Broker 10.5 | webMethods Broker Documentation | Administering webMethods Broker | Managing Broker Security | Securing Broker Server Using Basic Authentication | Basic Authentication Configuration File | Basic Authentication Configuration Parameters
 
Basic Authentication Configuration Parameters
The following table provides details of the parameters you configure in the basic authentication configuration file. Each entry gives the parameter name, the value to specify (with its default where one exists), and the configurations the parameter is applicable to.
adsi-domain-dn
This value (together with adsi-domain-short) lets you create a mapping of short names (specified in the domain parameter) to long (distinguished name) entries.
Note:
The elements are positional and must match the adsi-domain-short entry in number.
Example:
dc=euro,dc=myorg,dc=com;dc=usa,dc=myorg,dc=com;ou=developers,dc=euro,dc=myorg,dc=com
Default: None.
Applicable to: ADSI
adsi-domain-short
A semi-colon separated list of domain names, or specific nodes, or both.
This value (together with adsi-domain-dn) lets you create a mapping of short names to long (distinguished name) entries.
Note:
The elements are positional and must match in number with the adsi-domain-dn entry.
Example: euro;usa;euro-developers
Default: None.
Applicable to: ADSI
adsi-forest-dn
The distinguished name of the ADSI forest. This value is used numerous times when accessing the Active Directory.
Example: dc=myorg,dc=com
Applicable to: ADSI
adsi-group-base-binddn
The BindDN that is used to access a group.
Note:
This parameter is only useful when all groups that are accessed are found in the same node. Otherwise, specifying this value is optional.
Default: None.
Applicable to: ADSI
adsi-person-base-binddn
The BindDN that is used to access a user.
Note:
This parameter is only useful when all users that are accessed are found in the same node. Otherwise, specifying this value is optional.
Default: None.
Applicable to: ADSI
alias
An alias marks the beginning of a set of directory type configuration parameters. In general, an authtype entry is specified below an alias entry followed by the directory-type specific configuration parameters.
Applicable to: All configurations
alias-max-disable-time
The maximum time, in seconds, for which an unresponsive alias is disabled.
Default: 120 seconds.
Applicable to: All configurations
alias-min-disable-time
The minimum time, in seconds, for which an unresponsive alias is disabled.
Default: 30 seconds.
Applicable to: All configurations
authtype
The authentication system you want to use for authentication:
*OS (native operating system)
*LDAP (LDAP server)
*ADSI (Active Directory Server Interface, Windows only)
Default: None.
Applicable to: All configurations
defaultdomain
A domain name that Broker must use when no domain name is specified while authenticating a user.
Default: None.
Applicable to: All configurations
defaultgroup
A default group name that Broker must use when no group name is specified while authenticating a user.
Default: None.
Applicable to: OS, LDAP
ldap-allow-domain-as-base-binddn
Boolean value.
If the value is "true" or "1", the domainname parameter is interpreted as a BaseBindDN. If defaultdomain is set, its value is interpreted as the BaseBindDN.
Default: None.
Applicable to: LDAP
ldap-allow-domain-as-base-bind-dn
Boolean value.
If the value is "true" or "1", the parameter "domainname" will be interpreted as a BaseBindDN.
Example: ou=People,dc=myorg,dc=com
Note:
If you do not specify the domain name explicitly while the defaultdomain parameter is already set, this value is interpreted as the BaseBind domain name.
Default: None.
Applicable to: LDAP
ldap-domain-long
Distinguished names of LDAP nodes.
This value (together with ldap-domain-short) lets you create a mapping of short names (specified in the domain parameter) to long (distinguished name) entries. Note that the elements are positional and must match the ldap-domain-short entry in number.
Example:
dc=euro,dc=myorg,dc=com;dc=usa,dc=myorg,dc=com;ou=developers,dc=euro,dc=myorg,dc=com
Default: None.
Applicable to: LDAP
ldap-domain-short
A semicolon-separated list of short domain names.
This value (together with ldap-domain-long) lets you create a mapping of short names to long (distinguished name) entries.
Note:
The elements are positional and must match the ldap-domain-long entry in number.
Example: euro;usa;euro-developers
Default: None.
Applicable to: LDAP
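The positional short-to-long mapping described for ldap-domain-short/ldap-domain-long (and equally for adsi-domain-short/adsi-domain-dn), worked through as an added example that is not code from the Broker documentation. The function names are hypothetical; the sample values are the table's own examples, and the base DN and bind DN assembly follows the ldap-allow-domain-as-base-binddn, defaultdomain and ldap-userid-field descriptions.

```python
from typing import Dict, Optional

# Added example, not code from the webMethods Broker documentation. It validates the
# positional short/long domain mapping of ldap-domain-short/ldap-domain-long (the
# adsi-domain-short/adsi-domain-dn pair follows the same rule) and shows how the base
# DN and the user bind DN are assembled. Function names are hypothetical; the sample
# values are the table's own examples.


def parse_domain_mapping(short_list: str, long_list: str) -> Dict[str, str]:
    """Build {short_name: distinguished_name} from the two semicolon-separated lists."""
    shorts = [s.strip() for s in short_list.split(";") if s.strip()]
    longs = [d.strip() for d in long_list.split(";") if d.strip()]
    # The lists are positional: a count mismatch is a configuration error, never
    # something to truncate silently to the shorter list.
    if len(shorts) != len(longs):
        raise ValueError(f"domain mapping mismatch: {len(shorts)} short names, {len(longs)} DNs")
    if len({s.lower() for s in shorts}) != len(shorts):
        raise ValueError("duplicate short domain name")
    return {s.lower(): d for s, d in zip(shorts, longs)}


def resolve_base_dn(mapping: Dict[str, str], domain: Optional[str],
                    default_domain: Optional[str], allow_domain_as_base_dn: bool = False) -> str:
    """Return the base DN for a domain, falling back to defaultdomain when none is given."""
    name = domain or default_domain
    if not name:
        raise ValueError("no domain given and defaultdomain is not set")
    dn = mapping.get(name.lower())
    if dn is None and allow_domain_as_base_dn:
        # ldap-allow-domain-as-base-binddn: an unmapped domain is taken literally as
        # the BaseBindDN, e.g. ou=People,dc=myorg,dc=com.
        return name
    if dn is None:
        raise KeyError(f"unknown domain short name: {name}")
    return dn


def user_bind_dn(userid_field: str, user: str, base_dn: str) -> str:
    """Prefix the base DN with ldap-userid-field, as done for the LDAP bind call."""
    return f"{userid_field}={user},{base_dn}"


# Sample values, taken from the examples in the parameter table.
SAMPLE_SHORT = "euro;usa;euro-developers"
SAMPLE_LONG = ("dc=euro,dc=myorg,dc=com;dc=usa,dc=myorg,dc=com;"
               "ou=developers,dc=euro,dc=myorg,dc=com")
```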
ldap-group-base-binddn
Distinguished Name for LDAP where the groups are to be found (see also ldap-person-base-binddn).
Default: None.
Applicable to: LDAP
ldap-groupid-field
Property name that denotes a group entry.
Default: None.
Applicable to: LDAP
ldap-group-objectclass
All object classes that are required to store a new group entry (comma separated list).
Default: None.
Applicable to: LDAP
ldap-group-property-attr
Property names that can be accessed for a group entry.
The value is a comma-separated list of property names. Optionally, a property name may be followed by ":w" or ":r", depending on whether the property is writable (w) or read-only (r).
Default: None.
Applicable to: LDAP
ldap-group-prs-attr
Property name of a group entry that points to the members of this group.
Default: None.
Applicable to: LDAP
ldap-passwd-field
Property name that denotes the password field of a user entry.
Default: None.
Applicable to: LDAP
ldap-person-base-binddn
Distinguished Name for LDAP where the authentication information is stored. While authenticating, this value will be prefixed with ldap-userid-field when issuing the LDAP authentication call.
Default: None.
Applicable to: LDAP
ldap-person-grp-attr
Property name of a user entry that points to the group that the user is member of.
Default: None.
Applicable to: LDAP
ldap-person-objectclass
All object classes that are required to store a new user entry (comma separated list).
Default: None.
Applicable to: LDAP
ldap-person-property-attr
Property names that can be accessed for a user entry.
The value is a comma-separated list of property names. Optionally, a property name may be followed by ":w" or ":r", depending on whether the property is writable (w) or read-only (r).
Default: None.
Applicable to: LDAP
ldap-sasl-auth
Boolean value that forces the use of SASL (DIGEST-MD5) authentication, so that no passwords are transmitted over the wire. Make sure the LDAP server supports this mechanism.
Default: false
Applicable to: LDAP
ldap-server-type
LDAP server type. Specifying this value will internally set the appropriate default values.
The available server types are:
*ActiveDirectory
*SunOneDirectory
*OpenLdap
Default: OpenLdap
Applicable to: LDAP
ldap-ssl-connection
Boolean value for enabling or disabling the SSL connection for LDAP.
Default: false or 0 (zero)
Applicable to: LDAP
ldap-start-tls
Boolean value that enforces a secure (TLS/SSL) connection before any data traffic starts.
Default: None.
Applicable to: LDAP
ldap-userid-field
Property name that denotes a user entry.
Example:
For the DN uid=user01,ou=Test,dc=myorg,dc=com, the value is "uid".
Default: None.
Applicable to: LDAP
logfile
An output file for logging.
Default: basicauth.log
Applicable to: All configurations
loglevel
The log level. This value ranges from 0 (zero) for no logging to 6 (six) for maximum logging.
Default: 1 (Minimum logging)
Applicable to: All configurations
os-win-auth-no-domain-force-local
Boolean value.
When no domain is specified and this flag is on, only the local machine is checked for user authentication. If this flag is off, authentication automatically includes the domain that the machine is currently logged on to.
Default: false or 0 (zero)
Applicable to: OS (Windows only)
os-win-auth-user-exist
When you authenticate a user on the Windows 2000 operating system, the Security Support Provider Interface (SSPI) method is used by default. This method has a flaw: if the Guest account is enabled (and has no password), SSPI authentication succeeds for any unknown user ID.
Setting this value to "true" or "1" enforces an additional check that the user really exists and is not silently mapped to the Guest account.
Default: true
Applicable to: OS (Windows 2000 only)
os-win-check-local-groups
Boolean value.
If this flag is on ("true" or "1"), group membership is also validated against the local (PC) groups, not only the domain groups.
Default: false or 0 (zero)
Applicable to: OS (Windows only)
os-win-logonuser-on-2000
Boolean value.
By default, SSPI is used to authenticate a user on Windows 2000 because the more common method, LogonUser(), requires additional rights for the caller. LogonUser() is still the preferred way: if the caller is granted the "Act as part of the operating system" right, it is the less error-prone method.
Default: false
Applicable to: OS (Windows 2000 only)
os-win-no-impersonation
Boolean value that specifies whether any data access should be made under the impersonated user ID of the logged on user (false), or whether every access is made under the account of the running process (true).
Default: false
Applicable to: OS (Windows only)
resgroup-computed-property
Name of the computed property that is read while resolving group membership when the resolve-groups parameter is set to "ComputedProperty".
Default: None.
Applicable to: LDAP
resolve-groups
The method you use to find all the groups that the user is a member of:
*RecurseUp (or RU). Use an attribute of the user to find the direct groups the user is a member of. Then continue up, using the same attribute until all groups are found.
*RecurseDown (or RD). Perform one search for all groups that contain this user as a member. This search only finds the direct groups for a user.
*ComputedProperty (or CP). Use a specific field that is a computed property and not a static field (evaluated at runtime by the LDAP server), to retrieve all group information in one call.
Default: RecurseUp
Applicable to: LDAP
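The three resolve-groups methods above, modelled over a small constructed directory as an added example (not code from the Broker documentation) so that the difference in what each method finds is visible: RecurseDown returns only the direct groups, while RecurseUp and ComputedProperty return the nested ones as well. The dictionaries and attribute names are assumptions standing in for the LDAP server the alias points to.

```python
# Added example, not code from the Broker documentation: a small in-memory model of
# the three resolve-groups methods, so the difference in what each one finds is
# visible. The directory content and attribute names are constructed; in Broker the
# lookups go to the LDAP server configured for the alias.

# USER_GROUPS / GROUP_PARENTS: the attribute named by ldap-person-grp-attr
# (e.g. memberOf) on user and group entries, read by RecurseUp.
USER_GROUPS = {"cn=alice": ["cn=developers"]}
GROUP_PARENTS = {"cn=developers": ["cn=staff"], "cn=staff": ["cn=everyone"], "cn=everyone": []}
# GROUP_MEMBERS: the attribute named by ldap-group-prs-attr (e.g. member), searched by RecurseDown.
GROUP_MEMBERS = {"cn=developers": ["cn=alice"], "cn=staff": ["cn=developers"], "cn=everyone": ["cn=staff"]}
# COMPUTED: the server-evaluated attribute named by resgroup-computed-property.
COMPUTED = {"cn=alice": ["cn=developers", "cn=staff", "cn=everyone"]}


def recurse_up(user):
    """RecurseUp: follow the user's group attribute, then each group's, until nothing new appears."""
    found = []
    todo = list(USER_GROUPS.get(user, []))
    while todo:
        group = todo.pop(0)
        if group in found:
            continue  # guard against group cycles, which would otherwise loop forever
        found.append(group)
        todo.extend(GROUP_PARENTS.get(group, []))
    return found


def recurse_down(user):
    """RecurseDown: one search for groups whose member attribute lists the user (direct groups only)."""
    return [group for group, members in GROUP_MEMBERS.items() if user in members]


def computed_property(user):
    """ComputedProperty: read the precomputed membership in a single call."""
    return list(COMPUTED.get(user, []))


def resolve_groups(user, method="RecurseUp"):
    """Dispatch on the resolve-groups value, accepting the long and short spellings."""
    key = method.strip().upper()
    if key in ("RECURSEUP", "RU"):
        return recurse_up(user)
    if key in ("RECURSEDOWN", "RD"):
        return recurse_down(user)
    if key in ("COMPUTEDPROPERTY", "CP"):
        return computed_property(user)
    raise ValueError(f"unknown resolve-groups value: {method}")
```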
scan-all-alias
Boolean value.
If scan-all-alias=1, Broker Server scans all the aliases configured in the basicauth.cfg file before authenticating a user. In this case, basic authentication takes longer.
If scan-all-alias=0, Broker Server scans the aliases configured in the basicauth.cfg file in order and authenticates the user with the first alias that matches the user credentials; once a match is found, the remaining aliases are not scanned.
Default: 0 (false).
Applicable to: All configurations
serverhost
Name of the server.
Default: None.
Applicable to: LDAP, ADSI
serverport
Port number of serverhost.
Default: 389
Applicable to: LDAP, ADSI
ssx-ldap-search-timeout
The maximum time, in seconds, that the SSX API waits for the LDAP alias search status to be returned before timing out the authentication request from Broker.
Alternatively, you can use the SSX_LDAP_TIMEOUT environment variable to configure the time-out value.
Note:
When a value is specified for both the ssx-ldap-search-timeout property and the SSX_LDAP_TIMEOUT environment variable, the value of ssx-ldap-search-timeout takes precedence.
Default: 5 seconds
For configuring the alias disable time, see Disabling Basic Authentication Alias.
Applicable to: LDAP
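As an added example (not code from the Broker documentation), a checker that reads alias blocks from a basicauth.cfg and flags the settings in this table that leave credentials exposed: an LDAP alias with none of ldap-ssl-connection, ldap-start-tls or ldap-sasl-auth enabled, and an OS alias with os-win-auth-user-exist switched off. The "one key=value per line, alias starts a block" syntax is an assumption drawn from the alias and scan-all-alias descriptions, and the sample configuration is constructed.

```python
# Added example, not code from the Broker documentation: a checker for basicauth.cfg
# that flags alias blocks whose settings leave credentials exposed, using parameters
# from this table. The "one key=value per line" syntax is an assumption (the page
# shows only scan-all-alias=1); SAMPLE_CFG is constructed: a weak alias, then its fix.

TRUE_VALUES = {"true", "1"}

def parse_basicauth(text):
    """Group key=value lines into alias blocks; each 'alias' line starts a new block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "alias":
            current = {"alias": value}
            blocks.append(current)
        elif current is not None:
            current[key] = value
    return blocks

def is_true(block, key, default="false"):
    return block.get(key, default).strip().lower() in TRUE_VALUES

def check_alias(block):
    """Return the findings for one alias block (an empty list means nothing flagged)."""
    findings = []
    authtype = block.get("authtype", "").upper()
    if authtype == "LDAP":
        # Without TLS or SASL the simple bind sends the password in the clear.
        if not any(is_true(block, k) for k in
                   ("ldap-ssl-connection", "ldap-start-tls", "ldap-sasl-auth")):
            findings.append("plaintext LDAP bind: set ldap-ssl-connection, ldap-start-tls or ldap-sasl-auth")
    elif authtype == "OS":
        # Turning os-win-auth-user-exist off re-enables the SSPI Guest-account mapping.
        if not is_true(block, "os-win-auth-user-exist", default="true"):
            findings.append("os-win-auth-user-exist is off: unknown users may authenticate as Guest")
    elif authtype != "ADSI":
        findings.append(f"unknown or missing authtype: {authtype or '(none)'}")
    return findings

def check_config(text):
    return {block["alias"]: check_alias(block) for block in parse_basicauth(text)}

SAMPLE_CFG = ("alias=corp-ldap\nauthtype=LDAP\nserverhost=ldap.example.invalid\n"
              "serverport=389\nldap-ssl-connection=0\n\n"
              "alias=corp-ldap-tls\nauthtype=LDAP\nserverhost=ldap.example.invalid\n"
              "serverport=389\nldap-start-tls=1\n")
```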