The Users and Groups tab in the Administration Server is used to create and modify user entries. A user entry contains information about an individual person or object in the database.
Creating a user entry makes the user known to the server; what that user may access is decided separately, because Proxy Server uses an ACL-based model for authentication and authorization. Review the ACLs that reference new users or their groups so that no one gains unauthorized access to resources. For more information about ACL-based security, see Chapter 8, Controlling Access to Your Server. For additional security information, also see Chapter 5, Using Certificates and Keys.
This section describes how to create users in LDAP-based authentication databases, key file authentication databases, and digest file authentication databases.
When user entries are added to an LDAP-based directory service, the services of an underlying LDAP-based directory server are used to authenticate and authorize users. This section lists guidelines to consider when using an LDAP-based authentication database, and describes how to add users through the Proxy Server Administration Server.
Consider the following guidelines when using the Proxy Server administration console to create new user entries in an LDAP-based directory service:
If you provide a given name (or first name) and a surname, the user’s full name and user ID are automatically completed. The user ID is generated as the first initial of the user’s first name followed by the user’s last name. For example, if the user’s name is Billie Holiday, the user ID is automatically set to bholiday. You can replace this user ID with an ID of your own choosing if you wish.
The user ID must be unique. The Administration Server ensures this by searching the entire directory from the search base (base DN) down to see if the user ID is already in use. Be aware, however, that if you create users with the directory server's ldapmodify command-line utility (where available), or through any other path that bypasses the Administration Server, this check is not performed, and unless the directory server itself enforces attribute uniqueness, duplicate user IDs can be introduced. If duplicate user IDs exist in your directory, the affected users will not be able to authenticate to the directory.
The base DN specifies the distinguished name where directory lookups occur by default, and where all Proxy Server Administration Server entries are placed in your directory tree. A distinguished name (DN) is the string representation for the name of an entry in a directory server.
At a minimum, you must specify the following user information when creating a new user entry:
Surname or last name
Full name
User ID
If any organizational units are defined for your directory, you can specify where you want the new user to be placed using the Add New User To list on the Create User page in the Administration Server. The default location is your directory’s base DN, or root point.
Note the following information about directory server user entries:
User entries use the inetOrgPerson, organizationalPerson, and person object classes.
By default, the distinguished name for users is of the form:
cn=full name,ou=organization,...,o=base organization,c=country
For example, if a user entry for Billie Holiday is created within the organizational unit Marketing, and the directory’s base DN is o=Ace Industry, c=US, then the DN is:
cn=Billie Holiday,ou=Marketing,o=Ace Industry,c=US
This format can be changed to a user ID (uid)-based distinguished name.
The values on the user form fields are stored as LDAP attributes.
The following table lists the fields displayed when creating or editing a user in the Proxy Server interface and the LDAP attribute each is stored in. The attribute names are those defined by the inetOrgPerson schema (RFC 2798) used for user entries.

User Field | LDAP Attribute
---|---
Given Name | givenName
Surname | sn
Full Name | cn
User ID | uid
Password | userPassword
E-mail Address | mail
Title | title
Phone Number | telephoneNumber
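The following script is an added example, not code from the Proxy Server product. It reproduces what the guidelines above describe for the ldapmodify path that the console does not cover: it derives the user ID the way the console does, checks that the ID is unused from the base DN down, builds the default cn-based DN (or the uid-based form) with RFC 4514 escaping, and emits an LDIF add record using the inetOrgPerson attribute names from the table. The DIRECTORY snapshot is constructed for the demo and stands in for an ldapsearch over the real tree.

```python
"""Build the LDIF that ldapmodify would receive for a new Proxy Server user,
applying the same user-ID derivation and uniqueness check the Administration
Server performs.  Added example; not the product's own code.  DIRECTORY is a
constructed snapshot; attribute names follow inetOrgPerson (RFC 2798)."""
import base64
from typing import Dict, List, Optional

# Constructed directory snapshot: DN -> attributes (what an ldapsearch over
# the whole tree would return).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=Lester Young,ou=Marketing,o=Ace Industry,c=US": {"uid": "lyoung", "sn": "Young"},
    "cn=Bill Evans,ou=Engineering,o=Ace Industry,c=US": {"uid": "bevans", "sn": "Evans"},
    # Same uid, but outside the base DN we administer: not a conflict.
    "cn=Bob Holiday,ou=Sales,o=Other Corp,c=US": {"uid": "bholiday", "sn": "Holiday"},
}


def derive_uid(given_name: str, surname: str) -> str:
    """Console rule: first initial of the given name plus the surname.
    'Billie' 'Holiday' -> 'bholiday'."""
    return (given_name[:1] + surname).lower().replace(" ", "")


def escape_rdn_value(value: str) -> str:
    """Escape DN-special characters (RFC 4514) so a full name such as
    'Holiday, Billie' cannot change where the entry lands in the tree."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_dn(cn: str, uid: str, base_dn: str, ou: Optional[str] = None,
             uid_based: bool = False) -> str:
    """Default form cn=<full name>,ou=<unit>,<base DN>, or uid=<user ID>,...
    when the directory uses uid-based DNs.  Without an OU the entry sits at
    the base DN, as on the console."""
    rdn = f"uid={escape_rdn_value(uid)}" if uid_based else f"cn={escape_rdn_value(cn)}"
    parts: List[str] = [rdn]
    if ou:
        parts.append(f"ou={escape_rdn_value(ou)}")
    parts.append(base_dn)
    return ",".join(parts)


def uid_in_use(directory: Dict[str, Dict[str, str]], base_dn: str, uid: str) -> bool:
    """The console's check: every entry from the base DN down, matched on uid."""
    suffix = "," + base_dn.lower()
    return any(dn.lower().endswith(suffix) and attrs.get("uid", "").lower() == uid.lower()
               for dn, attrs in directory.items())


def ldif_line(attr: str, value: str) -> str:
    """LDIF needs base64 ('::') for values that are not safe ASCII or that
    start with space, ':' or '<' or end with a space."""
    if (value[:1] in (" ", ":", "<") or value.endswith(" ")
            or not value.isascii() or "\n" in value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def user_ldif(given_name: str, surname: str, password: str, base_dn: str,
              ou: Optional[str] = None, uid: Optional[str] = None,
              full_name: Optional[str] = None, uid_based: bool = False,
              directory: Optional[Dict[str, Dict[str, str]]] = None,
              **extra: str) -> str:
    """Return an LDIF 'add' record, refusing a uid already in use under base_dn.
    extra may carry mail, title and telephoneNumber as on the console form."""
    uid = uid or derive_uid(given_name, surname)
    cn = full_name or f"{given_name} {surname}"
    if directory is not None and uid_in_use(directory, base_dn, uid):
        raise ValueError(f"uid {uid!r} already exists under {base_dn}")
    lines = [
        ldif_line("dn", build_dn(cn, uid, base_dn, ou, uid_based)),
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        ldif_line("givenName", given_name),
        ldif_line("sn", surname),
        ldif_line("cn", cn),
        ldif_line("uid", uid),
        # Cleartext in the LDIF; the directory server hashes it under its
        # password storage scheme, so submit over LDAPS/StartTLS only.
        ldif_line("userPassword", password),
    ]
    lines += [ldif_line(attr, value) for attr, value in extra.items() if value]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(user_ldif("Billie", "Holiday", "s3cret", "o=Ace Industry,c=US",
                    ou="Marketing", directory=DIRECTORY,
                    mail="bholiday@example.com", telephoneNumber="555-0100"))
```

Pipe the output into `ldapmodify -a` (with the directory's TLS and bind options) to add the entry. Note that the uniqueness check is only as good as the snapshot it searches: a concurrent add can still race it, which is why the guideline above recommends uniqueness enforcement in the directory server itself.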
To create a user entry, read the guidelines outlined in Guidelines for Creating LDAP-based User Entries, then perform the following procedure.
Access the Administration Server and click the Users and Groups tab.
Click the Create User link.
Select the LDAP directory service from the drop-down list and click Select.
Provide the information on the page that displays.
For more information about specific fields, see the online Help.
Also see Directory Server User Entries.
Click Create to create the user entry, or Create and Edit to create the user entry and proceed to the edit page for the entry just created.
A key file is a text file that contains each user's password in hashed form and the list of groups to which the user belongs. To create a user entry in a key file authentication database, perform the following procedure.
Access the Administration Server and click the Users and Groups tab.
Click the Create User link.
Select the key file-based directory service from the drop-down list and click Select.
Type the information on the page that displays, and then click Create User.
For more information about specific fields, see the online Help.
A digest file authentication database stores user and group information in a protected, non-cleartext form. Because HTTP Digest authentication derives its credential hash from the user name, the realm, and the password, the realm given when the database is created becomes part of every stored credential. To create a user entry in a digest file authentication database, perform the following procedure.
Access the Administration Server and click the Users and Groups tab.
Click the Create User link.
Select the digest file-based directory service from the drop-down list and click Select.
Type the information on the page that displays, and then click Create User.
For more information about specific fields, see the online Help.
The same realm string must be specified when creating an ACL that uses Digest authentication through the Proxy Server ACL user interface. The realm in the ACL is what the server sends in its challenge, and the client hashes its credentials against that realm; if it differs from the realm the digest file was created with, the stored hash can never match and authentication fails for every user in that database, even with the correct password. For more information, see Setting Access Control.
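The following script is an added example, not code from the Proxy Server product, showing why the realm in the ACL and the realm in the digest database must agree. It implements the RFC 2617 Digest computation with qop=auth: a stored HA1 = MD5(username:realm:password) is created under one realm, and a client response computed against the ACL's realm is verified against it. The in-memory STORE is a constructed stand-in for the digest file; the product's actual file format is not shown on this page, and the user, realm and password values are made up for the demo.

```python
"""Why the ACL realm must equal the digest database realm.  Added example;
not the Proxy Server product's code.  HTTP Digest (RFC 2617) stores
HA1 = MD5(username:realm:password), so the realm is baked into every stored
credential.  STORE is a constructed stand-in for the digest file."""
import hashlib
import hmac
from typing import Dict, Tuple

# username -> (realm the credential was created under, HA1 hex digest)
STORE: Dict[str, Tuple[str, str]] = {}


def md5_hex(data: str) -> str:
    # MD5 because RFC 2617 mandates it for Digest; not for new designs.
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    return md5_hex(f"{username}:{realm}:{password}")


def add_user(store: Dict[str, Tuple[str, str]], username: str, realm: str,
             password: str) -> None:
    """What 'Create User' on a digest database amounts to: keep HA1, not the
    password, and remember the realm it was computed under."""
    store[username] = (realm, ha1(username, realm, password))


def client_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """Browser side.  The realm comes from the server's WWW-Authenticate
    challenge, i.e. from the ACL protecting the resource."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1(username, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(store: Dict[str, Tuple[str, str]], username: str, method: str,
                  uri: str, nonce: str, nc: str, cnonce: str, response: str,
                  qop: str = "auth") -> bool:
    """Server side: recompute the response from the stored HA1.  If the ACL
    challenged with a different realm than the store was built with, the
    client's HA1 differs and this can never match: the failure the text
    warns about, indistinguishable on the wire from a wrong password."""
    entry = store.get(username)
    if entry is None:
        return False
    _stored_realm, stored_ha1 = entry
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


def realm_matches(store: Dict[str, Tuple[str, str]], username: str,
                  acl_realm: str) -> bool:
    """Configuration check to run before suspecting the password: the realm
    comparison is byte-exact, so 'proxy-users' and 'Proxy Users' differ."""
    entry = store.get(username)
    return entry is not None and entry[0] == acl_realm


def demo() -> Tuple[bool, bool]:
    """Returns (verified with matching realm, verified with mismatched realm)."""
    db_realm = "proxy-users"
    add_user(STORE, "bholiday", db_realm, "s3cret")
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    args = ("GET", "/", nonce, nc, cnonce)
    ok = server_verify(STORE, "bholiday", *args,
                       client_response("bholiday", db_realm, "s3cret", *args))
    # ACL created with a different realm string than the database.
    bad = server_verify(STORE, "bholiday", *args,
                        client_response("bholiday", "Proxy Users", "s3cret", *args))
    return ok, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The same computation also explains why a digest database cannot simply be re-labelled with a new realm: every stored HA1 would have to be regenerated from the cleartext passwords, which the database does not hold.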