
Setting external authentication options

After you install an AREA plug-in, you can set up the  to use external authentication. Users can be authenticated externally in the following ways:

  • To the operating system (UNIX only)—The  authenticates to the operating system. The authentication string has no effect when authenticating to a UNIX operating system.
  • To the server domain (Windows)—The  authenticates to the Windows server domain. If a value is entered in the Authentication String field, that value is used as the domain name to which the  authenticates.
  • To the AREA service—If you have configured external authentication to an AREA service, the user name, password, and authentication values entered are provided to the AREA service.

Related topics

Two of these authentication methods use the authentication string described in Login-and-session-information. See also Setting-up-an-authentication-alias.

Before you begin

Configure your server to use plug-ins (see Configuring-a-server-to-use-plug-ins), and start the plug-in server (see AR-System-server-components and AR-System-external-utilities). 

To set  Administration: external authentication parameters

  1. In a browser, open the  Administration Console, and select System > General > Server Information.
     The AR System Administration: Server Information form appears.
  2. Click the EA tab.
     [Figure: the EA tab of the AR System Administration: Server Information form (ServerInfo-EA.gif)]
  3. Edit the options, as needed. Each field on the EA tab is listed below, followed by its description:

    External Authentication Server RPC Program Number

    Enables an external authentication (AREA) server. The RPC program number for the plug-in service is 390695. Entering no value or 0 disables authentication with an AREA service, and the  accesses the operating system for authentication purposes.

    You must have an AREA server built and prepared before you set the RPC Socket number here.

    For information about configuring an AREA LDAP plug-in, see Using-the-AREA-LDAP-plug-in.

    External Authentication Server Timeout (seconds) > RPC

    Sets the time limit (in seconds) within which the plug-in server must respond to the  when making external authentication (AREA) calls before an error is returned. If RPC is set to 0, the  uses the default of 40 seconds.

    External Authentication Server Timeout (seconds) > Need To Sync

    Sets the interval for periodically invoking the AREA server's AREANeedToSyncCallback() call. If Need to Sync is set to 0, the  does not invoke the call to the external authentication server. The default is 3600 seconds. For more information about the external authentication server, see Configuring-a-server-to-use-plug-ins and AR-System-external-authentication.

    Authenticate Unregistered Users

    Defines how  validates a user who has no record in the User form. When a user logs in to , the server tries to validate the user against registered users (users who are listed in the User form). If a match is found, that user definition and the permissions specified in the matching User record are used. If no match is found,  continues trying to validate the user or stops the validation process depending on whether this option is selected. If the check box is:

    • Selected, and External Authentication is not configured—(Default on UNIX servers) On a UNIX server,  searches the /etc/passwd file or NIS password map for a match. If a match is found, the user is considered a valid user (not a guest) of the system. The UNIX group specification from the file or NIS is retrieved, and the user is considered a member of the  group whose Group ID matches the UNIX group. On a Windows server,  authenticates to the default domain. The optional authentication string that the user enters when logging in is used as the Windows domain name for authentication purposes. On Windows servers, the user is considered a member of the group whose Group ID is 0.
    • Selected, and External Authentication is configured— sends a request to the external authentication server to authenticate the user. If a match is found, the user is considered a valid user (not a guest user) of the system. See Configuring-a-server-to-use-plug-ins. The authentication string that the user enters when logging in is passed to the external authenticator for its use.
    • Cleared—(Default on Windows servers)  stops the validation process and manages the user as a guest user if Allow Guest Users is enabled. See ar-cfg-or-ar-conf-options-A-B.

    For information about configuring external authentication, see Setting-ports-and-RPC-numbers.

    Cross Reference Blank Password

    Defines how  authenticates a user whose User form record has no password. When a user logs in,  searches its own database for that user. If the user has a password, the system uses it. If the Password field is empty,  proceeds according to whether Cross Reference Blank Password is selected or cleared:

    • Selected— tries to validate the password against one of the following items:
      • An external authenticator if one is configured
      • The password in the Windows server domain
      • The UNIX server's /etc/passwd file
    • Cleared—(Default)  concludes that an empty password field means that the user has no password.

    In the Login window, users see an Authentication field. If the  is running on Windows, the contents of this field are used as a domain name when the server authenticates the user with the operating system. If the server is instead configured to use an external authenticator, the contents of this field are passed to the authenticator. See Setting-up-an-authentication-alias.

    If you select Cross Reference Blank Password, make sure that it does not conflict with the User Password Management feature. If you enforce a password policy,  periodically forces users to set a password that cannot be blank. If a user's password is authenticated outside of  and that user sets a non-blank password,  performs the authentication itself from then on. This is not an issue if a password policy is not enforced. If a policy is enforced, you must disable the policy for users whose passwords should be blank. For more information, see Enforcing-a-password-policy-introduction.

    Authentication Chaining Mode

    Specifies the order in which  tries to authenticate users when they log in:

    Default—Disables authentication chaining.

    ARS - AREA— tries to authenticate the user by using the User form and then the AREA plug-in.

    AREA - ARS— tries to authenticate the user by using the AREA plug-in and then the User form.

    ARS - OS - AREA— tries to authenticate the user by using the User form, then Windows or UNIX authentication, and then the AREA plug-in.

    ARS - AREA - OS— tries to authenticate the user by using the User form, then the AREA plug-in, and then Windows or UNIX authentication.
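    The following Python model is an added example, not AR System code: it models the login decision flow described under Authenticate Unregistered Users, Cross Reference Blank Password and Authentication Chaining Mode so that the interaction of the three settings can be exercised with sample input. The class and function names, the constructed password stores, the assumption that a chained mode falls through to the next source on rejection, and the "denied" outcome for a user who is neither validated nor allowed as a guest are all assumptions made for this illustration.

```python
# Added example (not AR System code): a model of the login decision flow described
# in the Authenticate Unregistered Users, Cross Reference Blank Password and
# Authentication Chaining Mode fields. Names, sample password stores and the
# "denied" outcome are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Chaining modes, named as in the Authentication Chaining Mode field. "Default"
# disables chaining: the User form is checked and the two check boxes decide the rest.
CHAIN_ORDER: Dict[str, List[str]] = {
    "Default": [],
    "ARS - AREA": ["ARS", "AREA"],
    "AREA - ARS": ["AREA", "ARS"],
    "ARS - OS - AREA": ["ARS", "OS", "AREA"],
    "ARS - AREA - OS": ["ARS", "AREA", "OS"],
}

# An authenticator receives (user, password, authentication string) and returns
# True when it accepts the credentials.
Authenticator = Callable[[str, str, str], bool]


@dataclass
class ServerSettings:
    area_configured: bool            # RPC Program Number set, so an AREA service is in use
    authenticate_unregistered: bool  # Authenticate Unregistered Users check box
    crossref_blank_password: bool    # Cross Reference Blank Password check box
    allow_guest_users: bool          # Allow Guest Users option
    chaining_mode: str = "Default"   # Authentication Chaining Mode


@dataclass
class UserRecord:
    password: Optional[str]          # None models an empty Password field in the User form


@dataclass
class Server:
    settings: ServerSettings
    user_form: Dict[str, UserRecord]
    os_auth: Authenticator           # operating system (UNIX passwd/NIS or Windows domain)
    area_auth: Authenticator         # AREA plug-in service

    def _external(self, user: str, password: str, auth_string: str) -> bool:
        # The external source in use: the AREA service if configured, otherwise the OS.
        if self.settings.area_configured:
            return self.area_auth(user, password, auth_string)
        return self.os_auth(user, password, auth_string)

    def _ars(self, user: str, password: str, auth_string: str) -> bool:
        # Validation against the User form.
        rec = self.user_form.get(user)
        if rec is None:
            return False
        if rec.password is not None:
            return rec.password == password
        # Empty Password field: Cross Reference Blank Password decides.
        if not self.settings.crossref_blank_password:
            return password == ""   # cleared: an empty field means the user has no password
        return self._external(user, password, auth_string)

    def login(self, user: str, password: str, auth_string: str = "") -> str:
        """Return "user", "guest" or "denied" (the last is an assumed outcome)."""
        s = self.settings
        order = CHAIN_ORDER[s.chaining_mode]
        if not order:
            # No chaining: a registered user is decided by the User form alone.
            if user in self.user_form:
                return "user" if self._ars(user, password, auth_string) else "denied"
            # Unregistered user: consulted externally only if the check box is selected.
            if s.authenticate_unregistered and self._external(user, password, auth_string):
                return "user"
            return "guest" if s.allow_guest_users else "denied"
        # Chained modes: each source is tried in order until one accepts
        # (assumption: a rejection by one source falls through to the next).
        steps = {"ARS": self._ars, "OS": self.os_auth, "AREA": self.area_auth}
        for step in order:
            if step == "AREA" and not s.area_configured:
                continue
            if steps[step](user, password, auth_string):
                return "user"
        return "guest" if s.allow_guest_users else "denied"


# Constructed sample password stores standing in for the OS and an AREA (LDAP) service.
OS_PASSWORDS = {"alice": "os-pass"}
AREA_PASSWORDS = {"bob": "ldap-pass", "carol": "ldap-pass2"}


def sample_os_auth(user: str, password: str, auth_string: str) -> bool:
    return OS_PASSWORDS.get(user) == password


def sample_area_auth(user: str, password: str, auth_string: str) -> bool:
    return AREA_PASSWORDS.get(user) == password


def build_server(**overrides) -> Server:
    """Server with a constructed User form: alice has a password, carol's is blank."""
    settings = ServerSettings(area_configured=True, authenticate_unregistered=True,
                              crossref_blank_password=True, allow_guest_users=True)
    for name, value in overrides.items():
        setattr(settings, name, value)
    user_form = {"alice": UserRecord("form-pass"), "carol": UserRecord(None)}
    return Server(settings, user_form, sample_os_auth, sample_area_auth)


if __name__ == "__main__":
    print(build_server().login("carol", "ldap-pass2"))                              # user
    print(build_server(chaining_mode="ARS - OS - AREA").login("alice", "os-pass"))  # user
```

Running the model shows the point the field descriptions make: with chaining disabled, a registered user is decided entirely by the User form (alice's OS password is refused), whereas "ARS - OS - AREA" lets the OS accept her after the form rejects the same password, and carol's blank User form password is only cross-referenced to the external source when the check box is selected.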

    Group Mapping

    Specifies mappings between LDAP groups and  groups. This eliminates the need for one-to-one matches between LDAP and  groups. If you do not map groups, each LDAP group must have an exact  group match.

    Tip

    For maximum benefit, use Ignore Excess Groups and Group Mapping together.

    Ignore Excess Groups

    Enables  to authenticate a user when any LDAP group to which the user belongs matches a  group. Non-matching groups are ignored. If Ignore Excess Groups is cleared, authentication occurs only when each LDAP group matches a  group.
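    As an added example that is not AR System code, the following Python function models how Group Mapping and Ignore Excess Groups together decide whether a user's LDAP group membership is acceptable and which groups the user is placed in. The mapping format (a dictionary from LDAP group name to AR System group name), the function name and the constructed sample groups are assumptions made for this illustration.

```python
# Added example (not AR System code): a model of how Group Mapping and Ignore
# Excess Groups decide whether a user's LDAP group membership is acceptable and
# which groups the user ends up in. The mapping format (LDAP group name ->
# AR System group name) is an assumption made for this illustration.
from typing import Dict, Iterable, List, Set, Tuple


def resolve_groups(ldap_groups: Iterable[str], ar_groups: Set[str],
                   group_mapping: Dict[str, str], ignore_excess: bool) -> Tuple[bool, List[str]]:
    """Return (authenticated, matched AR System groups).

    Without a mapping entry an LDAP group must match an AR System group by exact name.
    With Ignore Excess Groups selected, one matching group is enough and the rest are
    ignored; with it cleared, every LDAP group must match.
    """
    matched: List[str] = []
    unmatched: List[str] = []
    for ldap_group in ldap_groups:
        target = group_mapping.get(ldap_group, ldap_group)  # mapped name, else exact match
        if target in ar_groups:
            if target not in matched:
                matched.append(target)
        else:
            unmatched.append(ldap_group)
    if not matched:
        return False, []        # no LDAP group matches at all
    if unmatched and not ignore_excess:
        return False, []        # cleared: every LDAP group must match
    return True, matched


# Constructed sample data.
AR_GROUPS = {"Administrator", "Support Staff", "Submitter"}
GROUP_MAPPING = {"cn=helpdesk,ou=groups,dc=example,dc=com": "Support Staff"}

if __name__ == "__main__":
    user_groups = ["cn=helpdesk,ou=groups,dc=example,dc=com",
                   "cn=printers,ou=groups,dc=example,dc=com"]
    print(resolve_groups(user_groups, AR_GROUPS, GROUP_MAPPING, ignore_excess=False))  # (False, [])
    print(resolve_groups(user_groups, AR_GROUPS, GROUP_MAPPING, ignore_excess=True))   # (True, ['Support Staff'])
```

The sample run illustrates the Tip above: a user in a mapped helpdesk group and an unrelated printers group is rejected unless Ignore Excess Groups is selected, because the printers group has no mapping and no exact match.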

