The following sections contain configuration templates for the SSXLoginModule, organized by authorization type.
The security definitions for authorization type OS are managed by the local operating system.
[SSX_CONFIGURATION]
# This is a sample properties file for the case
# when authType is OS and the user database is
# the local operating system -
# On Unix Systems it is using PAM authentication
# On Windows a local LogonUser()

# Specifies the authentication type.
# Is Required: Yes
# Valid values: {"OS", "TEXT", "LDAP", "ADSI"}
# Default Value: None
authType=OS

# Specifies the explicit path of the privileged daemon process.
# Specify this parameter -
# if the sagssxauthd2 executable file is not in the current directory.
# Valid value is the valid path to the sagssxauthd2 module.
# Default Value: None
# Note: UNIX only.
##authDaemonPath

# Specify a default group name here to be returned
# with any of the group results that are returned by the repository manager.
# A valid value is any valid group name.
# Default Value: None
# Optional.
##defaultGroup

# If this parameter is specified, its value is used at authentication time
# when domain name is not specified by the user.
# If a domain name is specified, the value of this parameter is not used.
# A valid value is any valid domain name.
# Default Value: None
# Optional.
##defaultDomain

# Specifies how to access data.
# Valid values are:
# o true - Access is under the account of the running process.
# o false - Access is under the impersonated user ID of the logged on user.
# Default Value: FALSE
# Note: Windows only.
# Optional.
##noImpersonation

# Specifies the local machine name (on which the user is authenticated).
# The machine name is added before users and groups;
# for example, machine_name\user.
# Valid values are:
# o true - If set to TRUE (and there is no domain field), you are authenticated against the local machine only.
# o false - You are authenticated on the domain that you logged on.
# Default Value: FALSE
# Optional.
##unixAddMachineName

# Specifies the log level.
# Is Required: No
# Valid values:
# 0 - No logging
# Min: 1
# Max: 6
# Default Value: None
##nativeLogLevel=0

# Specifies the log file.
# Is Required: No
# Valid values:
# fully qualified file name
# Default Value: None
##nativeLogFile=SAGSSXCLIENTA_SSX.LOG
[SSX_CONFIGURATION-END]
The security definitions for authorization type TEXT are stored in a text file. The definitions can either be database-specific or be shared by multiple databases.
[SSX_CONFIGURATION]
# This is a sample properties file for the case
# when authType is TEXT and the user database is
# an SAG Internal User Repository
# created by the ssxtxtpasswd utility

# Specifies the authentication type.
# Is Required: Yes
# Valid values: {"OS", "TEXT", "LDAP", "ADSI"}
# Default Value: None
authType=TEXT

# Specifies the internal repository file
# which has been created with ssxtxtpasswd utility
# Is Required: No
# Valid values:
# fully qualified file name
# Default Value: None
internalRepository=<fullpath>/<filename>.<ext>

# Specifies the log level.
# Is Required: No
# Valid values:
# 0 - No logging
# Min: 1
# Max: 6
# Default Value: None
##nativeLogLevel=0

# Specifies the log file.
# Is Required: No
# Valid values:
# fully qualified file name
# No default value
##nativeLogFile=SAGSSXCLIENTA_SSX.LOG
[SSX_CONFIGURATION-END]
Further examples:
You can create and/or modify internal user repository files with the ssxtxtpasswd tool. To start the ssxtxtpasswd tool, you use a command prompt.
When you start the tool, you enter a user name and a password which are then
encrypted (SHA512 and Base64) and provided in the result text file. The tool
adds new or replaces existing user credentials in the text file.
Note: When you enter a user name, you can use only digits, Latin letters, and the following characters: ! ( ) - . ? [ ] _ ~
When you enter a password, you can use only digits, Latin letters, and the following characters: !"#$%&'()*+,-./:;<=>?[\]^_`{|}~
Tool to create or update an entry in the SSX text file based user repository.

Usage: ssxtxtpasswd [-f filename] [-c] [-p password] [-d | -e] userId

Use "-c" to create a new file. Usually, the file should exist and user entries are replaced/added.
Use "-p" to provide the password on the command line instead via an extra prompt.
Use "-d" to remove the specified user entry from the text file.
Use "-e" to check, whether the userId is already stored in the text file.

Note: The password usually will be read via a non-echo command input.
When no filename is specified, a default of "ssx_user" is assumed.
ssxtxtpasswd -f SAGInternalUserRepository.txt -c -p mypsw myuid
Hash: bOEOAPEEEJBKv+4zOELiYcFqY7qFhlLZz1ha7Ztf7j/drJHGy2ML0LXEu/kX7TD52Aj7XfwiZ+vpIl9DqRbVkA==
User entry for "myuid" successfully added

Resulting content of SAGInternalUserRepository.txt:

*
*
* SAG Internal User Repository
* version:3.0
*
user:myuid:$6a$bOEOAPEEEJBKv+4zOELiYcFqY7qFhlLZz1ha7Ztf7j/drJHGy2ML0LXEu/kX7TD52Aj7XfwiZ+vpIl9DqRbVkA==
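The following is an added example (not the ssxtxtpasswd tool's own code) showing how a consumer of the repository file can enforce the documented character sets, parse the user:<id>:$6a$<hash> entries, and check a login with a constant-time comparison. It assumes the stored hash is an unsalted SHA-512 of the password, Base64 encoded, as described above; the tool's exact hashing input is not documented on this page, so the sample entry is computed here rather than copied from the output above.

```python
import base64
import hashlib
import hmac
import re

# Character sets the Note above allows for ssxtxtpasswd input.
USER_RE = re.compile(r"^[0-9A-Za-z!()\-.?\[\]_~]+$")
PASS_RE = re.compile(r"^[0-9A-Za-z!\"#$%&'()*+,\-./:;<=>?\[\\\]^_`{|}~]+$")

def valid_user_name(user: str) -> bool:
    return bool(USER_RE.match(user))

def valid_password(password: str) -> bool:
    return bool(PASS_RE.match(password))

def hash_password(password: str) -> str:
    # Assumption: unsalted SHA-512 over the UTF-8 password, Base64 encoded
    # (88 characters), as the text describes; the real tool's exact input
    # (salting, encoding) is not documented here.
    return base64.b64encode(hashlib.sha512(password.encode()).digest()).decode()

def parse_repository(text: str) -> dict:
    """Map user id -> stored hash; '*' lines are the file header, entries
    have the form user:<id>:$6a$<hash>."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[0] != "user" or not parts[2].startswith("$6a$"):
            raise ValueError(f"unsupported entry: {line!r}")
        entries[parts[1]] = parts[2][len("$6a$"):]
    return entries

def verify(entries: dict, user: str, password: str) -> bool:
    """Check a login with a constant-time compare; an unknown user is
    compared against a dummy hash so both outcomes do the same work."""
    found = user in entries
    stored = entries[user] if found else hash_password("")
    match = hmac.compare_digest(stored, hash_password(password))
    return found and match

# Constructed sample repository in the layout shown above; the hash is
# computed here, not copied from the page.
SAMPLE_REPO = "\n".join(["*", "* SAG Internal User Repository", "* version:3.0", "*",
                         "user:myuid:$6a$" + hash_password("mypsw")])
```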
[SSX_CONFIGURATION]
# This is a sample properties file for the case
# when authType is LDAP and the user database is OpenLDAP

# Specifies the authentication type.
# Is Required: Yes
# Valid values: {"OS", "TEXT", "LDAP", "ADSI"}
# Default Value: None
authType=LDAP

# Specifies which server type will be used.
# Is Required: No
# Valid values: {"ActiveDirectory", "SunOneDirectory", "OpenLdap"}
# Default value: "OpenLdap"
serverType=OpenLDAP

# Property name that denotes a user entry.
# Is Required: No
# Valid values: (attribute name according to LDAP conventions)
# Default Value: None
userIdField=cn

# Enumeration of LDAP objectclasses that the user entries use in
# the target LDAP server.
# Is Required: No
# Valid values: (Comma separated list of objectclass names,
# according to LDAP conventions)
# Default value - depending on serverType:
# OpenLdap:
# "top,person"
# SunOneDirectory:
# "top,person,organizationalperson, inetorgperson"
# ActiveDirectory:
# "top,person,organizationalPerson,user"
personObjClass=inetOrgPerson

# Enumeration of LDAP objectclasses that the group entries use in
# the target LDAP server.
# Is Required: No
# Valid values: (Comma separated list of objectclass names,
# according to LDAP conventions)
# Default value - depending on serverType:
# OpenLdap:
# "top,groupOfUniqueNames"
# SunOneDirectory:
# "top,groupofuniquenames"
# ActiveDirectory:
# "top,group"
groupObjClass=groupOfUniqueNames

# Property name that denotes a group entry.
# Is Required: No
# Valid values: (attribute name according to LDAP conventions)
# Default value: cn
groupIdField=cn

# Property name of a user entry that points to the group that
# the user is member of.
# Is Required: No
# Valid values: (attribute name according to LDAP conventions)
# Default value:
# depending on serverType:
# OpenLdap:
# "ou"
# SunOneDirectory:
# NULL
# ActiveDirectory:
# "memberOf"
personGrpAttr=ou

# Property name of a group entry that points to users (members)
# Is Required: No
# Valid values: (attribute name according to LDAP conventions)
# Default value:
# depending on serverType:
# OpenLdap:
# "uniqueMember"
# SunOneDirectory:
# "uniqueMember"
# ActiveDirectory:
# "member"
groupPrsAttr=uniqueMember

# Seconds how long an authenticated user remains in the cache.
# Is Required: No
# Valid values:
# 0 - No cache
# Min: 1, Max: No limit
# Default value: 180
cacheTime=12

# Specify the max. number of cached users that have been successfully
# authenticated. When the cache overflows, the oldest entry is removed.
# Is Required: No
# Valid values:
# 0 - No cache
# Min: 1, Max: No limit
# Default value: 300
cacheSize=4

# Time (in seconds) how long to ignore any further authentication
# requests for a particular User-Id.
# Is Required: No
# Valid values:
# Min: 1, Max: No limit
# Default value: 100
denyTime=4

# Number of invalid logon attempts.
# Is Required: No
# Valid values:
# Min: 1, Max: No limit
# Default value: 3
denyCount=3

# Specifies an output file for logging.
# Is Required: No
# Valid values: (Valid log file path)
# Default Value: None
logCallback=true

# Specifies the log level.
# Is Required: No
# Valid values:
# 0 - No logging
# Min: 1
# Max: 6
# Default Value: None
##nativeLogLevel=0

# Specifies the log file.
# Is Required: No
# Valid values:
# fully qualified file name
# No default value
##nativeLogFile=SAGSSXCLIENTA_SSX.LOG

# Default group to be automatically included for all requests
# that return any groups
# Is Required: No
##defaultGroup=DefGroup

# BaseBindDN where to find the users.
# Is Required: Yes
# and should contain the most detailed DN to find the users
# personBindDn=ou=User,o=Org,dc=mycom,dc=com

# BaseBindDN where to find the groups.
# Is Required: Yes
# and should contain the most detailed DN to find the groups
##groupBindDn=ou=Groups,o=Org,dc=mycom,dc=com

# Attribute name of the password.
# Required when changing the password
# Is Required: Not always
# Default value:
# depending on serverType:
# OpenLdap:
# "userPassword"
# SunOneDirectory:
# "userPassword"
# ActiveDirectory:
# "unicodePwd"
##passwdField=userPassword

# Allow to pass a complete BaseBindDN
# via the domain parameter.
# Is Required: No
# Valid values: 0, 1
##allowdomainasbasebinddn=0

# Allow to specify which fields to search for as properties
# of a user entry
# Is Required: No
# Valid values: string, for example: "cn,sn,description"
##personPropAttr

# Allow to specify which fields to search for as properties
# of a group entry
# Is Required: No
# Valid values: string, for example: "cn,description"
##groupPropAttr

# Allow to use the special secure authentication using SASL,
# providing the directory supports this mechanism.
# Is Required: No
# Valid values: 0, 1 (default: 0)
##ldapSaslBind

# Allow to switch from a non-secure connection to a TLS connection,
# providing the directory supports this mechanism.
# Is Required: No
# Valid values: 0, 1 (default: 0)
##ldapStartTls

# By default, the first "dc=" occurrence within the distinguished
# name string denotes the domain name.
# If additional abbreviations are to be defined, use
# the following 2 parameters.
# Example: Short="RnD;Admins;board"
# with Long="ou=Rnd,ou=user,dc=mycom,dc=com;ou=Administrators,dc=mycom,dc=com;ou=VIP,dc=mycom,dc=com"
##ldapDomainShort
##ldapDomainLong

# If the automatic domain name should NOT be used to compose
# the canonical user id (SSXGetCanonicalUserId_A/W),
# specify this part of the ID here.
##canonicalDomainName

# Three algorithms are supported to find the groups of a user:
# "ru", recurse up: take the group pointer from the user entry
# and continue to search up for all groups found
# "rd", recurse down: search for all groups that have the
# user as member (no recursion)
# "cp", computed property: use a special field in the user
# entry to find all groups
# --> computedGroupProp retired
# Default: "ru"
##resolveGroups

# If resolveGroups is set to "cp", this parameter must provide
# the field name to look for in the user entry that denotes
# the user groups
# Default: None
##computedGroupProp=

# If the LDAP connection is protected by SSL/TLS, this
# parameter must be set.
# Valid Values: 0, 1
# Default: 0
##ldapSSLConnection=1
[SSX_CONFIGURATION-END]
[SSX_CONFIGURATION]
# This is a sample properties file for the case
# when authType is ADSI and the user database is Active Directory

# Specifies the authentication type.
# Is Required: Yes
# Valid values: {"OS", "TEXT", "LDAP", "ADSI"}
# Default Value: None
authType=ADSI

# Specifies the name of the AD Forest.
# Is Required: No, but should be specified
# Example: "dc=mycom,dc=com"
# (with a possible domain called "dc=eur,dc=mycom,dc=com")
# Default Value: None
##adsiForestDn

# Seconds how long an authenticated user remains in the cache.
# Is Required: No
# Valid values:
# 0 - No cache
# Min: 1, Max: No limit
# Default value: 180
cacheTime=12

# Specify the max. number of cached users that have been successfully
# authenticated. When the cache overflows, the oldest entry is removed.
# Is Required: No
# Valid values:
# 0 - No cache
# Min: 1, Max: No limit
# Default value: 300
cacheSize=4

# Time (in seconds) how long to ignore any further authentication
# requests for a particular User-Id.
# Is Required: No
# Valid values:
# Min: 1, Max: No limit
# Default value: 100
denyTime=4

# Number of invalid logon attempts.
# Is Required: No
# Valid values:
# Min: 1, Max: No limit
# Default value: 3
denyCount=3

# Specifies an output file for logging.
# Is Required: No
# Valid values: (Valid log file path)
# Default Value: None
# nativeLogFile=SIN_SSX.log
logCallback=true

# Specifies the log level.
# Is Required: No
# Valid values:
# 0 - No logging
# Min: 1
# Max: 6
# Default Value: None
##nativeLogLevel=0

# Specifies the log file.
# Is Required: No
# Valid values:
# fully qualified file name
# No default value
##nativeLogFile=SAGSSXCLIENTA_SSX.LOG

# In case the scope for the node to access users needs to be limited,
# one can specify a particular subtree:
# Example: "ou=user,ou=Rnd,dc=mycom,dc=com"
##adsiPersonBindDn

# In case the scope for the node to access groups needs to be limited,
# one can specify a particular subtree:
# Example: "ou=groups,ou=Rnd,dc=mycom,dc=com"
##adsiGroupBindDn

# By default, the first "dc=" occurrence within the distinguished
# name string denotes the domain name.
# If additional abbreviations are to be defined, use
# the following 2 parameters.
# Example: Short="RnD;Admins;board"
# with Dn="ou=Rnd,ou=user,dc=mycom,dc=com;ou=Administrators,dc=mycom,dc=com;ou=VIP,dc=mycom,dc=com"
##adsiDomainShort
##adsiDomainDn

# If the automatic domain name should NOT be used to compose
# the canonical user id (SSXGetCanonicalUserId_A/W),
# specify this part of the ID here.
##canonicalDomainName

# Three algorithms are supported to find the groups of a user:
# "ru", recurse up: take the group pointer from the user entry
# and continue to search up for all groups found
# "rd", recurse down: search for all groups that have the
# user as member (no recursion)
# "cp", computed property: use a special field in the user
# entry to find all groups
# --> computedGroupProp retired
# Default: "ru"
##resolveGroups

# If resolveGroups is set to "cp", this parameter must provide
# the field name to look for in the user entry that denotes
# the user groups
# Default: None
##computedGroupProp=
[SSX_CONFIGURATION-END]
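As an added example (not part of the SSXLoginModule or its documentation), the following reads an [SSX_CONFIGURATION] block in the properties format used by all four templates and checks it against the constraints they document: the authType value set, the numeric ranges for nativeLogLevel, cacheTime, cacheSize, denyTime and denyCount, the internalRepository file for TEXT, the required personBindDn/groupBindDn for LDAP, and whether an LDAP setup leaves the bind unprotected (neither ldapSSLConnection nor ldapStartTls set). The constructed sample reproduces a detail of the LDAP template worth catching: personBindDn is marked required but ships commented out.

```python
AUTH_TYPES = {"OS", "TEXT", "LDAP", "ADSI"}
# Documented numeric ranges; None means "Max: No limit".
RANGES = {"nativeLogLevel": (0, 6), "cacheTime": (0, None), "cacheSize": (0, None),
          "denyTime": (1, None), "denyCount": (1, None)}

def parse_ssx_config(text: str) -> dict:
    """key=value lines between [SSX_CONFIGURATION] and [SSX_CONFIGURATION-END];
    '#' starts a comment, so '##key' is a parameter the template leaves disabled."""
    params, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[SSX_CONFIGURATION]":
            inside = True
        elif line == "[SSX_CONFIGURATION-END]":
            break
        elif inside and line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def check_ssx_config(params: dict) -> list:
    problems = []
    auth = params.get("authType")
    if auth not in AUTH_TYPES:
        problems.append(f"authType must be one of {sorted(AUTH_TYPES)}, got {auth!r}")
    for key, (lo, hi) in RANGES.items():
        val = params.get(key)
        if val is not None and (not val.isdigit() or int(val) < lo
                                or (hi is not None and int(val) > hi)):
            problems.append(f"{key}={val} outside documented range")
    if auth == "TEXT" and "internalRepository" not in params:
        problems.append("TEXT needs internalRepository (file created by ssxtxtpasswd)")
    if auth == "LDAP":
        for key in ("personBindDn", "groupBindDn"):
            if key not in params:
                problems.append(f"{key} is required for LDAP")
        # A simple bind sends the password in clear unless the connection is
        # protected (ldapSSLConnection=1) or upgraded (ldapStartTls=1).
        if params.get("ldapSSLConnection") != "1" and params.get("ldapStartTls") != "1":
            problems.append("LDAP bind unprotected: set ldapSSLConnection=1 or ldapStartTls=1")
    return problems

# Constructed sample: the LDAP template with its bind DNs still commented out.
SAMPLE_LDAP = """[SSX_CONFIGURATION]
authType=LDAP
serverType=OpenLDAP
# personBindDn=ou=User,o=Org,dc=mycom,dc=com
##ldapSSLConnection=1
[SSX_CONFIGURATION-END]"""
```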