This documentation supports the 21.3 version of Action Request System.


Setting external authentication options

After you install an AREA plug-in, you can set up the AR System server to use external authentication. Users can be authenticated externally in the following ways:

  • To the operating system (UNIX only)—The AR System server authenticates to the operating system. The authentication string has no effect when authenticating to a UNIX operating system.
  • To the server domain (Windows)—The AR System server authenticates to the Windows server domain. If a value is entered in the Authentication String field, that value is used as the domain name to which the AR System server authenticates.
  • To the AREA service—If you have configured external authentication to an AREA service, the user name, password, and authentication values entered are provided to the AREA service.

Related topics

Two of these authentication methods use the authentication string described in Login and session information. See also Setting up an authentication alias.

Before you begin

Configure your server to use plug-ins (see Configuring a server to use plug-ins), and start the plug-in server (see AR System server components and AR System external utilities). 

To set AR System Administration: external authentication parameters

  1. In a browser, open the AR System Administration Console, and select System > General > Server Information.
    The AR System Administration: Server Information form appears.
  2. Click the EA tab.
  3. Edit the options, as needed:

    Field / Description
    External Authentication Server RPC Program Number

    Enables an external authentication (AREA) server. The RPC program number for the plug-in service is 390695. Entering no value or 0 disables authentication with an AREA service, and the AR System server accesses the operating system for authentication purposes.

    You must have an AREA server built and prepared before you set the RPC Socket number here.

    For information about configuring an AREA LDAP plug-in, see Using the AREA LDAP plug-in.

    External Authentication Server Timeout (seconds) > RPC

    Sets the time limit (in seconds) within which the plug-in server must respond to the AR System server when making external authentication (AREA) calls before an error is returned. If RPC is set to 0, the AR System server uses the default of 40 seconds.

    External Authentication Server Timeout (seconds) > Need To Sync

    Sets the interval for periodically invoking the AREA server's AREANeedToSyncCallback() call. If Need to Sync is set to 0, the AR System server does not invoke the call to the external authentication server. The default is 3600 seconds. For more information about the external authentication server, see Configuring a server to use plug-ins and AR System external authentication.

    Authenticate Unregistered Users

    Defines how AR System validates a user who has no record in the User form. When a user logs in to AR System, the server tries to validate the user against registered users (users who are listed in the User form). If a match is found, that user definition and the permissions specified in the matching User record are used. If no match is found, AR System continues trying to validate the user or stops the validation process depending on whether this option is selected. If the check box is:

    • Selected, and External Authentication is not configured—(Default on UNIX servers) On a UNIX server, AR System searches the /etc/passwd file or NIS password map for a match. If a match is found, the user is considered a valid user (not a guest) of the system. The UNIX group specification from the file or NIS is retrieved, and the user is considered a member of the AR System group whose Group ID matches the UNIX group. On a Windows server, AR System authenticates to the default domain. The optional authentication string that the user enters when logging in is used as the Windows domain name for authentication purposes. On Windows servers, the user is considered a member of the group whose Group ID is 0.
    • Selected, and External Authentication is configured—AR System sends a request to the external authentication server to authenticate the user. If a match is found, the user is considered a valid user (not a guest user) of the system. See Configuring a server to use plug-ins. The authentication string that the user enters when logging in is passed to the external authenticator for its use.
    • Cleared—(Default on Windows servers) AR System stops the validation process and manages the user as a guest user if Allow Guest Users is enabled. See ar.cfg or ar.conf options A-B.

    For information about configuring external authentication, see Setting ports and RPC numbers.

    Cross Reference Blank Password 

    Defines how AR System authenticates a user whose User form record has no password. When a user logs in, AR System searches its own database for that user. If the user has a password, the system uses it. If the Password field is empty, AR System proceeds according to whether Cross Reference Blank Password is selected or cleared:

    • Selected—AR System tries to validate the password against one of the following items:
      • An external authenticator if one is configured
      • The password in the Windows server domain
      • The UNIX server's /etc/passwd file
    • Cleared—(Default) AR System concludes that an empty password field means that the user has no password.

    In the Login window, users see an Authentication field. If the AR System server is running on Windows, the contents of this field are used as a domain name when the server authenticates the user with the operating system. If the server is instead configured to use an external authenticator, the contents of this field are passed to the authenticator. See Setting up an authentication alias.

    If you select Cross Reference Blank Password, make sure that it does not conflict with the User Password Management feature. If you enforce a password policy, AR System periodically forces users to set a password that cannot be blank. If a user's password is authenticated outside of AR System and that user sets a non-blank password, AR System performs the authentication itself. This is not an issue if a password policy is not enforced. If a policy is enforced, you must disable the policy for users whose passwords should be blank. For more information, see Enforcing a password policy introduction.

    Authentication Chaining Mode

    Specifies the order in which AR System tries to authenticate users when they log in:

    • Default—Disables authentication chaining.
    • ARS - AREA—AR System tries to authenticate the user by using the User form and then the AREA plug-in.
    • AREA - ARS—AR System tries to authenticate the user by using the AREA plug-in and then the User form.
    • ARS - OS - AREA—AR System tries to authenticate the user by using the User form, then Windows or UNIX authentication, and then the AREA plug-in.
    • ARS - AREA - OS—AR System tries to authenticate the user by using the User form, then the AREA plug-in, and then Windows or UNIX authentication.

    Group Mapping

    Specifies mappings between LDAP groups and AR System groups. This eliminates the need for one-to-one matches between LDAP and AR System groups. If you do not map groups, each LDAP group must have an exact AR System group match.

    Tip

    For maximum benefit, use Ignore Excess Groups and Group Mapping together.

    Ignore Excess Groups

    Enables AR System to authenticate a user when any LDAP group to which the user belongs matches an AR System group. Non-matching groups are ignored. If Ignore Excess Groups is cleared, authentication occurs only when each LDAP group matches an AR System group.
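
The Group Mapping and Ignore Excess Groups rules above can be checked against a directory export before the settings are changed. The following Python model is an added example, not BMC code; the function names and sample groups are constructed, and it assumes that a mapped LDAP name is translated before it is compared with AR System group names.

```python
# Added illustration, not BMC code: a model of the Group Mapping and
# Ignore Excess Groups rules as this page states them. Names are hypothetical.

def resolve_groups(ldap_groups, ar_groups, group_mapping, ignore_excess):
    """Return (authenticated, matched AR System groups, unmatched LDAP groups)."""
    matched, unmatched = [], []
    for ldap_name in ldap_groups:
        # Assumption: a mapped name is translated first; an unmapped name
        # must match an AR System group name exactly.
        ar_name = group_mapping.get(ldap_name, ldap_name)
        if ar_name in ar_groups:
            if ar_name not in matched:
                matched.append(ar_name)
        else:
            unmatched.append(ldap_name)
    if ignore_excess:
        ok = bool(matched)        # any matching group is enough
    else:
        ok = not unmatched        # every LDAP group must match
    # A user with no LDAP groups at all is outside what the page describes.
    return ok, matched, unmatched

def blocked_logins(directory, ar_groups, group_mapping, ignore_excess):
    """Map each user who would fail authentication to the groups that did not match."""
    report = {}
    for user, groups in directory.items():
        ok, _, unmatched = resolve_groups(groups, ar_groups, group_mapping, ignore_excess)
        if not ok:
            report[user] = unmatched
    return report

# Constructed sample data
AR_GROUPS = {"Helpdesk", "Change-Approvers"}
MAPPING = {"cn-helpdesk": "Helpdesk", "cn-cab": "Change-Approvers"}
DIRECTORY = {
    "asmith": ["cn-helpdesk", "cn-vpn-users"],
    "jdoe": ["cn-cab"],
    "mlee": ["cn-vpn-users"],
}

if __name__ == "__main__":
    for flag in (False, True):
        print("Ignore Excess Groups =", flag,
              blocked_logins(DIRECTORY, AR_GROUPS, MAPPING, flag))
```

With the sample data, clearing Ignore Excess Groups blocks a user whose only unmatched group is unrelated to AR System, and removing the mapping blocks every user even with the check box selected.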

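The Authenticate Unregistered Users and Cross Reference Blank Password descriptions above determine where each login is validated. This added Python example (not BMC code; the class, function and account names are hypothetical) models those rules and lists User form accounts that are treated as having no password. It assumes that AREA is used for blank-password users whenever it is configured, and that an unregistered login is refused when guests are not allowed.

```python
# Added illustration, not BMC code: a model of the login rules this page gives
# for Authenticate Unregistered Users and Cross Reference Blank Password.
# All class, function and account names are hypothetical.
from dataclasses import dataclass
from typing import Optional

@dataclass
class EASettings:
    rpc_program: Optional[int]       # External Authentication Server RPC Program Number
    authenticate_unregistered: bool  # Authenticate Unregistered Users
    cross_ref_blank_password: bool   # Cross Reference Blank Password
    allow_guest_users: bool          # Allow Guest Users
    platform: str                    # "unix" or "windows"

def external_source(s: EASettings) -> str:
    # No value or 0 disables the AREA service; the server then uses the OS.
    if s.rpc_program:
        return "AREA service"
    return "Windows server domain" if s.platform == "windows" else "UNIX operating system"

def validation_path(s: EASettings, record: Optional[dict]) -> str:
    """record is None when the login has no User form entry."""
    if record is None:
        if s.authenticate_unregistered:
            return external_source(s)
        # Cleared: validation stops. Refusing the login when guests are not
        # allowed is this model's assumption; the page covers only the guest case.
        return "guest" if s.allow_guest_users else "refused"
    if record["password"]:
        return "User form password"
    if s.cross_ref_blank_password:
        # Assumption: AREA is used when configured, otherwise the OS.
        return external_source(s)
    return "no password"             # blank field is taken to mean no password

def passwordless_accounts(s: EASettings, user_form: dict) -> list:
    """Registered logins that are treated as having no password."""
    return sorted(n for n, r in user_form.items() if validation_path(s, r) == "no password")

# Constructed sample data
USER_FORM = {"asmith": {"password": "x-hash"}, "svc_report": {"password": ""},
             "jdoe": {"password": ""}}
BOTH_CLEARED = EASettings(None, False, False, True, "windows")
WITH_AREA = EASettings(390695, True, True, False, "windows")

if __name__ == "__main__":
    print(passwordless_accounts(BOTH_CLEARED, USER_FORM))
    for login in ("asmith", "jdoe", "contractor"):
        print(login, "->", validation_path(WITH_AREA, USER_FORM.get(login)))
```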
