proxyuser Object

The proxyuser common object contains the mapping information for users of SunScreen proxies. You manipulate the proxyuser through the administration GUI or the configuration editor. The proxy user object has the subtypes single and group. FTP Telnet, and (optionally) HTTP proxy rules reference the proxy user entries.

The proxyuser object is automatically saved when it is edited or a new proxyuser object is added. The change is saved immediately and is not repealed if the edit session is aborted. The Save button in the administration GUI remains greyed out, indicating that no Save is necessary due to such changes.

proxyuser objects store associations between authuser objects and a user ID (or other host-based user identifier) to be used by a proxy to authenticate and establish a user's identity on a "backend" server system. These associations, or "mappings", enable reusing the authentication information within authuser objects; by creating multiple mappings, any given authuser can be cast into different roles with respect to one's identity on different "backend" servers to be proxied. These mapping proxyuser objects are dubbed "simple" ones.

Finally, some proxyuser objects are considered "special" ones. Such objects are similar to simple objects but provide access paths to one or more user entities that can be authenticated by an external mechanism. RADIUS and SecurID are two such external mechanisms that are presently supported.

proxyuser objects are referenced in SunScreen proxy policy rules.

Each proxyuser object has a name. The name cannot contain the following characters:

! # $ % ^ & * { } [ ] < > " \ ? ` / @ NULL

You can choose names that coincide with existing real-world naming schemes for individuals, existing computer-based naming, or any other scheme. Thus, "hbovis (mechengg)", "sally.ann.studebaker", and "Rundum, Karr Bo - security" are all examples of legitimate proxyuser object names. The namespace of the proxyuser objects is disjoint from all others in the SunScreen firewall. (In particular, proxyuser names are different from those that name authuser objects.)

Tip: Choose names for proxyuser objects which can be readily entered by users.

Each proxyuser object has an enabled tag, so that you can turn it off for processing purposes without deleting it:

• ENABLED - Allows authentication processing to consider this object; this is the default.

• DISABLED - Disallows authentication processing from considering this object.

The two portions of the simple object mapping are: an authuser object reference and backend user name. Each of these is an optional field:

• AUTH_USER_NAME="authusername" - Specifies a reference to an authuser object with the given authorized user name. If this item is not present, then the proxyuser object does not require authentication.

• BACKEND_USER_NAME="backendname" - Specifies the system-dependent name, to be supplied to the backend server as the identity of the user of this mapping. (At present, this item should always be defined.)

In addition to simple entries, proxyuser objects also enable creating groups of sibling objects. The GROUP is a way to group proxy users that have the same privileges. Group proxyusers save time when creating rules. Before creating a proxy user group, define the proxy user objects for that proxy user group. These GROUP objects can contain zero or more references to other simple or group proxyuser objects. The group structures are maintained hierarchically, not flattened. For GROUP proxyuser objects the value fields are:

• MEMBER_NAME="mname" - Makes a reference to another proxyuser object mname by the one containing it. This item can be repeated as many times as needed to make references to all group members.

Any proxyuser object, regardless of type, may have the following optional attributes:

• DESCRIPTION="desc" - Specifies a plain-text description string desc to be associated with the user entry.