Creating and Maintaining Authentication Configurations
Pre-requisites:
To configure the user authentication settings through the CentraSite Command Line Interface, you must have the CentraSite Administrator role.
Authentication for the CentraSite Registry or Repository is configured with default settings during installation. You can define additional authentication configurations, and you can make one of these additional configurations the default.
The default authentication configuration determines the user repository that is used to authenticate users who log on to CentraSite. Initially, the default user repository is CentraSite's own user repository, which has the domain name INTERNAL. You might want to define additional configurations that define, for example, an LDAP user repository.
CentraSite provides a set of command tools for this purpose.
You can use these tools to perform the following tasks:
* Create an authentication configuration
* Modify an authentication configuration
* Delete an authentication configuration
  Keep the following points in mind:
  * If you do not require a particular authentication configuration any more, you can delete it from the list of available configurations.
  * You cannot remove the pre-installed domain INTERNAL.
  * If you remove a configuration that is the current default configuration, the configuration is removed and the default reverts to the INTERNAL configuration.
  * To delete an existing authentication configuration, use the command named remove Authentication.
  Note:
  When you delete an authentication configuration, CentraSite does not delete the user objects that are associated with this configuration. Thus, these users are displayed in the list of users in CentraSite Business UI, even though the domain to which they belong is no longer accessible to CentraSite.
* Set a default authentication configuration
  Keep the following points in mind:
  * If you have defined more than one authentication configuration, you can change the current default configuration to one of the other configurations.
  * The user domain of the new default configuration must include at least one user who is defined in CentraSite with the CentraSite Administrator role; otherwise, you are prompted to enter a user who is defined as administrator in that configuration.
  * To set a new default authentication configuration, use the command named set DefaultDomain.
  * If the user domain of the configuration that you wish to set as the default does not contain any user who is defined in CentraSite with the CentraSite Administrator role, a dialog appears, asking you to provide the user name and password of a domain user who is to be granted this role in CentraSite.
  * If the user already exists in CentraSite, but does not have the CentraSite Administrator role, the role is granted to the user. If the user does not exist in CentraSite, a user with the given user name is created in CentraSite and is granted the CentraSite Administrator role.
  * The dialog also allows you to specify an organization for the user, in cases where the user did not already exist in CentraSite. The newly created CentraSite user is assigned to this organization. If you do not specify an organization, the user is assigned to the default organization.
  * Users who are in the default domain can log in without having to specify the domain name, but they can specify the domain name if they wish. Users who are not in the current default domain always have to specify the domain name when logging in.
  * If your default authentication configuration contains only one user who has the CentraSite Administrator role in CentraSite, it is not possible to delete this user from CentraSite, or to remove the CentraSite Administrator role from the user. This is because the default configuration must always contain at least one user who is defined in CentraSite with the CentraSite Administrator role.
  * If you try to log in to a CentraSite component by supplying a user name and password but no domain name, the authentication mechanism assumes that you belong to the domain of the default configuration and authenticates you against this domain. If you change the default configuration as described above and subsequently try to log in to a CentraSite component, you must supply your domain name in addition to your user name, so that the authentication mechanism knows which domain to use to check your credentials.
  * When you set a new default authentication configuration, you might want to change the association between CentraSite users (that is, CentraSite registry objects representing users) and users in the external user repository.
* List the names of all defined authentication configurations
* List details of a specific authentication configuration
* Validate that an authentication configuration is correctly specified
* Listing Names of Existing Authentication Configurations: Run the command list Authentication.
The syntax is of the format: C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd list Authentication
Note:
The list also indicates the default configuration.
The response to this command could be:
Executing the command : list Authentication

Successfully executed the command : list Authentication
* Obtaining Details of an Authentication Configuration: To fetch the details of an existing authentication configuration, run the command get Authentication.
The syntax is of the format: C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd get Authentication -domain <DOMAIN>
The input parameters are:
Parameter   Description
DOMAIN      The domain name of the user repository associated with the configuration.
Example (all in one line):
C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd get Authentication -domain LDAPDomain
The response to this command could be:
Executing the command : get Authentication

Domain Name Domain Type
--------------------------------------
LDAPDomain LDAP

Properties:
useaf: "false"
userrootdn: "ou=people,ou=gdm,o=sag"
personobjclass: "inetOrgPerson"
uidprop: "cn"
url: "ldap://daeqarh01:10389"
noPrinIsAnonymous: "false"
groupobjclass: "groupOfUniqueNames"
usecaching: "false"
applyDomain: "true"
gidprop: "cn"
createGroupProperties: "true"
alias: "LDAPDomain"
memberinfoingroups: "true"
creategroups: "true"
createUserProperties: "true"
mattr: "uniqueMember"
grouprootdn: "ou=groups,ou=gdm,o=sag"

User Mappings:
displayName: "personName:fullName"
mail: "emailAddresses:emailAddress:address"
sn: "personName:lastName"

Group Mappings:
description: "description"


Successfully executed the command : get Authentication
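The response format above can be parsed for configuration review. The following is an added example, not part of the CentraSite documentation or tooling: it parses a `get Authentication` response and flags a repository `url` that uses the `ldap://` scheme rather than `ldaps://`. The function names and the trimmed sample text are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, trimmed from the response format shown above.
SAMPLE = '''Executing the command : get Authentication

Domain Name Domain Type
--------------------------------------
LDAPDomain LDAP

Properties:
useaf: "false"
url: "ldap://daeqarh01:10389"
usecaching: "false"

User Mappings:
mail: "emailAddresses:emailAddress:address"

Successfully executed the command : get Authentication
'''

SECTIONS = ("Properties", "User Mappings", "Group Mappings")
KV = re.compile(r'^(\w+):\s*"(.*)"$')   # lines of the form  key: "value"

def parse_get_authentication(text):
    """Return {'domain', 'type', and one {key: value} dict per section}."""
    cfg = {name: {} for name in SECTIONS}
    section, after_rule = None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line and set(line) == {"-"}:       # dashed rule under the header row
            after_rule = True
        elif after_rule and line:             # next non-empty row: "<name> <type>"
            cfg["domain"], cfg["type"] = line.split(None, 1)
            after_rule = False
        elif line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
        elif section and (m := KV.match(line)):
            cfg[section][m.group(1)] = m.group(2)
    return cfg

def findings(cfg):
    """Flag a repository URL that uses the ldap:// scheme instead of ldaps://."""
    url = cfg["Properties"].get("url", "")
    if urlsplit(url).scheme.lower() == "ldap":
        return [f"{cfg['domain']}: url {url} uses ldap:// rather than ldaps://"]
    return []

if __name__ == "__main__":
    for finding in findings(parse_get_authentication(SAMPLE)):
        print(finding)
```
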
* Setting a Default Authentication Configuration: To set the default authentication configuration in CentraSite, run the command set DefaultDomain.
The syntax is of the format: C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd set DefaultDomain -domain <DOMAIN>
The input parameters are:
Parameter   Description
DOMAIN      The domain name of the user repository associated with the configuration.
Important:
An authentication configuration containing the specified domain must already exist in CentraSite.
Note:
If you have set up multiple CentraSite instances in cluster mode, ensure that you execute the set DefaultDomain command individually in each of these CentraSite instances in the cluster.
Example (all in one line):
C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd set DefaultDomain -domain LDAPdomain
The response to this command could be:
Executing the command : set DefaultDomain

Successfully executed the command : set DefaultDomain
* Adding an Authentication Configuration: To add a new authentication configuration to CentraSite, run the command set Authentication.
The syntax is of the format: C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd set Authentication -domain <DOMAIN>
The input parameters are:
Parameter   Description
DOMAIN      The domain name of the user repository associated with the configuration.
When adding an LDAP configuration, the values you enter for the command parameters are evaluated against the specified LDAP server. Make sure that the corresponding LDAP server is available and running.
Example (all in one line):
C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd set Authentication -domain LDAPdomain
The response to this command could be:
Executing the command : set Authentication
Successfully executed the command : set Authentication
* Modifying an Authentication Configuration: To modify an existing authentication configuration, run the command set Authentication.
The syntax is of the format: C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd set Authentication -domain <DOMAIN>
The input parameters are:
Parameter   Description
DOMAIN      The domain name of the user repository associated with the configuration.
When modifying an LDAP configuration, the values you enter for the command parameters are evaluated against the specified LDAP server. Ensure that the corresponding LDAP server is available and running.
Example (all in one line):
C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd set Authentication -domain LDAPdomain
The response to this command could be:
Executing the command : set Authentication
Successfully executed the command : set Authentication
* Removing an Authentication Configuration: To remove an existing authentication configuration, run the command remove Authentication.
The syntax is of the format: C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd remove Authentication -domain <DOMAIN>
The input parameters are:
Parameter   Description
DOMAIN      The domain name of the user repository associated with the configuration.
Note:
Keep the following points in mind:
* You cannot remove the pre-installed domain INTERNAL.
* You also cannot remove a configuration that is the current default configuration. If you want to delete such a configuration, you must first change the default configuration to another configuration.
Example (all in one line):
C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd remove Authentication -domain LDAPdomain
The response to this command could be:
Executing the command : remove Authentication
Successfully executed the command : remove Authentication