Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Specifying Users and Groups

With user and group authentication, users are prompted to provide a user name and password before they can access the resource specified in the access control rule.

The Proxy Server checks lists of users and groups stored either in an LDAP server, such as Oracle Directory Server Enterprise Edition, or in an internal file-based authentication database.

You can allow or deny access to everyone in the database, allow or deny specific people by using wildcard patterns, or select who to allow or deny from lists of users and groups.

The following elements are displayed for Users/Groups on the Access Control Rules For page in the user interface.

Anyone (No Authentication) is the default and means anyone can access the resource without providing a user name or password. However, the user might be denied access based on other settings, such as host name or IP address. For the Administration Server, this setting means that anyone in the administrators group that you specified for distributed administration can access the pages.
Authenticated People Only
- All In The Authentication Database matches any user who has an entry in the database.
- Only The following People specifies which users and groups to match. You can list users or groups of users individually by separating the entries with commas, or with a wildcard pattern, or you can select from the lists of users and groups stored in the database. Group matches all users in the groups you specify. User matches the individual users you specify. For the Administration Server, the users must also be in the administrators group you specified for distributed administration.
Prompt For Authentication specifies the message text that is displayed in the authentication dialog box. You can use this text to describe what the user needs to type. Depending on the operating system, users see approximately the first 40 characters of the prompt. Most browsers cache the user name and password and associate them with the prompt text. If the user accesses areas of the server files and directories that have the same prompt, the user does not need to retype user names and passwords. Conversely, if you want to force users to reauthenticate for various areas, you must change the prompt for the ACL on that resource.
Authentication Methods specifies the method the server uses for getting authentication information from the client. The Administration Server offers only the Basic method of authentication. The Server Manager offers the following methods:
- Default uses the default method specified in the obj.conf file, or Basic if there is no setting exists in obj.conf. If you select Default, the ACL rule does not specify a method in the ACL file. Choosing Default enables you to easily change the methods for all ACLs by editing one line in the obj.conf file.
- Basic uses the HTTP method to get authentication information from the client. The user name and password are only encrypted if encryption is turned on for the server (SSL is enabled). Otherwise, names and passwords are sent in clear text, and can be read if intercepted.
- SSL uses the client certificate to authenticate the user. To use this method, SSL must be turned on for the server. When encryption is on, Basic and SSL methods can be combined.
  
  Note –
  You can enable security only in reverse proxy mode and not in forward proxy mode.
- Digest uses an authentication mechanism that enables browsers to authenticate users based on user name and password without sending the user name and password as clear text. The browser uses the MD5 algorithm to create a digest value using the user’s password and some information provided by the Proxy Server. This digest value is also computed on the server side using the Digest authentication plug-in and compared against the digest value provided by the client.
  
  Note –
  Prompt For Authentication is a required parameter in Digest Authentication. Change the value to match the realm (required for digest file). For example, if in the digest file, you have configured all users to be in the realm test, then the Prompt For Authentication field should contain the text test.
- Other uses a custom method that you create using the access control API.
Authentication Database specifies the database that the server will use to authenticate users. This option is only available through the Server Manager. If you choose Default, the server looks for users and groups in a directory service configured as default. If you want to configure individual ACLs to use different databases, select Other, and specify the database. Non-default databases and LDAP directories must be specified in server-root/userdb/dbswitch.conf. If you use the access control API for a custom database, select Other, and type the database name.