iPlanet Directory Server Access Management Edition Administration Guide



Chapter 5   Authentication Options


iPlanet Directory Server Access Management Edition (DSAME) provides a framework for authentication, the process that verifies the identities of users accessing applications within an enterprise. Authentication is implemented through plug-ins that validate the user's identity. (This plug-in architecture is described more fully in the iPlanet Directory Server Access Management Edition Programmer's Guide.) The DSAME console is used to set the default values, to register authentication services, to create an organization's authentication template and to enable the service. This chapter provides an overview of the authentication services and instructions for registering them. It contains the following sections:

    The Core Authentication Service
    Anonymous Authentication
    Certificate-based Authentication
    LDAP Directory Authentication
    Membership Authentication
    RADIUS Server Authentication
    SafeWord Authentication
    Unix Authentication



The Core Authentication Service

DSAME provides seven authentication services plus a Core authentication service. The Core authentication service holds the overall configuration for authentication. Before registering and enabling Anonymous, Certificate-based, LDAP, Membership or RADIUS authentication, Core authentication must be registered and enabled. Chapter 9 "Core Authentication Attributes" contains a detailed listing of the Core attributes.


To Register and Enable the Core Service

  1. Navigate to the navigation pane of the Organization for which the Core service is to be registered.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Services from the Show menu.

  3. Click Register in the navigation pane.

    A list of available services displays in the data pane.

  4. Select the checkbox for Core Authentication and click Register.

    The Core Authentication service will appear in the navigation pane assuring the administrator that it has been registered.

  5. Click the Core Authentication Properties arrow.

    The message No template available for this service appears in the data pane.

  6. Click Create.

    The Core attributes appear in the data pane. Modify the attributes as necessary. An explanation of the Core attributes can be found in Chapter 9 "Core Authentication Attributes" or by clicking the Documentation link in the upper right hand corner of the DSAME console.

  7. Click Register.

    The Core service has been enabled.



Anonymous Authentication

When this method is enabled, a user can log in to DSAME as an anonymous user. Granting anonymous access means that DSAME can be accessed without providing a user name or password. Anonymous access can be limited to specific types of access (for example, read access or search access) or to specific subtrees or individual entries within the directory.


To Register and Enable Anonymous Authentication

You must log in to DSAME as the Organization Administrator or Super Administrator.

  1. Navigate to the navigation pane of the Organization for which Anonymous Authentication is to be registered.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Services from the Show menu.

    The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the Anonymous Authentication service.

  3. Click Register in the navigation pane.

    A list of available services displays in the data pane.

  4. Select the checkbox for Anonymous Authentication and click Register.

    The Anonymous Authentication service will appear in the navigation pane assuring the administrator that it has been registered.

  5. Click the Anonymous Authentication Properties arrow.

    The message No template available for this service appears in the data pane.

  6. Click Create.

    The Anonymous Authentication attributes appear in the data pane. Modify the attributes as necessary. An explanation of these attributes can be found in Chapter 7 "Anonymous Authentication Attributes" or by clicking the Documentation link in the upper right hand corner of the DSAME console.

  7. Click Save.

    The Anonymous Authentication service has been enabled.


Logging In Using Anonymous Authentication

In order to log in using Anonymous Authentication, the Core Authentication service attribute "Authentication Menu" must be modified to define Anonymous Authentication. This ensures that when the user logs in using http://<hostname>:<port>/amserver/login, they will see the Anonymous Authentication login window.



Note The Default Anonymous User Name attribute value in the Anonymous Authentication service is anonymous. This is the name users enter to log in. A default anonymous user must be created within the organization, and its user ID must be identical to the user name specified in the Anonymous Authentication attributes.





Certificate-based Authentication



Certificate-based Authentication uses a personal digital certificate (PDC) to identify and authenticate a user. The service can be configured to require that the presented PDC match a PDC stored in Directory Server, and to verify the certificate against a Certificate Revocation List.

Several steps must be completed before registering the Certificate-based Authentication service to an organization. First, the iPlanet Web Server that is installed with DSAME needs to be secured and configured for Certificate-based Authentication. Before enabling the Certificate-based service, see Appendix C, Securing Your Web Server in the iPlanet Directory Server Access Management Edition Installation and Configuration Guide for these initial Web Server configuration steps.



Note Each user that will authenticate using the certificate-based service must request a PDC for their browser. Instructions are different depending upon the browser used. See your browser's documentation for more information.




To Register and Enable Certificate-based Authentication

You must log in to DSAME as the Organization Administrator or Super Administrator.

  1. Navigate to the navigation pane of the Organization for which Certificate-based Authentication is to be registered.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Services from the Show menu.

    The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the Certificate-based Authentication service.

  3. Click Register in the navigation pane.

    A list of available services displays in the data pane.

  4. Select the checkbox for Certificate-based Authentication and click Register.

    The Certificate-based Authentication service will appear in the navigation pane assuring the administrator that it has been registered.

  5. Click the Certificate-based Authentication Properties arrow.

    The message No template available for this service appears in the data pane.

  6. Click Create.

    The Certificate-based Authentication attributes appear in the data pane. Modify the attributes as necessary. An explanation of these attributes can be found in Chapter 8 "Certificate Authentication Attributes" or by clicking the Documentation link in the upper right hand corner of the DSAME console.

  7. Click Save.


Logging In Using Certificate-based Authentication

In order to log in using Certificate-based Authentication, the Core Authentication service attribute "Authentication Menu" must be modified to define Certificate-based Authentication. This ensures that when the user logs in using http://<hostname>:<port>/amserver/login, they will see the Certificate-based Authentication login window.



LDAP Directory Authentication



With the LDAP Authentication service, a user who logs in is required to bind to the LDAP Directory Server with a specific user DN and password. If the user ID and password match an entry in the Directory Server, the user is granted access and set up with a valid DSAME session. LDAP Authentication is enabled by default when DSAME is installed. The following instructions are provided in the event that the service is disabled.


To Register and Enable LDAP Authentication

You must log in to DSAME as the Organization Administrator or Super Administrator.

  1. Navigate to the navigation pane of the Organization for which LDAP Authentication is to be registered.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Services from the Show menu.

    The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the LDAP Authentication service.

  3. Click Register in the navigation pane.

    A list of available services displays in the data pane.

  4. Select the checkbox for LDAP Authentication and click Register.

    The LDAP Authentication service will appear in the navigation pane assuring the administrator that it has been registered.

  5. Click the LDAP Authentication Properties arrow.

    The message No template available for this service appears in the data pane.

  6. Click Create.

    The LDAP Authentication attributes appear in the data pane. Modify the attributes as necessary. An explanation of these attributes can be found in Chapter 10 "LDAP Authentication Attributes" or by clicking the Documentation link in the upper right hand corner of the DSAME console.

  7. Click Save.

    The LDAP Authentication service has been enabled.


Logging In Using LDAP Authentication

In order to log in using LDAP Authentication, the Core Authentication service attribute "Authentication Menu" must be modified to define LDAP Authentication. This ensures that when the user logs in using http://<hostname>:<port>/amserver/login, they will see the LDAP Authentication login window.


Enabling LDAP Authentication Failover

The LDAP authentication attributes include a value field for both a primary and a secondary Directory Server. DSAME will look to the secondary server for authentication if the primary server becomes unavailable. For more information, see the LDAP attributes "Primary LDAP Server and Port" and "Secondary LDAP Server and Port".
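The bind-and-failover behaviour described in the two passages above, as an added example that is not code from DSAME or from this guide. It encodes an LDAPv3 simple BindRequest and decodes the BindResponse result code directly in BER (so it needs only the standard library), and it moves from the primary server to the secondary only when a server is unreachable, never on a rejected password. The server names, the user DN and the canned responses in offline_demo are constructed placeholders, and a real deployment would wrap the socket in TLS (LDAPS) because a simple bind sends the password in the clear.

```python
"""Added example (not part of the DSAME guide): LDAPv3 simple bind with
primary/secondary failover, written against the wire format of RFC 4511."""
import socket

INVALID_CREDENTIALS = 49  # LDAP resultCode returned for a wrong DN or password


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    message_id is assumed to be below 128 so it fits one INTEGER octet."""
    bind = (_tlv(0x02, bytes([3]))            # version INTEGER 3
            + _tlv(0x04, dn.encode())         # name LDAPDN (OCTET STRING)
            + _tlv(0x80, password.encode()))  # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def bind_result_code(response: bytes) -> int:
    """Extract resultCode from LDAPMessage { messageID, BindResponse [APPLICATION 1] }."""
    tag, msg, _ = _read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)              # skip messageID
    tag, bind_resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, _ = _read_tlv(bind_resp, 0)     # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def socket_transport(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Send one request and read one response over plain TCP.
    Raises OSError when the server is down, which is the failover trigger."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        return sock.recv(4096)


def bind_with_failover(dn: str, password: str, servers, transport=socket_transport):
    """Try each (host, port) in order (primary first). A server is skipped only
    when it is unreachable; a result such as invalidCredentials is returned
    from the first server that answers, so a bad password is not retried
    against the secondary. Returns ((host, port), result_code)."""
    request = bind_request(1, dn, password)
    last_error = None
    for host, port in servers:
        try:
            response = transport(host, port, request)
        except OSError as exc:
            last_error = exc
            continue
        return (host, port), bind_result_code(response)
    raise ConnectionError(f"no LDAP server reachable: {last_error!r}")


def offline_demo():
    """Constructed scenario: the primary is down, the secondary accepts the bind."""
    success = bytes.fromhex("300c02010161070a010004000400")  # resultCode 0

    def fake_transport(host, port, request):
        if host == "ldap-primary.example.com":
            raise ConnectionRefusedError("primary down (simulated)")
        return success

    servers = [("ldap-primary.example.com", 389), ("ldap-secondary.example.com", 389)]
    return bind_with_failover("uid=jdoe,ou=People,dc=example,dc=com", "s3cret",
                              servers, transport=fake_transport)


if __name__ == "__main__":
    print(offline_demo())
```

The design point is in bind_with_failover: failing over on a resultCode of 49 would double every wrong-password attempt and can trip account lockout on both servers, so only transport-level errors move the client to the secondary.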



Membership Authentication



Membership authentication works like the account systems of personalized sites such as my.netscape.com or mysun.sun.com. When this service is enabled, a user creates an account and personalizes it without the aid of an administrator, and can then log in to that account as a registered user. The user can also access the viewer interface, whose authorization data and user preferences are saved in the iPlanet user profile database.


To Register and Enable Membership Authentication

You must log in to DSAME as the Organization Administrator or Super Administrator.

  1. Navigate to the navigation pane of the Organization for which Membership Authentication is to be registered.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Services from the Show menu.

    The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the Membership Authentication service.

  3. Click Register in the navigation pane.

    A list of available services displays in the data pane.

  4. Select the checkbox for Membership Authentication and click Register.

    The Membership Authentication service will appear in the navigation pane assuring the administrator that it has been registered.

  5. Click the Membership Authentication Properties arrow.

    The message No template available for this service appears in the data pane.

  6. Click Create.

    The Membership Authentication attributes appear in the data pane. Modify the attributes as necessary. An explanation of these attributes can be found in Chapter 11 "Membership Authentication Attributes" or by selecting the Documentation link in the upper right hand corner of the DSAME console.

  7. Click Save.

    The Membership Authentication service has been enabled.


Logging In Using Membership Authentication

In order to log in using Membership Authentication, the Core Authentication service attribute "Authentication Menu" must be modified to define Membership Authentication. This ensures that when the user logs in using http://<hostname>:<port>/amserver/login, they will see the Membership Authentication login window.



RADIUS Server Authentication



DSAME can be configured to work with a RADIUS server that is already installed. This is useful if there is a legacy RADIUS server being used for authentication in your enterprise. Enabling the RADIUS authentication service is a two-step process.

  1. Configure the RADIUS server.

    For detailed instructions, see the RADIUS server documentation.

  2. Register and enable the RADIUS authentication service.



    Note For each user defined in the RADIUS server's user file, a matching user must be created in the DSAME organization that uses the RADIUS server.
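Both the Anonymous Authentication note earlier in this chapter (the anonymous user's ID must match the Default Anonymous User Name attribute) and the RADIUS note above require that certain user entries exist in the organization. The following check, added here as an example and not part of DSAME or this guide, takes an LDIF export of the organization and reports which expected user IDs are missing. The LDIF text is constructed sample data, the DN layout under the organization is an assumption, and the uid comparison is case-insensitive on the assumption that the directory's uid attribute uses a case-ignoring matching rule.

```python
"""Added example (not part of the DSAME guide): verify that the users an
authentication service expects exist in an LDIF export of the organization."""
import base64

# Constructed sample export; entry layout is an assumption.
SAMPLE_LDIF = """\
dn: uid=anonymous,ou=People,o=example.com,o=isp
objectClass: inetOrgPerson
uid: anonymous
cn: Anonymous User

dn: uid=jdoe,ou=People,o=example.com,o=isp
objectClass: inetOrgPerson
uid: jdoe
cn:: SmFuZSBEb2U=
description: a long value folded
  across two lines

"""


def parse_ldif(text: str):
    """Minimal LDIF reader: returns a list of entries, each a dict of
    lower-cased attribute name -> list of values. Handles folded
    continuation lines (leading space) and base64 values (attr:: value),
    which covers what a plain directory export contains."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # unfold continuation line
        else:
            logical.append(line)

    entries, current = [], None
    for line in logical:
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def missing_users(ldif_text: str, expected_uids):
    """Return the expected user IDs that have no entry with a matching uid,
    sorted. Comparison is case-insensitive (assumed caseIgnore uid)."""
    present = {v.lower() for e in parse_ldif(ldif_text) for v in e.get("uid", [])}
    return sorted(u for u in expected_uids if u.lower() not in present)


def check_anonymous_user(ldif_text: str, default_anonymous_user_name: str = "anonymous") -> bool:
    """True when the organization has a user whose ID equals the Default
    Anonymous User Name attribute value (the guide's default is 'anonymous')."""
    return missing_users(ldif_text, [default_anonymous_user_name]) == []


def check_radius_users(ldif_text: str, radius_user_names):
    """For the RADIUS note: list users present in the RADIUS user file but
    absent from the organization."""
    return missing_users(ldif_text, radius_user_names)


if __name__ == "__main__":
    print("anonymous user present:", check_anonymous_user(SAMPLE_LDIF))
    print("RADIUS users missing:", check_radius_users(SAMPLE_LDIF, ["jdoe", "rsmith"]))
```

A mismatch between the attribute value and the directory entry is silent in the console, so running this kind of check after changing the Default Anonymous User Name or the RADIUS user file is cheaper than debugging failed logins later.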




To Register and Enable RADIUS Authentication

You must log in to DSAME as the Organization Administrator or Super Administrator.

  1. Navigate to the navigation pane of the Organization for which RADIUS Authentication is to be registered.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Services from the Show menu.

    The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the RADIUS Authentication service.

  3. Click Register in the navigation pane.

    A list of available services displays in the data pane.

  4. Select the checkbox for RADIUS Authentication and click Register.

    The RADIUS Authentication service will appear in the navigation pane assuring the administrator that it has been registered.

  5. Click the RADIUS Authentication Properties arrow.

    The message No template available for this service appears in the data pane.

  6. Click Create.

    The RADIUS Authentication attributes appear in the data pane. Modify the attributes as necessary. An explanation of these attributes can be found in Chapter 12 "RADIUS Authentication Attributes" or by selecting the Documentation link in the upper right hand corner of the DSAME Administration Console.

  7. Click Save.

    The RADIUS Authentication service has been enabled.


Logging In Using RADIUS Authentication

In order to log in using RADIUS Authentication, the Core Authentication service attribute "Authentication Menu" must be modified to define RADIUS Authentication. This ensures that when the user logs in using http://<hostname>:<port>/amserver/login, they will see the RADIUS Authentication login window.



SafeWord Authentication



DSAME can be configured to handle SafeWord Authentication requests to Secure Computing's SafeWord authentication server. DSAME provides the client portion of SafeWord authentication. The SafeWord server may exist on the system on which DSAME is installed, or on a separate system.



Note For this release, the SafeWord Authentication service is only supported on the Solaris 8 platform.




To Register and Enable SafeWord Authentication

You must log in to DSAME as the Organization Administrator or Super Administrator.

  1. Navigate to the navigation pane of the Organization for which SafeWord Authentication is to be registered.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Services from the Show menu.

    The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the SafeWord Authentication service.

  3. Click Register in the navigation pane.

    A list of available services displays in the data pane.

  4. Select the checkbox for SafeWord Authentication and click Register.

    The SafeWord Authentication service will appear in the navigation pane, assuring the administrator that it has been registered.

  5. Click the SafeWord Authentication Properties arrow.

    The message No template available for this service appears in the data pane.

  6. Click Create.

    The SafeWord Authentication attributes appear in the data pane. Modify the attributes as necessary. An explanation of these attributes can be found in Chapter 13 "SafeWord Authentication Attributes," or by clicking the Documentation link on the upper righthand corner of the DSAME Console.

  7. Click Save.

    The SafeWord Authentication service has been enabled.



Unix Authentication

DSAME can be configured to process authentication requests against Unix userids and passwords known to the (Solaris) system on which DSAME is installed. While there is only one organizational attribute, and a few global attributes for Unix authentication, there are some system-oriented considerations.

In order to authenticate locally-administered userids (see admintool (1M)), root access is required. If DSAME is installed to run as nobody, or a userid other than root, then the <install_dir>/SUNWam/bin/doUnix process must still execute as root. The passwd entry in the /etc/nsswitch.conf file determines whether the /etc/passwd and /etc/shadow files, or NIS are consulted for authentication.

Unix Authentication makes use of an authentication "helper", which is a separate process from the main DSAME process. Upon startup, this helper listens on a port for configuration information. There is only one Unix helper per DSAME server to serve all of its organizations.
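The two system considerations above (which name service the passwd lookup consults, and the requirement that the doUnix helper run as root for locally administered accounts) can be checked before enabling the service. The following preflight script is an added example, not part of DSAME or this guide: it parses the passwd line of nsswitch.conf and flags the case where the helper's effective UID is not root while local files are among the sources. The nsswitch text and UIDs passed in are constructed sample inputs; the helper path is the one the guide gives, with <install_dir> left as a placeholder.

```python
"""Added example (not part of the DSAME guide): preflight check for the Unix
authentication helper's name-service and privilege requirements."""
import os
import re

DOUNIX_HELPER = "<install_dir>/SUNWam/bin/doUnix"   # path as written in the guide

# Constructed sample nsswitch.conf, Solaris style.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files nis
group:      files nis
hosts:      files dns [NOTFOUND=return]
"""


def passwd_sources(nsswitch_text: str):
    """Return the lookup sources named on the passwd: line, in order, with any
    [STATUS=action] selectors stripped. Empty list when no passwd line exists."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        key, _, rest = line.partition(":")
        if key.strip() == "passwd":
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []


def helper_preflight(nsswitch_text: str, helper_euid: int):
    """Return (sources, problems). sources is the passwd lookup order; problems
    is a list of human-readable findings (empty when the setup looks right)."""
    sources = passwd_sources(nsswitch_text)
    problems = []
    if not sources:
        problems.append("no passwd entry found in nsswitch.conf")
    if "files" in sources and helper_euid != 0:
        # The guide: local (/etc/passwd and /etc/shadow) lookups need root,
        # even when the DSAME server itself runs as nobody.
        problems.append(
            f"{DOUNIX_HELPER} would run as uid {helper_euid}; root is required "
            "to authenticate locally administered userids via /etc/shadow")
    return sources, problems


def live_preflight(path: str = "/etc/nsswitch.conf"):
    """Same check against the real file and the current effective UID."""
    with open(path, encoding="utf-8") as fh:
        return helper_preflight(fh.read(), os.geteuid())


if __name__ == "__main__":
    for euid in (0, 60001):                      # 60001 is the usual 'nobody' on Solaris
        sources, problems = helper_preflight(SAMPLE_NSSWITCH, euid)
        print(f"euid={euid} sources={sources}")
        for p in problems:
            print("  problem:", p)
```

Because one helper serves every organization on the server, a privilege problem found here affects all of them at once, which is why it is worth checking before the per-organization template is created.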


To Register and Enable Unix Authentication

You must log in to DSAME as Super Administrator for the following steps.

  1. Navigate to the Navigation pane and select the Service Management View.

  2. Click on the Unix Authentication Properties arrow in the Service Name list.

    Several Global and one Organization attributes are displayed. Because one Unix helper serves all of the DSAME server's organizations, most of the Unix attributes are global. An explanation of these attributes can be found in Chapter 14 "Unix Authentication Attributes," or by clicking the Documentation link in the upper righthand corner of the DSAME console.

  3. Click Save to save the new values for the attributes.

You may log in to DSAME as the Organization Administrator to enable Unix Authentication for an organization.

  1. Navigate to the navigation pane of the Organization for which Unix Authentication is to be registered.

    Use the Show menu in the navigation pane and the Location path in the location pane.

  2. Choose Services from the Show menu.

    The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the Unix Authentication service.

  3. Click Register in the navigation pane.

    A list of available services displays in the data pane.

  4. Select the checkbox for Unix Authentication and click Register.

    The Unix Authentication service will appear in the navigation pane, assuring the administrator that it has been registered.

  5. Click the Unix Authentication Properties arrow.

    The message No template available for this service appears in the data pane.

  6. Click Create.

    The Unix Authentication organization attribute appears in the data pane. Modify the Authentication Level attribute as necessary. An explanation of this attribute can be found in Chapter 14 "Unix Authentication Attributes," or by clicking the Documentation link in the upper righthand corner of the DSAME console.

  7. Click Save.

    The Unix Authentication service has been enabled.


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated May 09, 2002