Configuring the Shared Database Account

You can configure your authentication system so that a designated directory entry contains a database account that is shared by many users; this is the shared database account. The shared database account option can be implemented in the following authentication strategies:

  • Security adapter authentication: LDAP, custom (not database authentication)

  • Web SSO authentication

By default, the shared database account option is not implemented, and each user’s database account exists in an attribute of that user’s record in the directory. Because all externally authenticated users typically share one or a few database accounts, the same credentials are duplicated across many user records. If those credentials must be changed, then you must edit them in every user’s record. By implementing a shared credential, you store the database credentials once and reduce directory administration.

The shared database account option can be specified for the LDAP security adapter as follows:

  • The shared database account credentials can be specified in an attribute of the shared database account record in the directory. Database credentials are retrieved from the shared database account if they are available to be extracted. If database credentials are not available from the shared database account, then they are instead retrieved from the user. For information, see Storing Shared Database Account Credentials as Directory Attributes.

  • The shared database account credentials can be specified as profile parameters (Shared DB User Name and Shared DB Password) for the LDAP Security Adapter profiles. If you want to implement a shared database account, then it is recommended that you specify database credentials as profile parameters. For information, see Storing Shared Database Account Credentials as Profile Parameters.

When storing database credentials in a directory attribute, both the user name and password are stored as plain text, even if you implement database credentials password hashing (in this case the hashed password is maintained in the database, while an unhashed version of the password is stored in the directory). Specifying database credentials as profile parameters avoids having to store database credentials as plain text in the directory.
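The following added example (not part of this documentation or of the product) models the credential lookup described above: the shared database account record is consulted first, and the user’s own record is used only when the shared record does not yield credentials. It also includes a small audit that lists which directory entries still hold a plain-text database password, which is the exposure the preceding paragraph warns about. The in-memory directory, the DNs, and the attribute names `dbUser` and `dbPassword` are constructed for this example and are not the product’s attribute names.

```python
# Constructed in-memory stand-in for a directory, keyed by DN.
# The DNs and the attribute names dbUser / dbPassword are assumptions
# made for this example only; they are not the product's schema.
DIRECTORY = {
    "cn=shared-db,ou=accounts,dc=example,dc=com": {
        "dbUser": "appdb",
        "dbPassword": "shared-secret",
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "dbUser": "alice_db",
        "dbPassword": "alice-secret",
    },
    # bob has no database credentials of his own.
    "uid=bob,ou=people,dc=example,dc=com": {},
}


def _extract(entry):
    """Return (user, password) if both attributes are present and non-empty."""
    user = entry.get("dbUser")
    password = entry.get("dbPassword")
    if user and password:
        return user, password
    return None


def resolve_db_credentials(directory, user_dn, shared_dn=None):
    """Resolve the database account for an externally authenticated user.

    Order of precedence, as described on the page:
      1. the shared database account record (if one is configured), then
      2. the user's own directory record.
    Returns (user, password, source) where source is "shared" or "user".
    """
    if shared_dn:
        creds = _extract(directory.get(shared_dn, {}))
        if creds:
            return creds[0], creds[1], "shared"
    creds = _extract(directory.get(user_dn, {}))
    if creds:
        return creds[0], creds[1], "user"
    raise LookupError(f"no database credentials available for {user_dn}")


def audit_plaintext_db_passwords(directory):
    """List every DN whose entry carries a plain-text database password.

    Useful after moving to profile-parameter credentials: any DN still
    listed here holds a secret in the directory that should be removed.
    """
    return sorted(dn for dn, entry in directory.items() if entry.get("dbPassword"))


if __name__ == "__main__":
    shared = "cn=shared-db,ou=accounts,dc=example,dc=com"
    for dn in ("uid=alice,ou=people,dc=example,dc=com",
               "uid=bob,ou=people,dc=example,dc=com"):
        user, _, source = resolve_db_credentials(DIRECTORY, dn, shared)
        print(f"{dn} -> {user} (from {source})")
    print("entries holding plain-text DB passwords:",
          audit_plaintext_db_passwords(DIRECTORY))
```

Running the audit before and after moving the credentials to profile parameters shows whether any plain-text copies remain in the directory; with the shared record in place, both users resolve to the same account without touching their own records.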