Appendix B       iPlanet Portal Server Attributes


The following tables represent attribute names and descriptions for the indicated component in the table title.

Platform-wide Authentication Attributes

---

Table B-1, lists the attributes that are platform-wide. You find them by clicking the Manage Platform Settings link on the iPlanet Portal Server page, then the Profiles->Authentication link on the right side of the window. No platform-wide attributes can be overridden at the domain or role level.

Platform-wide Authentication Attributes  

Attribute	What it does
UNIX Configuration Port	Port on which the UNIX authentication helper receives its configuration information. Must also be specified in the UNIX helper.port /etc/opt/SUNWips/ platform.conf.
UNIX Helper's Port	Port on which the UNIX authentication helper listens for UNIX authentication requests.
UNIX Timeout	Number of minutes a UNIX authentication request has to finish a given authentication session.
UNIX Threads	Maximum number of concurrent UNIX authentication requests permitted.
RADIUS Configuration Port	Port on which the RADIUS authentication helper receives its configuration information. Must also be specified in the radiusHelper.port entry in /etc/opt/SUNWips/ platform.conf.
RADIUS Helper's Port	Port on which the RADIUS authentication helper listens for RADIUS authentication requests.
RADIUS Timeout	Number of minutes a RADIUS authentication request has to finish a given authentication session.
RADIUS Threads	Maximum number of concurrent RADIUS authentication requests permitted.
S/Key Maximum Passphrases Allows	A hard maximum on the number of S/Key passphrases that can be generated at one time (400 per user).
S/Key Configuration Port	Port on which the S/Key authentication helper receives its configuration information. Must also be specified in the skeyHelper.port entry in /etc/opt/SUNWips/ platform.conf.
S/Key Helper's Port	Port on which the S/Key authentication helper listens for S/Key authentication requests.
S/Key Timeout	Number of minutes an S/Key authentication request has to finish a given authentication session.
S/Key Threads	Number of concurrent authentication requests permitted.
SecurID Configuration Port	Port on which the SecurID authentication helper receives its configuration information. Must also be specified in the securidHelper.port entry in /etc/opt/SUNWips/ platform.conf.
SecurID Helper's Port	Port on which the SecurID authentication helper listens for SecurID authentication requests.
SecurID Time-out	Number of minutes a SecurID authentication request has to finish a given authentication session.
SecurID Threads	Maximum number of concurrent authentication requests permitted.
SafeWord Configuration Port	Port on which the SafeWord authentication receives its configuration information. Must also be specified in the safewordHelper.port entry in /etc/opt/SUNWips/ platform.conf.
SafeWord Helper's Port	Port on which the SafeWord authentication helper listens for SafeWord authentication requests.
SafeWord Timeout	Number of minutes a SafeWord authentication request has to finish a given authentication session.
SafeWord Threads	Maximum number of concurrent authentication requests permitted.

Super Administrator Authentication Attributes

---

Table B-2 lists authentication attributes for the Super Administrator profile. These may be found by clicking the links in the order specified:

• Manage Administrators> (domain of interest)

• Admin Role (under Super Admins)

• Authentication.

• Click the Show Advanced Options button at the bottom.

  
  

  Super Administrator Role Authentication Attributes 

  
  
  

  Attribute	What it does
  Admin authentication	Specifies type of authentication being used by Super Administrator.
  Authentication modules	Specifies location of class file corresponding to each authentication module.
  Default user role	Default role used for a new user. When a user authenticates but does not have a user profile, this is the role they are assigned. Note that this assumes that iwtAuth-requiresProfile is set to false.
  Domain URLs	List of URLs a user may use to login to the default iPS domain.
  Pluggable authentication page generator class	Class used by pluggable authentication modules to generate authentication screens.
  Authentication Requires Profile	Specifies whether a profile for a user is required to login.

Domain Level Authentication Attributes

---

Some of the authentication attributes are set only at the domain level. B-3 lists the attributes that are domain-wide. Domain-wide attributes, can be customized by either a Domain Administrator or the Super Administrator.

The links used to get to the domain-wide authentication attributes depend upon whether you are a Super Administrator or a Domain Administrator.

If you are a Super Administrator:

1. Click Manage Domains.

2. Click the domain name.

3. Click the Authentication link (under Profiles).

If you are a Domain Administrator:

1. Select Manage Roles and Users.

2. Select the proper Authentication module.

3. Change the attributes as needed.

   
   

   Domain-wide Authentication Attributes 

   
   
   

   Attribute	What it does	Comment
   Authentication Requires Profile	Requires a user profile to authenticate; may be used to deny access to users who do not already have profiles set.	Authentication Profile
   Prompt for userid before authentication	Any user trying to authenticate from a specific domain gets the authenticators configured for that domain. You may instead want to ask for a userid and look up the profile for the user's authentication type(s).	Advanced Option of User Profile
   Authentication Menu	Shows (highlighted) the modules enabled for this domain.	Authentication Profile
   Trusted proxy feature	Enable or disable trusted proxy feature for a user.	Advanced Options of Platform Profile
   URL matching domain	List of strings a user may use to signal authentication which domain they are authenticating to.	Authentication Profile
   Default user role	When a user authenticates but does not have a user profile, this is the role they are assigned to.	Authentication Profile
   RADIUS Server1	First RADIUS server (hostname or IP address) for this domain.	Radius Profile (under Authentication branch)
   RADIUS Server2	Second RADIUS server (hostname or IP address) for this domain. Contacted if RADIUS Server1 does not answer. Optional.	Radius Profile (under Authentication branch)
   RADIUS Shared Secret	The RADIUS shared secret assigned to the iPlanet Portal Server Server (also configured in the RADIUS server).	Radius Profile (under Authentication branch)
   RADIUS Server's Port	The port that the RADIUS Server uses to listen for authentication requests. The most common is 1645 (default), followed by 1812.	Radius Profile (under Authentication branch)
   SafeWord Logging Level	The SafeWord logging level (default 0 [none]). Other values: 1 (INFO), 2(ERROR), 4 (DEBUG), 5 (ALL)	SafeWord Profile under Authentication Branch
   SafeWord Log Path	The SafeWord log path. Default is /var/opt/SUNWips/debug/auth/safehelper.log, if logging level is non-zero.	SafeWord Profile under Authentication Branch
   SafeWord Server Identifier	An index indicating which SafeWord server to use for this domain. Set by the system during configuration time.	SafeWord Profile under Authentication Branch
   SafeWord Server Hostname	Host name of the SafeWord server serving this domain.	SafeWord Profile under Authentication Branch
   SafeWord Server's Port	The port on which the SafeWord server listens (default 7482).	SafeWord Profile under Authentication Branch
   SafeWord System Name	The SafeWord System Name (default STANDARD).	SafeWord Profile under Authentication Branch
   SecurID User Configuration Path	Path for the ACE/Client API to find the user configuration information (default /opt/ace/prog).	SecurID Profile under Authentication Branch
   SecurID Server Identifier (Local)	An index indicating which ACE/Server to use for this domain. Set during configuration time.	SecurID Profile under Authentication Branch
   SecurID Server Identifier Name	Name to associate with the SecurID Server Identifier (default Server000).	SecurID Profile under Authentication Branch
   SecurID Server's Configuration Path	Path for the ACE/Client API to find the ACE/Server configuration file, sdconf.rec (default /opt/ace/data).	SecurID Profile under Authentication Branch
   S/Key Maximum Passphrases to Generate	The maximum number of S/Key passphrases this user may create (default 100).	S/Key Profile under Authentication Branch
   User's default URL	When a user is authenticated, they are redirected to this page. The default is the iPlanet Portal Server desktop.	Advanced Options in User Profile.
   User login state	Allows you to prevent a specific user from authenticating. Note that if a user already has a valid session, changing this attribute will not take effect until the next session. To kick the user off now, go to Manage Sessions in the menu side of the Administration Console and destroy the session.	User Profile
   LDAP DN to start search	LDAP Distinguished Name. For example, for sun.com: dc=sun, dc=com	Ldap Profile under Authentication Branch
   LDAP DN for root user bind	See the section, Configuring LDAP Authentication.	Ldap Profile under Authentication Branch
   LDAP Password for root user bind	See the section, Configuring LDAP Authentication.	Ldap Profile under Authentication Branch
   LDAP Search filter for userId	See the section, Configuring LDAP Authentication.	Ldap Profile under Authentication Branch
   LDAP scope for the userId search	See the section, Configuring LDAP Authentication.	Ldap Profile under Authentication Branch
   Enable SSL to LDAP server	See the section, Configuring LDAP Authentication.	Ldap Profile under Authentication Branch
   Windows NT Primary domain	Name of the NT primary domain	NT Profile under Authentication Branch
   Windows NT Authentication server	Listener of the NT authentication server.	NT Profile under Authentication Branch