iPlanet Directory Server Access Management Edition Administration Guide



Chapter 9       Core Authentication Attributes


The Core Authentication service is the basic service for the Anonymous, Certificate, LDAP, Membership, SafeWord, Unix and RADIUS authentication services, as well as for any custom authentication service created with the Authentication SPI. Core authentication must be configured as a service for each organization that wishes to use any form of authentication. The Core Authentication attributes consist of global and organization attributes. The values applied to the global attributes are applied across the iPlanet Access Management Edition (DSAME) configuration and are inherited by every configured organization. (They cannot be applied directly to roles or organizations, as the purpose of global attributes is to customize the DSAME application.) The values applied to the organization attributes under Service Management become the default values for the Core Authentication template. A template is created for each organization when the organization registers for the core service. The default values can be changed after registration by the organization's administrator. Organization attributes are not inherited by entries in the organization. The Core Authentication attributes are separated into global attributes and organization attributes.



Global Attributes

The global attributes in the Core Authentication service are:


Pluggable Auth Module Classes

This field specifies the Java classes of the authentication services available to any organization configured within the DSAME platform. By default, this includes LDAP, SafeWord, Anonymous, Application, Membership, Unix, Certification, and RADIUS. DSAME also includes a public SPI that can be used to add other authentication services. To define new services, this field must take a text string specifying the full class name (including package name) of each new authentication service.


Pluggable Auth Page Generator Classes

This attribute specifies the default authentication page generator class, which generates HTML. If a different format page generator is added, its full classname must be specified.


LDAP Connection Pool Size

This attribute specifies the minimum and maximum connection pool size to be used on a specific server and port. This attribute is for the LDAP and Membership authentication services only. The format is as follows:

server:port:min:max



Note This connection pool is different from the SDK connection pool configured in serverconfig.xml.




LDAP Connection Default Pool Size

This attribute sets the default minimum and maximum connection pool to be used with all LDAP authentication module configurations. If an entry for the host and port exists in the LDAP Connection Pool Size attribute, the minimum and maximum settings will be used from LDAP Connection Default Pool Size.
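The server:port:min:max format above is easy to get wrong by hand (a missing field, a port out of range, a minimum larger than the maximum), and nothing on the page says what happens to a malformed entry. The following is an added example, not DSAME code: it parses a list of LDAP Connection Pool Size entries, rejects malformed ones, and answers "which pool size applies to this host and port" using the LDAP Connection Default Pool Size as the fallback. The host names and sizes are constructed, and the lookup order (a per-server entry first, the default otherwise) is an assumption about how the two attributes combine.

```python
"""Parse and validate DSAME-style LDAP connection pool entries (server:port:min:max).

Added example; not DSAME code. The entry format comes from the page; the
validation rules (port range, 0 <= min <= max, no duplicate host:port) and the
per-server-then-default lookup order are assumptions made here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PoolSize:
    server: str
    port: int
    minimum: int
    maximum: int


def parse_pool_entry(entry: str) -> PoolSize:
    """Parse one 'server:port:min:max' value, rejecting anything malformed."""
    parts = entry.strip().split(":")
    if len(parts) != 4:
        raise ValueError(f"expected server:port:min:max, got {entry!r}")
    server, port_s, min_s, max_s = parts
    if not server:
        raise ValueError(f"empty server name in {entry!r}")
    try:
        port, minimum, maximum = int(port_s), int(min_s), int(max_s)
    except ValueError as exc:
        raise ValueError(f"non-numeric field in {entry!r}") from exc
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    if minimum < 0 or maximum < minimum:
        raise ValueError(f"need 0 <= min <= max in {entry!r}")
    return PoolSize(server, port, minimum, maximum)


def build_pool_table(entries):
    """Map (server, port) -> (min, max); a host:port listed twice is a config error."""
    table = {}
    for entry in entries:
        pool = parse_pool_entry(entry)
        key = (pool.server, pool.port)
        if key in table:
            raise ValueError(f"duplicate pool entry for {pool.server}:{pool.port}")
        table[key] = (pool.minimum, pool.maximum)
    return table


def pool_size_for(table, default, server, port):
    """Per-server entry when one exists, otherwise the default pool size
    (assumed precedence; see the lead-in)."""
    return table.get((server, port), default)


# Constructed sample values, not taken from any real deployment.
SAMPLE_ENTRIES = ["ldap1.example.com:389:2:10", "ldap2.example.com:636:1:5"]
SAMPLE_DEFAULT = (1, 4)   # stands in for LDAP Connection Default Pool Size

if __name__ == "__main__":
    table = build_pool_table(SAMPLE_ENTRIES)
    print(pool_size_for(table, SAMPLE_DEFAULT, "ldap1.example.com", 389))
    print(pool_size_for(table, SAMPLE_DEFAULT, "ldap3.example.com", 389))
```

Running the validator over the configured values before restarting the server turns a silent misconfiguration into an explicit error at the point where it is cheapest to fix.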



Organization Attributes



The organization attributes in the Core Authentication service are:


Authentication Menu

This list specifies the default authentication services available to the organization. Each administrator can choose the type of authentication for their specific organization. If one service is chosen, that module's login page is immediately displayed. If multiple services are selected, a list of possible authentication modules is presented to the users at login. (Multiple services provide flexibility, but users must be sure that their login setting is appropriate for the selected authentication module.) The default authentication is LDAP. The authentication services included with DSAME are:

  • Anonymous

  • Cert

  • LDAP

  • Membership

  • RADIUS

  • SafeWord

  • Unix



    Note Currently, the SafeWord authentication service is only supported on the Solaris platform.

    The Administrator must create and notify the core and authentication module templates in a created organization for that organization to function properly.




Dynamic User Profile Creation

This option specifies whether to create a profile dynamically when a user authenticates successfully but no user profile is found. (User profiles would be created in the location specified in "People Container For All Users".) If security considerations require a controlled user population, do not enable this feature. By default, dynamic user profile creation is not enabled.


Organization URL Mapping

This list determines a user's login organization based on the host:URI portion of the URL used for login. When a user logs in, the authentication service takes the host:URI portion of the URL and checks it against strings in this list. Each organization has its own URL mapping list for matching. The first match found sets the organization for the user. For example, if the value of Organization URL Mapping is engr and a user logs in using the URL:

http://hostname:port/amserver/login?module=<authModuleName>&org=engr

The login organization of the user is determined to be engr. If this value is not specified, the user's organization is assumed to be the default organization specified during DSAME installation. (This option can also be used to map simple URLs for hosted environments; for instance, http://orgname.com/amserver/login, can be mapped to more difficult URLs like that listed above. This simplifies the login URL that a user must remember.)



Note The Organization URL Mapping value must be unique across all organizations in the DSAME platform. Therefore, this value should be configured at the organization level (in User Management view after the service has been registered) only. At root level (in Service Management view), this field should be left empty.
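The mapping rule above has two consequences worth checking in configuration: the first matching value wins, so ordering and overly short values matter, and a value shared by two organizations can silently route users into the wrong organization. The following is an added example, not DSAME code. It resolves the login organization for a URL from a per-organization mapping list with the default-organization fallback described on the page, and reports mapping values that are not unique across organizations. Substring matching against the URL with the scheme removed, and the mapping values below, are assumptions and constructed data.

```python
"""Login-organization resolution modelled on the DSAME Organization URL Mapping attribute.

Added example, not DSAME code. The first-match rule, the default-organization
fallback and the uniqueness requirement come from the page; substring matching
on the host, path and query of the URL, and the sample mappings, are assumptions.
"""
from urllib.parse import urlsplit


def matchable_part(url):
    """Host, path and query of a login URL, i.e. everything after the scheme."""
    parts = urlsplit(url)
    tail = parts.netloc + parts.path
    return tail + ("?" + parts.query if parts.query else "")


def resolve_login_org(url, org_mappings, default_org):
    """org_mappings: {organization: [mapping strings]} in configuration order.
    The first mapping that matches wins; no match means the default organization."""
    target = matchable_part(url)
    for org, patterns in org_mappings.items():
        for pattern in patterns:
            if pattern and pattern in target:
                return org
    return default_org


def duplicate_mappings(org_mappings):
    """Return (mapping, org_a, org_b) triples where two organizations share a
    value; the page requires mapping values to be unique across the platform."""
    owner = {}
    dups = []
    for org, patterns in org_mappings.items():
        for pattern in patterns:
            if pattern in owner and owner[pattern] != org:
                dups.append((pattern, owner[pattern], org))
            owner.setdefault(pattern, org)
    return dups


# Constructed mappings: 'engr' reproduces the page's example, 'sales' shows a
# hosted-style URL mapped to an organization.
SAMPLE_MAPPINGS = {
    "engr": ["engr"],
    "sales": ["sales.example.com/amserver/login"],
}
DEFAULT_ORG = "root"   # stands in for the organization chosen at installation

if __name__ == "__main__":
    url = "http://hostname:8080/amserver/login?module=LDAP&org=engr"
    print(resolve_login_org(url, SAMPLE_MAPPINGS, DEFAULT_ORG))
    print(duplicate_mappings(SAMPLE_MAPPINGS))
```

A very short value such as engr matches any URL that happens to contain that string, so in practice a longer host-and-path value (like the sales entry) is the safer form.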




Admin Authenticator

This menu specifies the authentication service for administrators only. An administrator is a user who needs access to the DSAME console. This attribute can be used if the authentication method for administrators needs to be different from the method for end users. The default value is LDAP. The only authentication choices are Cert, SafeWord, RADIUS, and Unix.


Dynamic User Profile Creation Default Roles

This field specifies the roles assigned to a new user whose profile is created through the feature "Dynamic User Profile Creation". There is no default value. The administrator must specify the DNs of the roles that will be assigned to the new user.



Note The role specified must be under the organization for which authentication is being configured.




Authentication Chaining Modules

This field specifies additional services a user must authenticate through in order to log in. For example, if the Authentication Menu attribute is set to LDAP and the Authentication Chaining Modules attribute is set to RADIUS, a user must authenticate through LDAP and then RADIUS to log in. There is no default value. Two or more of the following services can be specified in the order you would like them to be applied:

  • Anonymous

  • Cert

  • LDAP

  • Membership

  • RADIUS

  • SafeWord

  • Unix



    Note The Authentication Chaining field is case sensitive. Type the module names exactly as shown above, using single spaces to delimit the module names.




Authentication Chaining Enabled

This option activates authentication chaining as described in "Authentication Chaining Modules". If authentication chaining is enabled but no modules are specified in the Authentication Chaining Modules field, the authentication attempt will pass. The default value is that authentication chaining is not enabled.
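Two details in the chaining attributes deserve a concrete check: the field is case sensitive and single-space delimited, so a miscased or double-spaced value is not the module you think it is, and chaining that is enabled with an empty module list passes, adding no second factor at all. The following is an added example, not DSAME code. It parses the Authentication Chaining Modules field exactly as the note above requires, runs the Authentication Menu module followed by the chained modules in order, and flags the enabled-but-empty configuration. The callables standing in for the real modules are constructed.

```python
"""Authentication chaining evaluator modelled on the DSAME Authentication Menu,
Authentication Chaining Modules and Authentication Chaining Enabled attributes.

Added example, not DSAME code. The module names, the case-sensitive single-space
format and the 'empty chain passes' behaviour come from the page; the callable
stand-ins for the modules are constructed here.
"""

MODULE_NAMES = ("Anonymous", "Cert", "LDAP", "Membership", "RADIUS", "SafeWord", "Unix")


def parse_chain_field(field):
    """Parse 'RADIUS Unix' style values exactly as typed: names are case
    sensitive and separated by single spaces; anything else is rejected."""
    if field == "":
        return []
    modules = field.split(" ")
    for name in modules:
        if name == "":
            raise ValueError(f"leading, trailing or doubled space in {field!r}")
        if name not in MODULE_NAMES:
            raise ValueError(f"unknown or miscased module name {name!r}")
    return modules


def required_modules(menu_module, chain_field, chaining_enabled):
    """The Authentication Menu module always runs first; chained modules follow
    in the order typed, but only when chaining is enabled."""
    chain = parse_chain_field(chain_field) if chaining_enabled else []
    return [menu_module] + chain


def authenticate(menu_module, chain_field, chaining_enabled, module_results):
    """Run each required module in order; the first failure stops the login.
    module_results maps a module name to a no-argument callable returning
    True or False (constructed stand-ins for the real modules).
    Returns (success, failing_module)."""
    for name in required_modules(menu_module, chain_field, chaining_enabled):
        if not module_results[name]():
            return False, name
    return True, None


def chaining_misconfigured(chain_field, chaining_enabled):
    """Configuration check: chaining enabled with no modules adds no extra
    step, because an empty chain passes."""
    return chaining_enabled and parse_chain_field(chain_field) == []


if __name__ == "__main__":
    # Constructed module outcomes: LDAP and Unix succeed, RADIUS rejects.
    stubs = {"LDAP": lambda: True, "RADIUS": lambda: False, "Unix": lambda: True}
    print(authenticate("LDAP", "RADIUS Unix", True, stubs))
    print(chaining_misconfigured("", True))
```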


Persistent Cookie Mode

This option determines whether users can restart the browser and still return to their authenticated session. User sessions can be retained by enabling Persistent Cookie Mode. When Persistent Cookie Mode is enabled, a user session does not expire until its persistent cookie expires. The expiration time is specified in Persistent Cookie Max Time (seconds). The default value is that Persistent Cookie Mode is not enabled and the authentication service uses only memory cookies.



Note A persistent cookie must be explicitly requested by the client using the iDSPCookie=yes parameter in the login URL. Once the persistent cookie has been set, the iDSPCookie parameter expires.




Persistent Cookie Max Time (seconds)

This field specifies the interval after which a persistent cookie expires. (Persistent Cookie Mode must be enabled by selecting its checkbox.) The interval begins when the user's session has been successfully authenticated. The default value is 2147483 (time in seconds). The field will take any integer value between 0 and 2147483.


Non Interactive Modules

This field specifies the authentication services that can be used in addition to those defined in "Authentication Menu". These modules do not appear in the authentication menu presented to users, but a user can choose to use a non-interactive authentication service by directly entering the URL for the service.

For example, if Cert is one of the selected non-interactive authentication services, a user can log in to DSAME using the following URL:

http://hostname:port/<DEPLOY_URI>/login?module=Cert

If a user tries to log in to DSAME using an authentication service not listed in either Authentication Menu or Non Interactive Modules, the Authentication Module Denied page is displayed. The default non-interactive module value is Cert. The administrator can select one or more services from the list:

  • Anonymous

  • Cert

  • LDAP

  • Membership

  • RADIUS

  • SafeWord

  • Unix



    Note Currently, the SafeWord authentication service is only supported on the Solaris platform.




User's Default Redirect URL

This field specifies the URL to which users are redirected after successful authentication. The default value is the DSAME console URL, amconsole/base/AMAdminFrame. The field will take any valid URL.


User Based Auth

This option allows different authentication services to be configured for individual users within an organization. When logging on to the DSAME server, a user is first presented with a screen to submit their user ID. Their user profile is then retrieved and the individual authentication method assigned to them is called. By default, user-based authentication is not enabled.


People Container For All Users

After successful authentication by a user, their profile is retrieved. The value in this field specifies where to search for the profile. Generally, this value will be the DN of the default People Container. All user entries added to an organization are automatically added to the organization's default People Container. The default value is ou=People, and generally, this is completed with the organization name(s) and root suffix. The field will take a valid DN for any organizational unit.



Note Authentication searches for a user profile by:

  • Searching under the default People Container, then

  • Searching under the default organization, then

  • Searching for the user in the default organization using the Alias Search Attribute Name attribute.

The final search is for SSO cases where the user name used to authenticate may not be the naming attribute in the profile. For example, a user may authenticate using a SafeWord ID of jn10191, but their profile is uid=jamie.




Alias Search Attribute Name

After successful authentication by a user, their profile is retrieved. This field specifies a second LDAP attribute to search on if a search on the first LDAP attribute, specified in "User Naming Attribute", fails to locate a matching user profile. Primarily, this attribute is used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 but the user name is abc. There is no default value for this attribute. The field will take any valid LDAP attribute (for example, cn).
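The three-step profile search described under "People Container For All Users" and the alias fallback described here decide which directory entry a freshly authenticated login name is bound to, so it is worth seeing the order and its edge cases in one place. The following is an added example, not DSAME code, covering both passages: it searches the People Container, then the organization, by the User Naming Attribute, and finally the organization by the Alias Search Attribute Name, and refuses an ambiguous match rather than picking one. The in-memory directory entries, the attribute names and the subtree (DN-suffix) notion of "under" are constructed assumptions.

```python
"""User-profile lookup order modelled on the DSAME People Container For All Users,
User Naming Attribute and Alias Search Attribute Name descriptions.

Added example, not DSAME code. The three-step order comes from the page; the
directory entries, attribute names and the subtree (DN-suffix) search are
constructed stand-ins for a real LDAP search.
"""

# Constructed directory: each entry is its DN plus a few attributes.
DIRECTORY = [
    {"dn": "uid=jamie,ou=People,o=example.com", "uid": "jamie", "employeenumber": "jn10191"},
    {"dn": "uid=svc-backup,ou=Services,o=example.com", "uid": "svc-backup"},
]


def _under(dn, base_dn):
    """True when dn is base_dn itself or lies somewhere beneath it."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def _subtree_search(base_dn, attr, value):
    """Entries at or below base_dn whose attr equals value."""
    return [e for e in DIRECTORY if _under(e["dn"], base_dn) and e.get(attr) == value]


def find_profile(user_id, people_container, organization,
                 naming_attr="uid", alias_attr=None):
    """Return (dn, step) for the profile matching user_id, or (None, None).
    step names which of the three searches succeeded."""
    steps = [
        ("people-container", people_container, naming_attr),
        ("organization", organization, naming_attr),
    ]
    if alias_attr:   # the SSO case: the login name is not the naming attribute
        steps.append(("alias", organization, alias_attr))
    for step, base, attr in steps:
        hits = _subtree_search(base, attr, user_id)
        if len(hits) > 1:
            # Binding a login to one of several entries would be a guess; refuse.
            raise LookupError(f"{user_id!r} is ambiguous at step {step}: "
                              f"{[h['dn'] for h in hits]}")
        if hits:
            return hits[0]["dn"], step
    return None, None


PEOPLE_CONTAINER = "ou=People,o=example.com"   # constructed default People Container
ORGANIZATION = "o=example.com"

if __name__ == "__main__":
    print(find_profile("jamie", PEOPLE_CONTAINER, ORGANIZATION))
    print(find_profile("jn10191", PEOPLE_CONTAINER, ORGANIZATION, alias_attr="employeenumber"))
```

The alias step is the one to watch: whatever attribute is named there becomes a second login identifier for every entry in the organization, so it should be an attribute whose values are unique and not user-editable.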


Default Auth Level

The authentication level value indicates how much to trust authentications. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level.

The authentication level should be set within the organization's specific authentication template. The Default Auth Level value described here will apply only when no authentication level has been specified in the Authentication Level field for a specific organization's authentication template. The Default Auth Level default value is 0, the lowest authentication level. (The value in this attribute is not used by DSAME but by any external application that may choose to use it.)


User Naming Attribute

After successful authentication by a user, their profile is retrieved. The value of this attribute specifies the LDAP attribute to use for the search. By default, DSAME assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname) specify the attribute name in this field.


Pluggable Auth Page Generator Class

This field specifies the Java class that generates the login page for users. The default class specified is com.iplanet.authentication.spi.htmLLoginWorker. The default can be overridden by specifying another value which includes the full name (including package name) of the Java class that will generate the default login page.


Default Auth Locale

This field specifies the default language subtype to be used by the authentication service. The default value is en_US. A listing of valid language subtypes can be found in Table 9-1.



Note In order to use a different locale, all authentication templates for that locale must first be created. A new directory must then be created for these templates. See the iPlanet Directory Server Access Management Edition Programmer's Guide for more information.




Table 9-1    Supported Language Locales

Language Tag    Language
af              Afrikaans
be              Byelorussian
bg              Bulgarian
ca              Catalan
cs              Czechoslovakian
da              Danish
de              German
el              Greek
en              English
es              Spanish
eu              Basque
fi              Finnish
fo              Faroese
fr              French
ga              Irish
gl              Galician
hr              Croatian
hu              Hungarian
id              Indonesian
is              Icelandic
it              Italian
ja              Japanese
ko              Korean
nl              Dutch
no              Norwegian
pl              Polish
pt              Portuguese
ro              Romanian
ru              Russian
sk              Slovakian
sl              Slovenian
sq              Albanian
sr              Serbian
sv              Swedish
tr              Turkish
uk              Ukrainian
zh              Chinese


Login Failure Lockout Mode

This feature specifies whether to prevent a user from re-authenticating (lockout) after that user has repeatedly failed to authenticate. Selecting this attribute enables the lockout. By default, the lockout feature is not enabled.


Login Failure Lockout Duration (minutes)

This attribute defines (in minutes) the duration for which a user is not allowed to attempt to re-authenticate after a lockout has occurred.

If this attribute value is set to 0, and Login Failure Lockout Mode is enabled, the user will be locked out by setting the Lockout Attribute Name in their entry to Lockout Attribute Value.


Login Failure Lockout Count

This attribute defines the number of attempts that a user may try to authenticate, within the time interval defined in Login Failure Lockout Interval (minutes), before being locked out.

For example, if Login Failure Lockout Count is set to 5, and Login Failure Lockout Interval (minutes) is set to 5, then a user has five chances within five minutes to authenticate before being locked out.


Login Failure Lockout Interval (minutes)

This attribute defines (in minutes) the amount of time in which the number of authentication attempts (as defined in Login Failure Lockout Count) can be completed, before a user is locked out.

For example, if Login Failure Lockout Count is set to 5, and Login Failure Lockout Interval (minutes) is set to 5, then a user has five chances within five minutes to authenticate before being locked out.


Email Address to Send Lockout Notification

This attribute specifies an email address that will receive notification if a user lockout occurs.


Warn User After N Failure

This attribute specifies the number of authentication failures that can occur before DSAME sends a warning message that the user will be locked out.


Lockout Attribute Name

This attribute specifies the user entry attribute (inetuserstatus) whose value is set to the Lockout Attribute Value when a user is locked out. If a user is locked out, and the Login Failure Lockout Duration (minutes) variable is set to 0, inetuserstatus will be set to inactive, prohibiting the user from attempting to authenticate.


Lockout Attribute Value

This attribute specifies the inetuserstatus value (contained in Lockout Attribute Name) of the user status as either active or inactive. If a user is locked out, and the Login Failure Lockout Duration (minutes) variable is set to 0, inetuserstatus will be set to inactive, prohibiting the user from attempting to authenticate.
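The lockout attributes above describe a policy (count within an interval, a lockout duration, a warning threshold, and the duration-0 case that deactivates the entry) without showing how the pieces interact over time. The following is an added example, not DSAME code. It keeps a sliding window of failure times per user, locks after the configured count of failures inside the interval, warns once the warning threshold is reached, and for a duration of 0 writes the Lockout Attribute Value into a stand-in for the inetuserstatus attribute, which then stays set until an administrator clears it. The bookkeeping, the in-memory stand-ins for the directory attribute and the notification email, and the reading of "N chances within the interval" as "locked on the Nth failure" are assumptions.

```python
"""Login-failure lockout simulation modelled on the DSAME lockout attributes.

Added example, not DSAME code. The Count, Interval, Duration, Warn-after and
Lockout Attribute semantics come from the page; the sliding-window bookkeeping,
the in-memory stand-ins and the 'locked on the Nth failure' reading are
assumptions made here.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    count: int               # Login Failure Lockout Count
    interval_minutes: int    # Login Failure Lockout Interval (minutes)
    duration_minutes: int    # Login Failure Lockout Duration (minutes); 0 = deactivate entry
    warn_after: int          # Warn User After N Failure
    lockout_attr_value: str = "inactive"   # Lockout Attribute Value for inetuserstatus


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)       # user -> deque of failure times (s)
    locked_until: dict = field(default_factory=dict)   # user -> unlock time (s)
    inetuserstatus: dict = field(default_factory=dict) # stand-in for the directory attribute
    notifications: list = field(default_factory=list)  # stand-in for the lockout email

    def is_locked(self, user, now):
        if self.inetuserstatus.get(user) == self.policy.lockout_attr_value:
            return True   # duration 0: stays locked until an administrator reactivates the entry
        return now < self.locked_until.get(user, -1)

    def record_success(self, user):
        """A successful login clears the failure window."""
        self.failures.pop(user, None)

    def record_failure(self, user, now):
        """Record one failed attempt at time `now` (seconds).
        Returns 'ok', 'warn' or 'locked' for this attempt."""
        if self.is_locked(user, now):
            return "locked"
        window = self.failures.setdefault(user, deque())
        window.append(now)
        cutoff = now - self.policy.interval_minutes * 60
        while window and window[0] < cutoff:   # only failures inside the interval count
            window.popleft()
        if len(window) >= self.policy.count:
            window.clear()
            if self.policy.duration_minutes == 0:
                self.inetuserstatus[user] = self.policy.lockout_attr_value
            else:
                self.locked_until[user] = now + self.policy.duration_minutes * 60
            self.notifications.append(f"lockout: {user} at t={now}s")
            return "locked"
        if len(window) >= self.policy.warn_after:
            return "warn"
        return "ok"


if __name__ == "__main__":
    # Constructed policy: 5 failures in 5 minutes lock for 10 minutes, warn at 3.
    tracker = LockoutTracker(LockoutPolicy(count=5, interval_minutes=5,
                                           duration_minutes=10, warn_after=3))
    for t in (0, 60, 120, 180, 240):
        print(t, tracker.record_failure("alice", t))
    print(tracker.is_locked("alice", 250), tracker.is_locked("alice", 900))
```

The duration-0 branch is the one that changes the user's directory entry rather than a server-side timer, which is why the page ties it to Lockout Attribute Name and Lockout Attribute Value: recovery then requires someone to reset inetuserstatus.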


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated May 09, 2002