CentraSite 10.7 | CentraSite Administrator’s Guide | Configuring CentraSite | Configuring User Authentication and Repositories
 
Configuring User Authentication and Repositories
 
User Authentication Configurations
Configuring Internal Authentication Type
Configuring LDAP Authentication Type
Logging of Login Authentication Messages
Transforming and Migrating Internal and LDAP Configuration Data
User Authentication
Authentication is the process of validating a user's login credentials (for example, the user's certificate, or user ID and password) that match the credentials known to the system. CentraSite can use a number of different data sources, known as domains, to validate a user's credentials; these currently include the following:
*An internal text file
*Microsoft Active Directory (AD), when used through LDAP
*LDAP
This document is intended for customers who wish to configure CentraSite's user authentication features.
Assumptions
If an external repository, for example LDAP, is used, this topic assumes that it has already been set up and that you have the necessary expertise and privileges to perform administrative tasks. Usually, the use of CentraSite does not influence any design decisions that were made in setting up an external user repository; CentraSite just needs to know how to access the users and groups of the user repository.
User Repositories
A user repository is in general terms a set of user credentials (optionally including user certificates and so on), with the possible addition of information such as the groups to which a user belongs, the user's address, telephone number and the email address. Often, an enterprise implements a central user repository that can be used by applications throughout a network to authenticate users; when a user tries to log in to an application, the application issues a request to the user repository to check whether the user credentials supplied are valid. Usually the user repository is created and maintained separately from the applications that use it.
A newly-installed CentraSite system is configured to authenticate users against an internal text file. This is intended to enable an administrator to log in and modify the configuration as required to meet enterprise requirements; typically, and in particular if you are working in a distributed environment, where one or more Application Server Tiers and a separate Registry or Repository are involved, an external repository such as Active Directory or LDAP will form the core of the authentication process.
Selecting a User Repository for Authentication
Access to information stored in CentraSite generally requires a user name and password, to ensure that data can only be stored, modified or retrieved by authorized users. CentraSite supports the following types of user repository:
*An internal text file
*LDAP (for example Sun, OpenLDAP, ADS)
CentraSite maintains information about each kind of user repository in so-called authentication configurations. An authentication configuration specifies the type of user repository to be used and any parameters that are required to configure the user repository. CentraSite is delivered with one predefined authentication configuration, namely the configuration to use an internal text file and this configuration is the default configuration. You can define additional authentication configurations; also, you can set any one of the defined configurations to be the default configuration.
In general, user authentication information is stored in the user repository, not in CentraSite. CentraSite can contain a copy of selected data fields from the user repository for each registered CentraSite user. The user information in the CentraSite user registry is stored in objects of the type User. You can associate a CentraSite user object with a user in a user repository. In this case you can map data fields from the user repository into the user object in the CentraSite registry. The data in the mapped data fields is visible when you display the user object in CentraSite.
Domain Names of User Repositories
Each user repository is uniquely identified by a domain name. A user in a user repository is uniquely identified by the combination of domain name and user name.
When you log in to CentraSite Control, you must supply the name of a domain in which you are registered and your user name, in the format <DomainName>\<UserName> , for example, Headquarters\JSmith.
The domain name for an authentication configuration of type Internal is always INTERNAL. Since this name is fixed, there can be only one such configuration defined per instance of the CentraSite registry.
Default User Repository
While CentraSite is running, there is always exactly one default user repository. When you install CentraSite, the default user repository is set to the internal text file. You can change the default to any other user repository for which an authentication configuration exists.
Users who are registered in the default user repository can omit the domain name when they log in. For example, if the domain Headquarters is the default domain and it contains a user whose user name is JSmith, then this user can log in as JSmith instead of Headquarters\JSmith. Users who are not registered in the default user repository must always use the format <DomainName>\<UserName> to log in.
Notes on User Authentication in CentraSite
Case Sensitivity
User names and domain names are treated as either case sensitive or case insensitive, according to the configured authentication mechanism.
INTERNAL authentication
case sensitive
Active Directory authentication
case insensitive
LDAP authentication
case insensitive
Working in an Offline Environment
If you wish to work in an offline environment, for example on a laptop computer that is not connected to the network, you should be aware of certain restrictions that apply in the area of authentication.
Important:
When CentraSite is installed in an environment where the users are authenticated against a central service, for example an LDAP server, authentication does not work if the machine is disconnected from the network. So if you intend to use CentraSite on a mobile device when it is not connected to the network, ensure that at least one user is available who can also be authenticated offline, for example from an internal or local LDAP user repository.