Set up external authentication options and aliases
The Server domain and AREA service authentication methods use the authentication string described in Login-and-session-information.
Before you begin
Configure your server to use plug-ins and start the plug-in server. For more information, see Configuring-a-server-to-use-plug-ins, AR-System-server-components and AR-System-external-utilities.
To set AR System server Administration: external authentication parameters
- In a browser, open the AR System server Administration Console, and select System > General > Server Information. The AR System Administration: Server Information form appears.
- Click the EA tab.
- Edit the following options, as needed:
Field
Description
External Authentication Server RPC Program Number
Enables an external authentication (AREA) server. The RPC program number for the plug-in service is 390695. Entering no value or 0 disables authentication with an AREA service, and the AR System server accesses the operating system for authentication purposes.
You must have an AREA server built and prepared before you set the RPC program number here.
For information about configuring an AREA LDAP plug-in, see Configuring-the-AREA-LDAP-plug-in.
External Authentication Server Timeout (seconds) > RPC
Sets the time limit (in seconds) within which the plug-in server must respond to the AR System server when making external authentication (AREA) calls before an error is returned. If RPC is set to 0, the AR System server uses the default of 40 seconds.
External Authentication Server Timeout (seconds) > Need To Sync
Sets the interval for periodically invoking the AREA server's AREANeedToSyncCallback() call. If Need to Sync is set to 0, the AR System server does not invoke the call to the external authentication server. The default is 3600 seconds. For more information about the external authentication server, see Configuring-a-server-to-use-plug-ins and .
Authenticate Unregistered Users
Defines how AR System server validates a user who has no record in the User form. When a user logs in to AR System server, the server tries to validate the user against registered users that are listed in the User form. If a match is found, that user definition and the permissions specified in the matching user record are used. If no match is found, AR System server continues trying to validate the user or stops the validation process depending on which of the following options is selected. If the check box is:
- Selected, and External Authentication is not configured—(Default on UNIX servers) On a UNIX server, AR System server searches the /etc/passwd file or NIS password map for a match. If a match is found, the user is considered a valid user (not a guest) of the system. The UNIX group specification from the file or NIS is retrieved, and the user is considered a member of the AR System server group whose Group ID matches the UNIX group. On a Windows server, AR System server authenticates to the default domain. The optional authentication string that the user enters when logging in is used as the Windows domain name for authentication purposes. On Windows servers, the user is considered a member of the group whose Group ID is 0.
- Selected, and External Authentication is configured—AR System server sends a request to the external authentication server to authenticate the user. If a match is found, the user is considered a valid user (not a guest user) of the system. For more information, see Configuring-a-server-to-use-plug-ins. The authentication string that the user enters when logging in is passed to the external authenticator for its use.
- Cleared—(Default on Windows servers) AR System server stops the validation process and manages the user as a guest user if Allow Guest Users is enabled. For more information, see ar-cfg-or-ar-conf-options-A-B.
For information about configuring external authentication, see System requirements.
Cross Reference Blank Password
Defines how AR System server authenticates a user whose User form record has no password. When a user logs in, AR System server searches its own database for that user. If the user has a password, the system uses it. If the Password field is empty, AR System server proceeds to check the Cross Reference Blank Password option as follows:
- If Selected—AR System server tries to validate the password against one of the following items:
- An external authenticator if one is configured
- The password in the Windows server domain
- The UNIX server's /etc/passwd file
- If Cleared—(Default) AR System server concludes that an empty password field means that the user has no password.
In the Login window, users see an Authentication field. If the AR System server is running on Windows, the contents of this field are used as a domain name when the server authenticates the user with the operating system. If the server is instead configured to use an external authenticator, the contents of this field are passed to the authenticator. For more information, see .
If you select Cross-Reference Blank Password, make sure that it does not conflict with the User Password Management feature. If you enforce a password policy, AR System server periodically forces users to set a password that cannot be blank. If a user's password is authenticated outside of AR System server and that user sets a non-blank password, AR System server performs the authentication, provided a password policy is not enforced. If a policy is enforced, you must disable the policy for users that can use a blank password. For more information, see Enforcing a password policy.
Authentication Chaining Mode
Specifies the order in which AR System server tries to authenticate users when they log in:
Default—Disables authentication chaining.
ARS - AREA—AR System server tries to authenticate the user by using the User form and then the AREA plug-in.
AREA - ARS—AR System server tries to authenticate the user by using the AREA plug-in and then the User form.
ARS - OS - AREA—AR System server tries to authenticate the user by using the User form, then Windows or UNIX authentication, and then the AREA plug-in.
ARS - AREA - OS—AR System server tries to authenticate the user by using the User form, then the AREA plug-in, and then Windows or UNIX authentication.
Group Mapping
Specifies mappings between LDAP groups and AR System server groups. This eliminates the need for one-to-one matches between LDAP and AR System server groups. If you do not map groups, each LDAP group must have an exact AR System server group match.
Ignore Excess Groups
Enables AR System server to authenticate a user when any LDAP group to which the user belongs matches an AR System server group. Non-matching groups are ignored. If Ignore Excess Groups is cleared, authentication occurs only when each LDAP group matches an AR System group.
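As an added illustration (not AR System code), the following Python models the Group Mapping and Ignore Excess Groups rules described above; the AR System server groups, LDAP group names and mapping table are constructed sample data.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample data: the AR System server's own groups and a Group
# Mapping table (LDAP group -> AR System server group) such as an
# administrator would enter on the EA tab. None of these names is real.
AR_SYSTEM_GROUPS: Set[str] = {"Administrator", "Helpdesk", "Public"}
GROUP_MAPPING: Dict[str, str] = {
    "cn=remedy-admins,ou=groups,dc=example,dc=com": "Administrator",
    "cn=servicedesk,ou=groups,dc=example,dc=com": "Helpdesk",
}


def resolve_group(ldap_group: str) -> Optional[str]:
    """Map a single LDAP group to an AR System server group, or None.

    An explicit mapping is used first; an unmapped LDAP group only matches
    when its name is exactly an AR System server group name.
    """
    target = GROUP_MAPPING.get(ldap_group, ldap_group)
    return target if target in AR_SYSTEM_GROUPS else None


def evaluate_groups(ldap_groups: Iterable[str],
                    ignore_excess_groups: bool) -> Tuple[bool, List[str], List[str]]:
    """Decide whether the group check passes for one user.

    Returns (authenticated, matched AR System groups, unmatched LDAP groups).
    Ignore Excess Groups selected: any one matching group is enough and the
    non-matching ones are dropped. Cleared: every LDAP group must match.
    """
    matched: Set[str] = set()
    unmatched: List[str] = []
    for group in ldap_groups:
        ar_group = resolve_group(group)
        if ar_group is None:
            unmatched.append(group)
        else:
            matched.add(ar_group)
    if not matched:
        return False, [], unmatched          # no usable group at all
    if unmatched and not ignore_excess_groups:
        return False, [], unmatched          # strict mode: excess groups reject
    return True, sorted(matched), unmatched
```

The strict (cleared) mode is the safer default where LDAP groups are broad: one unexpected group membership blocks the login instead of silently granting a subset of rights.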
An authentication alias enables you to use an alternate user name (User Name Alias) or an authentication string (Authentication String Alias) when the operating system or an AR System External Authentication (AREA) plug-in is performing the authentication. In addition, the User Name Alias and the Authentication String Alias can independently operate, allowing you to use one or both options.
Configuring the User Name Alias
A User Name Alias is a secondary account name associated with a user and is used only for authentication purposes. The user's primary account name (the login name entered into the User Name field of the Login dialog box of AR System server clients) is used for all other purposes. If a User Name Alias is defined, the AR System server uses it to authenticate the user and password. As an administrator, you can configure the User Name Alias for an account.
The User Name Alias is applicable in the following situations:
- When you want the user's full name to be used as the AR System server login instead of the user's computer account name. The system uses the alias when authenticating the user.
- When a user's name changes, the user can use the new name to log in to AR System server but continues to use the same computer account name for authentication purposes.
- When a user's computer account or domain name is subject to changes. Leveraging an alias enables the user to continue using the same user name to log in throughout the changes.
To configure the User Name Alias
- Add a character field to the User form in Developer Studio. Name it Authentication Login Name, and set the field's properties as follows:
  - Name: Authentication Login Name
  - Field ID: 117
  - Data Type: Character
  - Database Length: 30
You can set any permissions, including whether the values are optional or required. You can also create workflow to populate and validate the values in this field. Be cautious when setting permissions: anyone who can write this field can change the account name that is presented to the external authenticator.
The information in the Authentication Login Name field is accessed when the user logs in to an AR System server client and the following conditions apply:
- Cross-Reference Blank Password is configured on the AR System server. For more information, see Cross-referencing blank passwords.
- The Password field on the User form is empty.
- One of the following external authentication methods is used:
- An AREA plug-in
- A Windows domain server (when the AR System server is running on a Windows platform)
- A UNIX password resolution (when the AR System server is running on a UNIX platform)
Additional information about the fields used to configure user name alias
The Authentication Login Name field on the User form interacts with the User Name field in the Login dialog box according to the following rules:
- If the Authentication Login Name field is present on the User form, the value in this field is used for authentication instead of the name entered in the User Name field in the Login dialog box.
For backwards compatibility, if the Authentication Login Name field is not present on the User form or the value in this field is NULL, the user is authenticated with the information entered in the User Name field in the Login dialog box.
On the LDAP server, the values in the Authentication Alias Name field and the User Login Name field must be the same.
To log in to the AR System server:
- You must use the value of the Login Name field on the User form.
- You must use the password that you have set for the Authentication Alias Name field on the LDAP server.
These rules apply to all AR System server clients, including those accessing an AR System server by using C or Java APIs.
Configuring the Authentication String Alias
When an Authentication String Alias is defined, it overrides any entry in the Login dialog box of the AR System server client. The Authentication String Alias can be used to identify the correct authentication domain for the user.
Use the Authentication String Alias in the following situations:
- When users belong to specific authentication domains and you do not want to require users to enter an authentication string when they log in.
- When a user's computer account or domain name is subject to changes. Leveraging an Authentication String Alias enables the user to continue using the same user name to log in throughout the changes.
To configure the Authentication String Alias
- Add a character field to the User form in Developer Studio. Name it Authentication String, and set the field's properties as follows:
  - Name: Authentication String
  - Field ID: 118
  - Data Type: Character
  - Database Length: 255
You can set any permissions, including whether the values are optional or required. You can also create workflow to populate and validate the values in this field. Be cautious when setting permissions: anyone who can write this field can change the authentication domain that is presented to the external authenticator.
The information in the Authentication String field is accessed when the user logs in to an AR System server client and the following conditions apply:
- Cross-Reference Blank Password is configured on the AR System server. For more information, see Cross-referencing-blank-passwords.
- The Password field on the User form is empty.
- One of the following external authentication methods is used:
- An AREA plug-in
- A Windows Domain server when the AR System server is running on a Windows platform
- A UNIX password resolution when the AR System server is running on a UNIX platform
Login dialog box
The Authentication String Alias field on the User form interacts with the Authentication field in the Login dialog box according to the following rules:
- The value in the Authentication String field on the User form is used instead of the entry in the Authentication field in the Login dialog box.
- For backwards compatibility, if the Authentication String Alias field is not present on the User form or the value in this field is NULL, the information entered in the Login dialog box is used for authentication.
These rules apply to all AR System server clients, including those accessing an AR System server by using C or Java APIs.
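The alias rules for both the Authentication Login Name (field 117) and Authentication String (field 118) fields, together with the Cross Reference Blank Password pre-condition, modelled as an added Python example; this is not AR System code, and the User form records and Login dialog entries are constructed.

```python
from typing import Dict, Optional, Tuple

# Constructed User form records, keyed by field name as the page names them:
# "Authentication Login Name" is field ID 117, "Authentication String" is 118.
# A NULL value is represented by None; a missing key means the field was
# never added to the User form.
USER_RECORDS: Dict[str, Dict[str, Optional[str]]] = {
    "Jane Doe": {"Password": None,
                 "Authentication Login Name": "jdoe",
                 "Authentication String": "CORP"},
    "Bob Smith": {"Password": "stored-in-user-form"},
    "Old User": {"Password": None,
                 "Authentication Login Name": None},
}


def build_auth_request(login_user_name: str, login_authentication: str,
                       cross_reference_blank_password: bool
                       ) -> Tuple[str, Optional[Dict[str, str]]]:
    """Work out how the server authenticates one Login dialog attempt.

    Returns ("ARS", None) when the User form password is used, or
    ("EXTERNAL", {"user": ..., "authentication": ...}) with the name and
    authentication string actually handed to the OS / AREA authenticator.
    """
    record = USER_RECORDS.get(login_user_name)
    if record is None:
        # No User form match: handled by Authenticate Unregistered Users /
        # guest rules, which this model does not cover.
        return "UNREGISTERED", None
    if record.get("Password"):
        # A stored password wins; the alias fields are never consulted.
        return "ARS", None
    if not cross_reference_blank_password:
        # Empty password and cross-referencing cleared: treated as
        # "user has no password"; no external lookup happens.
        return "ARS", None
    # Alias fields override the dialog entries. A field that is absent or
    # NULL falls back to what the user typed (backwards compatibility).
    user = record.get("Authentication Login Name") or login_user_name
    auth = record.get("Authentication String") or login_authentication
    return "EXTERNAL", {"user": user, "authentication": auth}
```

The "Old User" case shows the fallback: with a NULL alias, whatever the user typed in the Login dialog reaches the authenticator unchanged.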