Integration Server 10.3 | Integration Server Administrator's Guide | Configuring a Central User Directory or LDAP | Overview of How Integration Server Works with Externally Defined Users and Groups | How Integration Server Authenticates Externally Defined Clients
 
How Integration Server Authenticates Externally Defined Clients
When Integration Server authenticates a client using user names and passwords, Integration Server first attempts to find the user name and password internally. If Integration Server finds an internally-defined user account for the supplied user name, Integration Server authenticates the client using the internally-defined information. If the supplied password is correct, Integration Server proceeds with the request. If the supplied password is not correct, Integration Server rejects the request.
If Integration Server cannot find an internally-defined user account for the supplied user name, Integration Server accesses the external directory (either a central user directory or LDAP) to obtain user name and password information for the client. If Integration Server finds an externally defined user account, Integration Server authenticates the client using the externally defined information. For example, if a user account is defined in the My webMethods Server user directory, Integration Server authenticates the client using the information defined in the My webMethods Server database. If the supplied password is correct, the server proceeds with the request. If the supplied password is not correct, the server rejects the request.
Note:
If the passwords are contained in an external authentication system other than Central Users or LDAP, for example Kerberos, you must create your own pluggable module to obtain this information. See Customizing Authentication Using JAAS for information about setting up a pluggable module.
If the server cannot find either an internally or externally defined user account for the user, the server rejects the request.
If the user does not supply a user name or password, the server uses the internally-defined Default user account.
Note:
A user can be defined locally for a specific instance of Integration Server and in an external directory service available to the Integration Server instance. When a user who is defined in both places logs into the Integration Server Administrator, Integration Server authenticates the user with the privileges defined locally. If the user was defined with different privileges in the external directory service, those privileges are ignored. This occurs because Integration Server checks its local user list first. If the suppled user name exists and the password is correct, Integration Server does not check the external directory for the user account.If a user is defined locally and in an external directory service, make sure that the user has the same privileges locally and externally.