Copyright © TIBCO Software Inc. All Rights Reserved |
The authentication setting in the security policy file used by the security domain controller for a metaspace controls how users are authenticated. You can specify two types of user authentication: userpwd (user name and password) and x509 (X.509 certificate).

The basic format of the authentication setting in the security policy file is:

If you specify userpwd or x509 for the authentication setting, you must also specify a source setting so that the security domain controller can connect to the system that performs the authentication:
• source=system specifies that the security domain controller uses operating system services to authenticate users.
• source=ldap specifies that the security domain controller connects to an LDAP server and uses it for authentication.

See the sections below for details on how to configure the authentication settings for operating system or LDAP authentication.

You can override the default behavior for retrieving authentication information by using a callback mechanism. If a callback function is available, then when a security domain requestor tries to connect to a metaspace, ActiveSpaces calls the callback function to retrieve the user's authentication information instead of using the default behavior provided by TIBCO ActiveSpaces. See Authentication Callback for details.

To configure the security policy file to perform user name and password authentication using the operating system, set the authentication setting as follows:

The service setting specifies the operating system authentication service to use. This setting is currently ignored on Windows and is used only on UNIX systems. Specifying service=login causes the UNIX "login" service to be used to authenticate security domain requestor users. Because the lookup goes through PAM, the value must name a PAM service configured on the host that runs the security domain controller (typically /etc/pam.d/<service>); you can use the service setting to direct PAM authentication requests to a different local PAM service.

To configure the security policy file to perform user name and password authentication against an LDAP server over an unsecured (clear-text) connection, the authentication setting uses the following format:
where:
• host The fully qualified domain name of the LDAP server (for example, ldapsrvr.com).
• plainPort The port on which the LDAP server listens for clear-text TCP/IP connections (default: 389).
• baseDN The distinguished name of the parent of the LDAP subtree (for example: dc=users,dc=com).
• hint A message displayed to the user as a hint of what to enter.

Because this connection is not encrypted, the user name and password cross the network in clear text; use this form only on a trusted network segment. If connecting to the LDAP server requires a secure connection using SSL/TLS, the authentication setting uses the following format:
where:
• host The fully qualified domain name of the LDAP server (for example, ldapsrvr.com).
• securePort The port on which LDAP clients connect to the LDAP server using SSL/TLS (default: 636).
• truststore A file that contains the secure LDAP server's certificate chain, used to verify the server during the TLS handshake.
• baseDN The distinguished name of the parent of the LDAP subtree (for example: dc=users,dc=com).
• hint A message displayed to the user as a hint of what to enter.

The authentication information is passed to the security domain controller, which tries to authenticate the user against the LDAP server configured in the security policy file.

To configure the security policy file to perform LDAP certificate (x509) authentication with an LDAP server, the authentication setting uses the following format:
where:
• host The fully qualified domain name of the LDAP server (for example, ldapsrvr.com).
• securePort The port on which LDAP clients connect to the LDAP server using SSL/TLS (default: 636).
• truststore A file that contains the secure LDAP server's certificate chain, used to verify the server during the TLS handshake.
• baseDN The distinguished name of the parent of the LDAP subtree (for example: dc=users,dc=com).
• hint A message displayed to the user as a hint of what to enter.

See ASUserAuthenticator for information on how the security API is used to implement an authentication callback in each supported programming language.
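The following is an added example, not code from TIBCO or from the ActiveSpaces product: a small lint that checks a set of authentication settings against the rules described above before a policy file is deployed. It assumes the settings have already been parsed into a dict keyed by the parameter names documented on this page (authentication, source, service, host, plainPort, securePort, truststore, baseDN, hint); the on-disk syntax of the policy file is not reproduced. Treating the clear-text plainPort form as a finding is this example's policy, not the product's. The sample settings at the bottom are constructed.

```python
"""Lint authentication settings for an ActiveSpaces-style security policy.

Added example, not TIBCO code. Assumes settings already parsed into a dict
keyed by the documented parameter names; policy-file syntax is not reproduced.
"""
import os
import re

# One RDN of a distinguished name: attribute=value. Escaped commas in values
# (RFC 4514) are deliberately not handled; this is a lint, not a full DN parser.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=]+$")


def parse_dn(dn):
    """Split 'dc=users,dc=com' into [('dc', 'users'), ('dc', 'com')].

    Raises ValueError on an empty DN or an RDN that is not 'attr=value'.
    """
    pairs = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not _RDN.match(rdn):
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.lower(), value))
    return pairs


def lint_authentication(settings, file_exists=os.path.exists):
    """Return a list of findings; an empty list means the settings are acceptable.

    file_exists is injectable so the truststore check runs without a real file.
    """
    findings = []
    auth = settings.get("authentication")
    if auth not in ("userpwd", "x509"):
        return [f"authentication must be userpwd or x509, got {auth!r}"]

    source = settings.get("source")
    if source == "system":
        if auth == "x509":
            findings.append("x509 with source=system is not among the documented formats")
        if not settings.get("service"):
            # Ignored on Windows; on UNIX it selects the PAM service (e.g. login).
            findings.append("source=system: service not set; on UNIX this selects the PAM service")
        return findings
    if source != "ldap":
        findings.append(f"source must be system or ldap, got {source!r}")
        return findings

    # source=ldap from here on.
    if not settings.get("host"):
        findings.append("source=ldap: host is required")
    plain = settings.get("plainPort")
    secure = settings.get("securePort")
    if plain and secure:
        findings.append("specify either plainPort or securePort, not both")
    elif plain:
        findings.append(f"plainPort={plain}: credentials cross the network in clear text; "
                        "prefer securePort with a truststore")
        if auth == "x509":
            findings.append("x509 authentication uses the SSL/TLS form (securePort and truststore)")
    elif secure:
        ts = settings.get("truststore")
        if not ts:
            findings.append("securePort requires truststore (the LDAP server's certificate chain)")
        elif not file_exists(ts):
            findings.append(f"truststore {ts!r} does not exist")
    else:
        findings.append("source=ldap: set plainPort or securePort")

    base = settings.get("baseDN")
    if not base:
        findings.append("source=ldap: baseDN is required")
    else:
        try:
            parse_dn(base)
        except ValueError as exc:
            findings.append(f"baseDN: {exc}")
    return findings


# Constructed sample settings (not from any real deployment).
WEAK = {"authentication": "userpwd", "source": "ldap", "host": "ldapsrvr.com",
        "plainPort": 389, "baseDN": "dc=users,dc=com", "hint": "Domain user name"}
HARDENED = {"authentication": "userpwd", "source": "ldap", "host": "ldapsrvr.com",
            "securePort": 636, "truststore": "/etc/activespaces/ldap-chain.pem",
            "baseDN": "dc=users,dc=com", "hint": "Domain user name"}

if __name__ == "__main__":
    # Pretend the truststore exists so the sample runs offline.
    exists = lambda p: p == HARDENED["truststore"]
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_authentication(cfg, file_exists=exists))
```

Run it as a pre-deployment check on each policy file you generate; the only configuration that passes with no findings is the SSL/TLS form with a truststore that is actually present on the security domain controller host.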