Creating and Maintaining Authentication Configurations
Pre-requisites:
To configure the user authentication settings through the CentraSite Command Line Interface, you must have the CentraSite Administrator role.
The authentication in the CentraSite Registry or Repository is configured with default settings during installation. You can define additional authentication configurations, and you can change the default configuration to be one of the additional configurations.
The default authentication configuration determines the user repository that is used to authenticate users who log on to CentraSite. Initially, the default user repository is CentraSite's own user repository, which has the domain name INTERNAL. You might want to define additional configurations that define for example an LDAP user repository.
CentraSite provides a set of command tools for this purpose.
You can use these tools to perform the following tasks:
Create an authentication configuration
Modify an authentication configuration
Delete an authentication configuration
Keep the following points in mind:
If you do not require a particular authentication configuration any more, you can delete it from the list of available configurations.
You cannot remove the pre-installed domain
INTERNAL.
If you remove a configuration that is the current default configuration, the configuration is removed and the default reverts to the INTERNAL configuration.
To delete an existing authentication configuration, use the command named
remove Authentication.
Note: When you delete an authentication configuration, CentraSite does not delete the user objects that are associated with this configuration. Thus, these users are displayed in the list of users in CentraSite Control, even though the domain to which they belong is no longer accessible to CentraSite.
Set a default authentication configuration
Keep the following points in mind:
If you have defined more than one authentication configuration, you can change the current default configuration to one of the other configurations.
The user domain of the new default configuration must include at least one user who is defined in
CentraSite with the
CentraSite Administrator role, otherwise you are prompted to enter a user who is defined as administrator in that configuration.
To set a new default authentication configuration, use the command named
set DefaultDomain.
If the user domain of the configuration that you wish to set to the default does not contain any user who is defined in
CentraSite with the
CentraSite Administrator role, a dialog appears, asking you to provide the user name and password of a domain user who has granted this role in
CentraSite.
If the user already exists in
CentraSite, but does not have the
CentraSite Administrator role, the role is granted to the user. If the user does not exist in
CentraSite, a user with the given user name is created in
CentraSite and is granted the
CentraSite Administrator role.
The dialog also allows you to specify an organization for the user, in cases where the user did not already exist in
CentraSite. The newly created
CentraSite user is assigned to this organization. If you do not specify an organization, the user is assigned to the default organization.
Users who are in the default domain can log in without having to specify the domain name, but they can specify the domain name if they wish. Users who are not in the current default domain always have to specify the domain name when logging in.
1. If your default authentication configuration contains only one user who has the CentraSite Administrator role in CentraSite, it is not possible to delete this user from CentraSite, or to remove the CentraSite Administrator role from the user. This is because the default configuration must always contain at least one user who is defined in CentraSite with the CentraSite Administrator role.
2. If you try to log in to a CentraSite component (for example, CentraSite Control) by supplying a user name and password but no domain name, the authentication mechanism assumes that you belong to the domain of the default configuration and authenticates you against this domain. If you change the default configuration as described above and subsequently try to log in to a CentraSite component, you must supply your domain name in addition to your user name, so that the authentication mechanism knows which domain to use to check your credentials.
When you set a new default authentication configuration, you might want to change the association between
CentraSite users (that is,
CentraSite registry objects representing users) and users in the external user repository.
List the names of all defined authentication configurations
List details of a specific authentication configurations
Validate that an authentication configuration is correctly specified
Listing Names of Existing Authentication Configurations: Run the command list Authentication. The syntax is of the format: C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd list Authentication
Note: The list also indicates the default configuration.
The response to this command could be:
Executing the command : list Authentication
Successfully executed the command : list Authentication
Obtaining Details of an Authentication Configuration: To fetch the details of an existing authentication configuration, run the command get Authentication. The syntax is of the format: C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd get Authentication -domain <DOMAIN>
The input parameters are:
Parameter | Description |
DOMAIN | The domain name of the user repository associated with the configuration. |
Example (all in one line):
C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd get Authentication -domain LDAPDomain
The response to this command could be:
Executing the command : get Authentication
Domain Name Domain Type
--------------------------------------
LDAPDomain LDAP
Properties:
useaf: "false"
userrootdn: "ou=people,ou=gdm,o=sag"
personobjclass: "inetOrgPerson"
uidprop: "cn"
url: "ldap://daeqarh01:10389"
noPrinIsAnonymous: "false"
groupobjclass: "groupOfUniqueNames"
usecaching: "false"
applyDomain: "true"
gidprop: "cn"
createGroupProperties: "true"
alias: "LDAPDomain"
memberinfoingroups: "true"
creategroups: "true"
createUserProperties: "true"
mattr: "uniqueMember"
grouprootdn: "ou=groups,ou=gdm,o=sag"
User Mappings:
displayName: "personName:fullName"
mail: "emailAddresses:emailAddress:address"
sn: "personName:lastName"
Group Mappings:
description: "description"
Successfully executed the command : get Authentication
Setting a Default Authentication Configuration: To set the default authentication configuration in CentraSite, run the command set DefaultDomain. The syntax is of the format: C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd set DefaultDomain -domain <DOMAIN>
The input parameters are:
Parameter | Description |
DOMAIN | The domain name of the user repository associated with the configuration. |
Important: An authentication configuration containing the specified domain must already exist in CentraSite.
Note: If you have set up multiple CentraSite instances in cluster mode, ensure that you execute the set DefaultDomain command individually in each of these CentraSite instances in the cluster.
Example (all in one line):
C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd set DefaultDomain -domain LDAPdomain
The response to this command could be:
Executing the command : set DefaultDomain
Successfully executed the command : set DefaultDomain
Adding an Authentication Configuration: To add a new authentication configuration to CentraSite, run the command set Authentication. The syntax is of the format: C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd set Authentication -domain <DOMAIN>
The input parameters are:
Parameter | Description |
DOMAIN | The domain name of the user repository associated with the configuration. |
When adding a LDAP configuration, the values you entered for the command parameters are evaluated against the specified LDAP server. Make sure that the corresponding LDAP server is available and running.
Example (all in one line):
C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd set Authentication -domain LDAPdomain
The response to this command could be:
Executing the command : set Authentication
Successfully executed the command : set Authentication
Modifying an Authentication Configuration: To modify an existing authentication configuration, run the command set Authentication. The syntax is of the format: C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd set Authentication -domain <DOMAIN>
The input parameters are:
Parameter | Description |
DOMAIN | The domain name of the user repository associated with the configuration. |
When modifying a LDAP configuration, the values you entered for the command parameters are evaluated against the specified LDAP server. Ensure that the corresponding LDAP server is available and running.
Example (all in one line):
C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd set Authentication -domain LDAPdomain
The response to this command could be:
Executing the command : set Authentication
Successfully executed the command : set Authentication
Removing an Authentication Configuration: To remove an existing authentication configuration, run the command remove Authentication. The syntax is of the format: C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd remove Authentication -domain <DOMAIN>
The input parameters are:
Parameter | Description |
DOMAIN | The domain name of the user repository associated with the configuration. |
Note: Keep the following points in mind:
You cannot remove the pre-installed domain
INTERNAL.
You also cannot remove a configuration that is the current default configuration. If you want to delete such a configuration, you must first change the default configuration to another configuration.
Example (all in one line):
C:\SoftwareAG\CentraSite\utilities>CentraSiteCommand.cmd remove Authentication -domain LDAPdomain
The response to this command could be:
Executing the command : remove Authentication
Successfully executed the command : remove Authentication