keyword. For example:

acl "default";
authenticate (user) {
    ...
    database = "myfile";
    ...
};

The server-root/userdb/dbswitch.conf file contains an entry that defines the file authentication database and its configuration. For example:

directory myfiledb file
myfiledb:syntax keyfile
myfiledb:keyfile /path/to/config/keyfile

The following table lists the parameters supported by the file authentication database.

Table 8–2 Parameters Supported by the File Authentication Database

Parameter     Description
syntax        (Optional) Value is either keyfile or digest. If not specified, defaults to keyfile.
keyfile       (Required if syntax=keyfile) Path to the file containing user data.
digestfile    (Required if syntax=digest) Path to the file containing user data for Digest authentication.


Caution –

The maximum length of a line in a file authentication database file is 255. If any line exceeds this limit, the server fails to start and an error is logged in the log file.


Make sure a file-based authentication directory service is already configured before attempting to set ACLs using a file-based authentication database. For more information, see Configuring Directory Services.

Creating ACLs for Directory Services Based on File Authentication

Procedure: To Create ACLs for Directory Services Based on File Authentication

  1. Access the Server Manager for the server instance.

  2. On the Preferences tab, click the Administer Access Control link.

  3. Select the ACL file from the drop-down list, and click Edit.

  4. In the Access Control Rules For page, click the Users/Groups link for the ACL entry you want to edit.

    The User/Group page is displayed in the lower frame.

  5. From the drop-down list under Authentication Database, specify the key file database.

  6. Click Update, and then click Submit to save your changes.

    When you set an ACL against a key file-based file authentication database, the dbswitch.conf file is updated with an ACL entry, such as the sample entry given below:


    version 3.0;
    acl "default";
    authenticate (user) {
        prompt = "iPlanet Web Proxy Server 4.0";
        database = "mykeyfile";
        method = "basic";
    };
    deny (all) user = "anyone";
    allow (all) user = "all";

Creating ACLs for Directory Services Based on Digest Authentication

The file authentication database also supports a file format suitable for use with Digest authentication, per RFC 2617. A hash based on the password and realm is stored. Clear text passwords are not maintained.
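As an added example (not from the Oracle guide, which does not document the digest file's on-disk layout), the following Python shows the RFC 2617 computation a digest database relies on: only H(A1) = MD5(username:realm:password) is kept per user, and the server recomputes the client's response from that value, so no clear-text password is ever stored. It also includes a check for the 255 line-length limit from the caution above. The realm, user, nonce and response values are taken from the worked example in RFC 2617 section 3.5; the dictionary database is constructed for illustration.

```python
import hashlib
import re
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 H(A1) = MD5(username:realm:password): the only per-user value
    a digest database needs to keep, so the clear-text password is never stored."""
    return md5_hex(f"{username}:{realm}:{password}")

def expected_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """Response the client must send for qop=auth (RFC 2617 section 3.2.2.1)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_digest_header(header: str) -> dict:
    """Turn 'Digest k="v", k2=v2, ...' into a dict with quotes stripped."""
    body = header.split(" ", 1)[1]
    return {k: q or u
            for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', body)}

def verify(db: dict, realm: str, method: str, header: str) -> bool:
    """True only if the stored H(A1) for this user and realm reproduces the response."""
    p = parse_digest_header(header)
    stored = db.get(p.get("username"))
    if stored is None or p.get("realm") != realm or p.get("qop") != "auth":
        return False
    try:
        calc = expected_response(stored, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    except KeyError:          # a required directive is missing from the header
        return False
    return secrets.compare_digest(calc, p.get("response", ""))

def overlong_lines(text: str, limit: int = 255) -> list:
    """1-based numbers of lines longer than limit; the proxy refuses to start on any."""
    return [n for n, line in enumerate(text.splitlines(), 1) if len(line) > limit]

# Constructed digest database holding H(A1) for the RFC 2617 worked-example user.
RFC_REALM = "testrealm@host.com"
DIGEST_DB = {"Mufasa": ha1("Mufasa", RFC_REALM, "Circle Of Life")}

# Authorization header from RFC 2617 section 3.5, flattened onto one line.
RFC_HEADER = ('Digest username="Mufasa", realm="testrealm@host.com", '
              'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
              'qop=auth, nc=00000001, cnonce="0a4f113b", '
              'response="6629fae49393a05397450978507c4ef1"')
```

Run `verify(DIGEST_DB, RFC_REALM, "GET", RFC_HEADER)` to reproduce the RFC's response; changing the method, realm or stored hash makes it return False.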

Procedure: To Create ACLs for Directory Services Based on Digest Authentication

  1. Access the Server Manager for the server instance.

  2. On the Preferences tab, click the Administer Access Control link.

  3. Select the ACL file from the drop-down list, and click Edit.

  4. In the Access Control Rules For page, click the Users/Groups link for the ACL you want to edit.

    The User/Group page is displayed in the lower frame.

  5. From the drop-down list under Authentication Database, specify the digest database.

  6. Click Update, and then click Submit to save your changes.

    When you set an ACL against a Digest authentication-based file authentication database, the dbswitch.conf file is updated with an ACL entry, such as the sample entry below.


    version 3.0;
    acl "default";
    authenticate (user) {
        prompt = "filerealm";
        database = "mydigestfile";
        method = "digest";
    };
    deny (all) user = "anyone";
    allow (all) user = "all";