Previous
Contents
Index
Next
|
| Sun ONE Identity Server Administration Guide |
Chapter 19 Membership Authentication Attributes
The Membership Authentication attributes are organization attributes. The values applied to them under Service Configuration become the default values for the Membership Authentication template. The service template needs to be created after registering the service for the organization. The default values can be changed after registration by the organization's administrator. Organization attributes are not inherited by entries in the subtrees of the organization. The Membership Authentication attributes are:
Minimum Password Length
User Status After Registration
Secondary LDAP Server and Port
Minimum Password Length
This field specifies the minimum number of characters required for a password set during self-registration. The default value is 8.
If this value is changed, it should also be changed in the registration and error text in the following file:
<IdentitySever_root>/locale/amAuthMembership.properties (PasswdMinChars entry)
Default User Roles
This field specifies the roles assigned to new users whose profiles are created through self-registration. There is no default value. The administrator must specify the DNs of the roles that will be assigned to the new user.
Note The role specified must be under the organization for which authentication is being configured.
User Status After Registration
This menu specifies whether services are immediately made available to a user who has self-registered. The default value is Active and services are available to the new user. By selecting Inactive, the administrator chooses to make no services available to a new user.
Primary LDAP Server and Port
This field specifies the host name and port number of the primary Directory Server. This is the first server searched for membership authentication. The default value is the Directory Server URL specified during Identity Server installation. The format is hostname:port. If you use multiple entries, the entries must be prefixed by the local server name.
Secondary LDAP Server and Port
This field specifies the host name and port number of the secondary Directory Server. If the primary server does not respond to a request for authentication, this server would then be contacted. There is no default value for this field. The format is hostname:port.If you use multiple entries, the entries must be prefixed by the local server name.
DN to Start User Search
This field specifies the DN of the node where the search for a user would start. (For performance reasons, this DN should be as specific as possible.) The default value is the root of the directory tree. Any valid DN will be recognized. If you use multiple entries, the entries must be prefixed by the local server name.
Note If multiple users match the same search, authentication will fail.
DN for Root User bind
This field specifies the DN of the user that will be used to bind to the Directory Server specified in the Primary LDAP Server and Port field as administrator. The authentication service needs to bind as this DN in order to search for a matching user DN based on the user login ID. There is no default value. Any valid DN will be recognized.
Password for Root User Bind
This field carries the password for the administrator profile specified in the DN for Root User Bind field. There is no default value. Only the administrator's valid LDAP password will be recognized.
Password for Root User Bind (Confirm)
Confirmation of the password.
User Naming Attribute
This field specifies the attribute used for the naming convention of user entries. By default, Identity Server assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname) specify the attribute name in this field.
User Entry Search Attributes
This field lists the attributes to be used to form the search filter for a user that is to be authenticated, and allows the user to authenticate with more than one attribute in the user's entry. For example, if this field is set to uid, employeenumber and mail, the user could authenticate with any of these names.
User Search Filter
This field specifies an attribute to be used to find the user under the DN to Start User Search field. It works with the User Naming Attribute. There is no default value. Any valid user entry attribute will be recognized.
Search Scope
This menu indicates the number of levels in the Directory Server that will be searched for a matching user profile. The search begins from the node specified in the attribute "DN to Start User Search". The default value is SUBTREE. One of the following choices can be selected from the list:
OBJECT — Searches only the specified node
ONELEVEL — Searches at the level of the specified node and one level down
SUBTREE — Search all entries at and below the specified node
Enable SSL to LDAP Server
This option enables SSL access to the Directory Server specified in the Primary and Secondary LDAP Server and Port field. By default, the box is not checked and the SSL protocol will not be used to access the Directory Server.
Return User DN To Auth
When the Identity Server directory is the same as the directory configured for LDAP, this option may be enabled. If enabled, this option allows the LDAP authentication module to return the DN instead of the userId, and no search is necessary. Normally, an authentication module returns only the userId, and the authentication service searches for the user in the local Identity Server LDAP. If an external LDAP directory is used, this option is typically not enabled.
Authentication Level
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. (The value in this attribute is not specifically used by Identity Server but by any external application that may chose to use it.) If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0, the lowest authentication level.
Note If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Auth Level. See "Default Auth Level" for details.
Previous Contents Index Next
Copyright 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated December 04, 2002