A username and password are required for each execution of a command.
The CLI provides a login command to allow username/password pairs to be stored in a credentials file in the administrator's home directory. This file is named .apocpass and has restricted access. When the login command is used, the CLI checks whether a .apocpass file exists in the home directory. If it does, and the file does not have the correct permissions, i.e. 600, the command exits with an error. If a username has been specified, the user is prompted for a password; otherwise the user is prompted for both a username and a password. This username and password are authenticated using anonymous access. If anonymous access is not supported, the user is prompted to enter an authorized DN and password. If authentication is successful, an entry is added to the .apocpass file. The key for this entry is made up of the server, port, base DN and username.
For example, the user “jmonroe” could store a password for server cdelab1.ireland.sun.com, on port 389, with base entry o=apoc, using the key cdelab1.ireland.sun.com:389;o=apoc:jmonroe. The value stored is the user DN and password. In this way, user/password pairs for a number of users of this back end can be stored. Similarly, username/password pairs can be stored for other back ends. Once the login command has completed successfully, other CLI commands can be executed without specifying a username or password.
For other commands, the CLI first checks whether a .apocpass file exists for this user. If one does not exist, the user is prompted for a username and password. If this username and password are successfully authenticated, the command is executed. If the credentials file does exist and a username has been specified at the command line, the CLI looks for an entry for this host, port, base DN and username. If an entry exists, the stored user DN and password are used to execute the command; otherwise the user is prompted for a password. If a username is not specified at the command line, the .apocpass file is searched for keys matching the host, port and base DN combination. If there is a unique entry for this combination, the stored user DN and password are used to execute the command. If the entry is not unique, the user is prompted for a username. If this matches an entry, the stored user DN and password are used to execute the command. If it does not match, the user is prompted for a password. Where the user is prompted for a password, an entry from the .apocpass file for this host/port/base DN combination is used to authenticate the username and password. If no such entry exists, anonymous access is used for the authentication.
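The permission check, key format and lookup order described above, as an added Python example that is not part of the original documentation or of the CLI itself. The on-disk line format of .apocpass is not given on this page, so the store is modelled as an in-memory dictionary keyed exactly as the text describes (host:port;baseDN:username, with the user DN and password as the value); the hosts other than the cdelab1 example, and all DNs and passwords, are constructed. The `prompt` callable stands in for the interactive username/password prompts, and treating a back end with no stored entries like the non-unique case when no username is given is an assumption.

```python
import getpass
import stat
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample store (assumption: the real .apocpass line format is not
# given on the page, so an in-memory dict keyed as the text describes is used).
# Only cdelab1.ireland.sun.com:389 / o=apoc / jmonroe comes from the page.
SAMPLE_STORE: Dict[str, Tuple[str, str]] = {
    "cdelab1.ireland.sun.com:389;o=apoc:jmonroe": ("uid=jmonroe,ou=people,o=apoc", "s3cret"),
    "cdelab1.ireland.sun.com:389;o=apoc:asmith": ("uid=asmith,ou=people,o=apoc", "pa55w0rd"),
    "ldap2.example.test:389;o=apoc:jmonroe": ("uid=jmonroe,ou=people,o=apoc", "other"),
}

REQUIRED_MODE = 0o600  # owner read/write only, as the text requires


def permissions_ok(st_mode: int) -> bool:
    """True only if the permission bits of an os.stat() st_mode are exactly 0600."""
    return stat.S_IMODE(st_mode) == REQUIRED_MODE


def make_key(host: str, port: int, base_dn: str, username: str) -> str:
    """Build the .apocpass key the text describes: host:port;baseDN:username."""
    return f"{host}:{port};{base_dn}:{username}"


def entries_for_backend(store: Dict[str, Tuple[str, str]], host: str, port: int,
                        base_dn: str) -> Dict[str, Tuple[str, str]]:
    """All stored (user DN, password) pairs for one host/port/base DN, by username."""
    prefix = f"{host}:{port};{base_dn}:"
    return {k[len(prefix):]: v for k, v in store.items() if k.startswith(prefix)}


@dataclass
class Resolution:
    username: str
    password: str
    user_dn: Optional[str]   # DN to bind as when the pair came from the store
    source: str              # "stored" or "prompted"
    # Stored DN/password used to authenticate a prompted password;
    # None means anonymous access is used for the authentication.
    auth_creds: Optional[Tuple[str, str]]


def resolve(store: Optional[Dict[str, Tuple[str, str]]], host: str, port: int,
            base_dn: str, username: Optional[str],
            prompt: Callable[[str], str]) -> Resolution:
    """Credential lookup for a non-login command, in the order the text gives.

    store is None when no .apocpass file exists. prompt(what) stands in for
    the interactive username/password prompts.
    """
    if store is None:
        # No credentials file: prompt for both and authenticate anonymously.
        return Resolution(prompt("username"), prompt("password"), None, "prompted", None)

    backend = entries_for_backend(store, host, port, base_dn)

    if username is None:
        if len(backend) == 1:
            username, (dn, pw) = next(iter(backend.items()))
            return Resolution(username, pw, dn, "stored", None)
        # Not unique: prompt for a username. Assumption: a back end with no
        # stored entries at all is handled the same way as a non-unique one.
        username = prompt("username")

    if username in backend:
        dn, pw = backend[username]
        return Resolution(username, pw, dn, "stored", None)

    # No entry for this user: prompt for a password. A stored entry for the
    # same host/port/base DN (if any) authenticates it; otherwise anonymous.
    password = prompt("password")
    auth_creds = next(iter(backend.values())) if backend else None
    return Resolution(username, password, None, "prompted", auth_creds)


def scripted_prompt(answers: List[str]) -> Callable[[str], str]:
    """A prompt function that replays fixed answers, so the lookup runs offline."""
    it = iter(answers)
    return lambda what: next(it)


def interactive_prompt(what: str) -> str:
    """Real prompt for CLI use: the password is read without echo."""
    return getpass.getpass("Password: ") if what == "password" else input("Username: ")


if __name__ == "__main__":
    r = resolve(SAMPLE_STORE, "cdelab1.ireland.sun.com", 389, "o=apoc", None,
                scripted_prompt(["asmith"]))
    print(r.username, r.source, r.user_dn)  # → asmith stored uid=asmith,ou=people,o=apoc
```

Passing `interactive_prompt` instead of `scripted_prompt(...)` gives the interactive behaviour; `permissions_ok(os.stat(path).st_mode)` is the check a real implementation would run before reading the file, refusing anything other than 0600 so that a group- or world-readable credentials file is never used.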