Previous      Contents      Index      Next
Sun Java System Access Manager 6 2005Q1 Administration Guide

Chapter 18  
Active Directory Authentication Attributes

The Active Directory Authentication attributes are organization attributes. The values applied to them under Service Configuration become the default values for the Active Directory Authentication template. The service template needs to be created after registering the service for the organization. The default values can be changed after registration by the organization’s administrator. Organization attributes are not inherited by entries in the organization. The Active Directory Authentication attributes are:

Primary Active Directory Server
Secondary Active Directory Server
DN to Start User Search
DN for Root User Bind
Password for Root User Bind
Password For Root User Bind (Confirm)
Active Directory Attribute Used to Retrieve User Profile
Active Directory Attributes Used to Search for a User to be Authenticated
User Search Filter
Search Scope
Enable SSL Access to Active Directory Server
Return User DN To Authenticate
Active Directory Server Check Interval
User Creation Attributes List
Authentication Level

Primary Active Directory Server

This field specifies the host name and port number of the primary Active Directory server specified during Access Manager installation. This is the first server contacted for Active Directory authentication. The format is hostname:port. (If there is no port number, assume 389.).

If you have Access Manager deployed with multiple domains, you can specify the communication link between specific instances of Access Manager and Directory Server in the following format (multiple entries must be prefixed by the local server name):

local_servername|server:port local_servername2|server2:port2 ...

For example, if you have two Access Manager instances deployed in different locations (L1-machine1-IS and L2- machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), it would look the following:

L1-machine1-IS.example.com|L1-machine1-DS.example.com:389 L2-machine2-IS.example.com|L2-machine2-DS.example.com:389

Secondary Active Directory Server

This field specifies the host name and port number of a secondary Active Directory server available to the Access Manager platform. If the primary Active Directory server does not respond to a request for authentication, this server would then be contacted. If the primary server is up, Access Manager will switch back to the primary server. The format is also hostname:port. Multiple entries must be prefixed by the local server name.

Caution	When authenticating users from a Directory Server that is remote from the Access Manager enterprise, it is important that both the Primary and Secondary Active Directory Server Ports have values. The value for one Directory Server location can be used for both fields.

DN to Start User Search

This field specifies the DN of the node where the search for a user would start. (For performance reasons, this DN should be as specific as possible.) The default value is the root of the directory tree. Any valid DN will be recognized. If OBJECT is selected in the Search Scope attribute, the DN should specify one level above the level in which the profile exists.

Multiple entries must be prefixed by the local server name. The format is as follows:

servername|search dn

For multiple entries

servername1|search dn servername2|search dn servername3|search dn...

If multiple users are found for the same search, authentication will fail.

DN for Root User Bind

This field specifies the DN of the user that will be used to bind to the Directory Server specified in the Primary Active Directory Server and Port field as administrator. The authentication service needs to bind as this DN in order to search for a matching user DN based on the user login ID. The default value is amLDAPuser. Any valid DN will be recognized.

Make sure that password is correct before you logout, because if it is incorrect, you will be locked out. If this should occur, you can login with the super user DN in the com.iplanet.authentication.super.user property in the AMConfig.Properties file. By default, this the amAdmin account with which you would normally log in, although you will use the full DN. For example:

uid_amAdmin,ou=People,AccessManager-base

Password for Root User Bind

This field carries the password for the administrator profile specified in the DN for Root User Bind field. There is no default value. Only the administrator’s valid Active Directory password will be recognized.

Password For Root User Bind (Confirm)

Confirmation of the password.

Active Directory Attribute Used to Retrieve User Profile

After successful authentication by a user, the user’s profile is retrieved. The value of this attribute is used to perform the search. The field specifies the Active Directory attribute to use. By default, Access Manager assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname)specify the attribute name in this field.

Note	The user search filter will be a combination of the Search Filter attribute and the Active Directory Attribute Used to Retrieve User Profile.

Active Directory Attributes Used to Search for a User to be Authenticated

This field lists the attributes to be used to form the search filter for a user that is to be authenticated, and allows the user to authenticate with more than one attribute in the user’s entry. For example, if this field is set to uid, employeenumber and mail, the user could authenticate with any of these names.

User Search Filter

This field specifies an attribute to be used to find the user under the DN to Start User Search field. It works with the User Entry Naming Attribute. There is no default value. Any valid user entry attribute will be recognized.

Search Scope

This menu indicates the number of levels in the Directory Server that will be searched for a matching user profile. The search begins from the node specified in the attribute DN to Start User Search. The default value is SUBTREE. One of the following choices can be selected from the list:

OBJECT - Searches only the specified node
ONELEVEL - Searches at the level of the specified node and one level down
SUBTREE - Search all entries at and below the specified node

Caution	Users from suborganizations may be able to login even if the sub organization’s status is inactive. To avoid this, make sure that the Search Scope and the Base DN are set to the specific organization to which the user belongs.

Enable SSL Access to Active Directory Server

This option enables SSL access to the Directory Server specified in the Primary and Secondary Active Directory Server and Port field. By default, this is not enabled and the SSL protocol will not be used to access the Directory Server. However, if this attribute is enabled, you can bind to a non-SSL server.

If the LDAP Server is running with SSL enabled (LDAPS), you must make sure that Access Manager is configured with proper SSL trusted certificates so that AM could connect to Directory server over LDAPS protocol

Return User DN To Authenticate

When the Access Manager directory is the same as the directory configured for Active Directory, this option may be enabled. If enabled, this option allows the Active Directory authentication module to return the DN instead of the userId, and no search is necessary. Normally, an authentication module returns only the userId, and the authentication service searches for the user in the local Access Manager Active Directory. If an external Active Directory directory is used, this option is typically not enabled.

Active Directory Server Check Interval

This attribute is used for Active Directory Server failback. It defines the number of minutes in which a thread will “sleep” before verifying that the Active Directory primary server is running.

User Creation Attributes List

This attribute is used by the Active Directory authentication module when the Active Directory server is configured as an external Active Directory server. It contains a mapping of attributes between a local and an external Directory Server. This attribute has the following format:

attr1|externalattr1

attr2|externalattr2

When this attribute is populated, the values of the external attributes are read from the external Directory Server and are set for the internal Directory Server attributes. The values of the external attributes are set in the internal attributes only when the User Profile attribute (in the Core Authentication module) is set to “Dynamically Created” and the user does not exist in local Directory Server instance. The newly created user will contain the values for internal attributes, as specified in User Creation Attributes List, with the external attribute values to which they map.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.

Note	If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Auth Level. See “Default Authentication Level” on page 306 for details.

Previous      Contents      Index      Next

---

Part No: 817-7647-11.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.