About Setting Up the LDAP Directory or Active Directory

To provide user access to a Siebel application implementing an LDAP or ADSI security adapter, the Siebel application must be able to retrieve credentials to access the database and the user's Siebel user ID. Therefore, you must set up a directory from which a database account and a Siebel user ID can be retrieved for each user. Your LDAP directory or Active Directory must store, at a minimum, the following data for each user. Each piece of data is contained in an attribute of the directory:
It is recommended that you implement password hashing for both user passwords and database credentials stored in the directory, so that a read of the directory (by an administrator, a backup, or an attacker who obtains one) does not yield usable cleartext secrets. You can also define access control lists (ACLs) to restrict access to directory objects and attributes containing password information, so that only the application user and the directory's own authentication path can read them. For information on setting up directory ACLs, see your directory vendor documentation. For information on password hashing, see About Password Hashing.

You can use additional user attributes to store data, for example, first and last name, as required by your authentication solution. If you create a new attribute object for your directory to store Siebel attributes (for example, Siebel User ID), then you can use the Private Enterprise Number that Siebel Business Applications has registered with the Internet Assigned Numbers Authority (http://www.iana.org) to provide a unique X.500 Object ID. The registered arc is 1.3.6.1.4.1.3856; allocate object IDs beneath it (1.3.6.1.4.1.3856.*) rather than under an arbitrary or unregistered prefix, so that they cannot collide with another vendor's schema.

An additional type of data, roles, is supported but not required. Roles are an alternate means of associating Siebel responsibilities with users. Responsibilities are typically associated with users in the Siebel database, but they can instead be stored in the directory. Leave role values empty to administer responsibilities from within Siebel Business Applications. For more information, see Configuring Roles Defined in the Directory.

About Creating the Application User in the Directory

Depending on your authentication and registration strategies, and the options that you implement for your deployment, you must define a user, called the application user, in the directory. The application user is the identity under which the security adapter binds to the directory, and it is the only user who reads or writes user information there. It is therefore critical that the application user has the search and write privileges it needs on the directory, and no more: scope its privileges to the subtree and attributes that hold Siebel users rather than granting directory-wide write access. For information on creating the application user, see Configuring the Application User.
For ADSI authentication, it is recommended that you use the Active Directory Delegation of Control Wizard to define privileges for users in Active Directory. NOTE: If you are configuring an ADSI security adapter, then the application user must either be a domain user or have access to the directory server. If the application user cannot access the directory server, then the authentication process fails.
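The following script audits an LDIF export of the directory against the requirements described above: every user entry carries the Siebel user ID and the database account, stored passwords and database credentials are hashed rather than cleartext, and any custom Siebel attribute is defined with an OID under the registered arc 1.3.6.1.4.1.3856. It is an added example and not Oracle's or Siebel's code. The attribute names siebelUserId and siebelDbAccount, the DNs, the hash values and the leaf OIDs in the sample export are all constructed for illustration; the adapter lets you map whichever attribute names your directory actually uses.

```python
"""Audit an LDIF export for the Siebel LDAP/ADSI adapter's directory requirements.

Added example (not Oracle/Siebel code). Attribute names, DNs, digests and the
leaf OIDs below are hypothetical; only the arc 1.3.6.1.4.1.3856 is real.
"""
import base64
import re

SIEBEL_PEN_ARC = "1.3.6.1.4.1.3856."
# Hypothetical attribute names; the adapter maps these in its configuration.
REQUIRED_USER_ATTRS = ("uid", "siebeluserid", "siebeldbaccount", "userpassword")
SECRET_ATTRS = ("userpassword", "siebeldbaccount")
# In an export a hashed value carries an RFC 2307-style {SCHEME} prefix.
HASHED = re.compile(r"^\{(SSHA|SHA|SSHA256|SSHA512|PBKDF2[\w-]*|CRYPT)\}", re.I)
ATTR_DEF = re.compile(r"\(\s*([\d.]+)\s+NAME\s+'([^']+)'", re.I)


def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of {attr (lowercase): [values]} dicts."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def _is_user(entry):
    classes = {v.lower() for v in entry.get("objectclass", [])}
    return "inetorgperson" in classes or "user" in classes   # OpenLDAP / AD


def audit_user(entry):
    """Findings for one user: missing Siebel attributes, cleartext secrets."""
    dn = entry.get("dn", ["?"])[0]
    findings = []
    for attr in REQUIRED_USER_ATTRS:
        if attr not in entry:
            findings.append(f"{dn}: missing required attribute {attr}")
    for attr in SECRET_ATTRS:
        for value in entry.get(attr, []):
            if not HASHED.match(value):
                findings.append(f"{dn}: {attr} is stored in cleartext")
    return findings


def audit_schema(entry):
    """Flag Siebel attribute definitions whose OID lies outside the Siebel arc."""
    findings = []
    defs = entry.get("attributetypes", []) + entry.get("olcattributetypes", [])
    for definition in defs:
        m = ATTR_DEF.search(definition)
        if m and m.group(2).lower().startswith("siebel") and \
                not m.group(1).startswith(SIEBEL_PEN_ARC):
            findings.append(f"schema: {m.group(2)} uses OID {m.group(1)} "
                            f"outside {SIEBEL_PEN_ARC}*")
    return findings


def audit(ldif_text):
    findings = []
    for entry in parse_ldif(ldif_text):
        if "attributetypes" in entry or "olcattributetypes" in entry:
            findings += audit_schema(entry)
        elif _is_user(entry):
            findings += audit_user(entry)
    return findings


# Constructed sample export: one compliant user, one user with a missing
# Siebel user ID and cleartext secrets, and one schema definition that uses
# an OID outside the Siebel arc. Digests are placeholders, not real hashes.
SAMPLE_LDIF = """\
dn: cn=subschema
attributeTypes: ( 1.3.6.1.4.1.3856.999.1 NAME 'siebelUserId' DESC 'Siebel user ID'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.2.3.4.5 NAME 'siebelDbAccount' DESC 'Siebel DB credential'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
siebelUserId: JDOE
siebelDbAccount: {SSHA}c2FsdGVkLWRpZ2VzdC1wbGFjZWhvbGRlcg==
userPassword: {SSHA}YW5vdGhlci1wbGFjZWhvbGRlci1kaWdlc3Q=

dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
siebelDbAccount: siebeldb:Welcome1
userPassword:: V2VsY29tZTE=
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF):
        print(finding)
```

Run it against a real export produced with your directory's export tool (for example ldapsearch output) after mapping the attribute names to those configured in your security adapter. The cleartext check only applies to directories that expose the password attribute in an export; Active Directory never returns unicodePwd over LDAP, so for ADSI deployments the ACL on the Siebel attributes and the application user's delegated rights are what you verify instead.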
Siebel Security Guide. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.