
Configuring the Application User


This topic describes how to configure the directory application user. The application user is not an actual user who logs into an application; it is a special user defined to handle access to the directory.

The application user is the only user with search and write privileges to the LDAP or ADSI directory, and this user must be defined in the following authentication strategies that implement a Siebel security adapter:

  • Security adapter authentication: LDAP, ADSI, custom (not database authentication)
  • Web SSO authentication

By setting up an application user as the only user with search, read, and update privileges to the directory, you minimize the level of access of all other users to the directory and the administration required to provide such access.

The application user is defined in the directory with the following qualities:

  • This user provides the initial binding of the LDAP or Active Directory server with the AOM when a user requests the login page. Otherwise, by default, the anonymous user provides the initial binding.
  • This user has sufficient permissions to read any user's information in the directory and do any necessary administration. The application user does all searching and writing to the directory that is requested through the security adapter.

    In a Siebel security adapter implementation, the application user must have search and write privileges for all user records in the directory. In a Web SSO implementation, the application user must have, at least, search privileges.

    NOTE:  If you are configuring an ADSI security adapter, ensure that the application user is either a domain user or has access to the directory server. If the application user cannot access the directory server, the authentication process fails.

  • Permissions for the application user must be defined at the organization level (for example, OU for LDAP).

You maintain an unencrypted password for the application user in the directory, while an encrypted version of that password is used in the other phases of the authentication process. An encryption algorithm is applied to the application user password before it is sent to the database, and the application user login must also be set up with the encrypted version of the password.

Perform the following procedure to define the application user.

To configure the application user

  1. In the directory, define a user that uses the same attributes as other users. Assign values in appropriate attributes that contain the following information:
    • Username. Assign a name of your choice. If you implement an adapter-defined user name, use that attribute. Otherwise, use the attribute in which you store the Siebel user ID, although the application user does not have a Siebel user ID.
    • Password. Assign a password of your choice. Enter the password in unencrypted form. If you implement an ADSI directory, you specify the password using Active Directory user management tools, not as an attribute.
  2. For your Siebel security adapter, define the following parameter values for the security adapter's enterprise profile (such as LDAPSecAdpt or ADSISecAdpt) on the Siebel Gateway Name Server.
    • ApplicationUser. Enter the application user's full distinguished name (DN) in the directory, for example:

    ApplicationUser = "uid=APPUSER, ou=people, o=oracle.com"

    • ApplicationPassword. Enter the application user password (unencrypted).

For information about setting Siebel Gateway Name Server configuration parameters, see Siebel Gateway Name Server Parameters. For Developer Web Client, define these parameters in the corresponding section in the application configuration file, such as uagent.cfg for Siebel Call Center.
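The procedure above, carried through for the directory side as an added example (this is not configuration from the Siebel Security Guide or from Oracle). It assumes an OpenLDAP server managed through cn=config, an inetOrgPerson user subtree at ou=people,o=oracle.com (the same subtree used in the ApplicationUser value above), and that the user database is olcDatabase={1}mdb; the passwords are placeholders. Step 1 creates the application user with the same attributes as an ordinary user; the access directive then makes it the only identity with search and write rights over all user records, while every other identity can do nothing but authenticate, which is the least-privilege arrangement the text describes.

```ldif
# Added example, not part of the Siebel Security Guide.
# Assumed: OpenLDAP with cn=config, user subtree ou=people,o=oracle.com,
# user database olcDatabase={1}mdb. Passwords below are placeholders.

# Step 1: the application user, defined with the same attributes as other
# users. The password is entered unencrypted, as the procedure requires.
# uid is the attribute assumed to hold the Siebel user ID.
dn: uid=APPUSER,ou=people,o=oracle.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: APPUSER
cn: Siebel Application User
sn: APPUSER
userPassword: <application-user-password-placeholder>

# An ordinary end user, for contrast: this account is only ever bound
# against to verify a password; all searching and writing goes through
# the application user via the security adapter.
dn: uid=jdoe,ou=people,o=oracle.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: <end-user-password-placeholder>

# Access control on the user database (applied to cn=config, as a modify).
# Clause {0}: only the application user may read or write any password;
#   everyone else may only use their own password to bind (auth).
# Clause {1}: only the application user may search, read and write the
#   people subtree; no other identity, anonymous or bound, can read it.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="uid=APPUSER,ou=people,o=oracle.com" write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=people,o=oracle.com"
  by dn.exact="uid=APPUSER,ou=people,o=oracle.com" write
  by * none
```

Load the two user entries with ldapadd against the user database and the olcAccess change with ldapmodify against cn=config. A quick check that the grant is correct: an ldapsearch bound as uid=APPUSER over ou=people returns every user entry, while the same search bound as uid=jdoe, or anonymously, returns nothing; that is the behaviour the ApplicationUser and ApplicationPassword parameters rely on.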

Application User and Password Expiration Policies

Typically, user administration in an LDAP or ADSI directory is performed through the application user. In addition, user policies that are set for the entire directory apply to the application user as well as to all other users.

If you implement a password expiration policy in the directory, exempt the application user from that policy so that the application user's password does not expire. To do this, set the application user's password policy explicitly after the password policy for the whole directory has been set (which, as noted above, is done through the application user).
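The exemption described above, as an added example (not from the Siebel Security Guide): it assumes an OpenLDAP server with the ppolicy overlay enabled on the user database, a directory-wide default policy already assigned through the overlay's olcPPolicyDefault setting, and a policy container at ou=policies,o=oracle.com. A dedicated policy with pwdMaxAge set to 0 (never expire) is attached to the application user entry only; every other user keeps the directory default.

```ldif
# Added example, not part of the Siebel Security Guide.
# Assumed: OpenLDAP ppolicy overlay enabled, default expiry policy set via
# olcPPolicyDefault, policy entries stored under ou=policies,o=oracle.com.

# A policy whose pwdMaxAge of 0 means the password never expires.
# pwdPolicy is an auxiliary class, so a structural class (person) carries it.
dn: cn=no-expiry,ou=policies,o=oracle.com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: no-expiry
sn: no-expiry
pwdAttribute: userPassword
pwdMaxAge: 0

# Attach the no-expiry policy to the application user only. This is set
# after the directory-wide policy, so it overrides the default for this
# one entry and leaves all other users under the expiring policy.
dn: uid=APPUSER,ou=people,o=oracle.com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=no-expiry,ou=policies,o=oracle.com
```

Apply both parts with ldapmodify bound as an identity that may write the application user entry. To confirm the exemption took effect, read the application user entry with the pwdPolicySubentry attribute requested and check that it names cn=no-expiry, and read an ordinary user entry to confirm it has no pwdPolicySubentry and therefore still falls under the default.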

For more information about account policies and password expiration, see Login Security Features.

Siebel Security Guide Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices.