Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 8 Authentication and Permissions : Users and Groups

Users and Groups
User permissions apply to the activities a user can perform on each destination (topic and queue). Using permissions you can control which users have permission to send, receive, or browse messages for queues. You can also control who can publish or subscribe to topics, or who can create durable subscriptions to topics. Permissions are stored in the access control list for the server.
Groups allow you to create classes of users and control permissions on a more global level. Rather than granting and revoking permissions on destinations to individual users, you can control destination access at the group level. Users inherit any permissions from each of the groups they belong to, in addition to any permissions that are granted to them directly.
Figure 14 illustrates the relationships between users, groups and permissions.
Figure 14 Users, groups, and permissions
Externally-configured users and groups are defined and managed using the external directory. Locally-configured users and groups, as well as the access control list, are configured using any of the administration interfaces (editing configuration files, using the administration tool, or the administration APIs).
The following sections describe users and groups in EMS.
Users
Users are named identities that a client uses to identify itself to the server. When a client logs in, the connect request should carry a username and the password associated with that username.
There is one predefined user, admin, that performs administrative tasks, such as creating other users.
You can create and remove users and change passwords by specifying the users in the users.conf configuration file, using the tibemsadmin tool, or by using the administration APIs. For more information about specifying users in the configuration file, see users.conf on page 271. For more information about specifying users using the tibemsadmin tool, see Chapter 6, Using the EMS Administration Tool. For more information on the administration APIs, see the online documentation.
Groups
Groups allow you to create classes of users. Groups make access control administration significantly simpler because you can grant and revoke permissions to large numbers of users with a single operation on the group. Each user can belong to as many groups as necessary. A user’s permissions are the union of the permissions of the groups the user belongs to, in addition to any permissions granted to the user directly.
You can create, remove, or add users to groups by specifying the groups in groups.conf, using the tibemsadmin tool, or by using the administration APIs. For more information about specifying groups in the configuration file, see groups.conf on page 257. For more information about specifying groups using the tibemsadmin tool, see Chapter 6, Using the EMS Administration Tool. For more information on the administration APIs, see the online documentation.
Configuring an External Directory
You can define user authentication and group information either in EMS server configuration files, or in an external directory (such as an LDAP server).
External User Authentication
EMS can be configured to authenticate users stored in an external directory server, such as an LDAP server.
The parameter user_auth in tibemsd.conf guides the EMS server when authenticating users. When a user attempts to authenticate to the EMS server, this parameter specifies the source of authentication information. This parameter can have one or more of the following values (separated by comma characters):
local—obtain user authentication information from the local EMS server user configuration.
ldap—obtain user authentication information from an LDAP directory server (see the LDAP-specific configuration parameters).
jaas—obtain user authentication information from a custom authentication module (see Extensible Authentication).
Each time a user attempts to authenticate, the server seeks corresponding authentication information from each of the specified locations in the order that this parameter specifies. The EMS server accepts successful authentication using any of the specified sources.
Group Information
Group information stored in an external directory can also be retrieved by the EMS server. Static and dynamic groups are supported and you can configure the EMS server to retrieve either or both.
Administration Commands and External Users and Groups
You can perform administrative commands on users and groups defined either locally (in the EMS server’s local configuration files) or in an external LDAP. Furthermore, you can combine users and groups that are defined in different locations (for example, you can grant and revoke permissions for users and groups defined in an LDAP, or add LDAP-defined users to locally-defined groups).
When you attempt to view users and groups using the show user/s or show group/s commands, any users and groups that exist in external directories have an asterisk next to their names. Users and groups from external directories will only appear in the output of these commands in the following situations:
Therefore, not all users and groups defined in the external directory may appear when the show user/s or show group/s commands are executed. Only the users and groups that meet the above criteria at the time the command is issued will appear.
You can create users and groups with the same names as externally-defined users and groups. If a user or group exists in the server’s configuration and is also defined externally, the local definition takes precedence. Locally-defined users and groups do not have an asterisk by their names in the show user/s or show group/s commands.
You can also issue the delete user or delete group command to delete users and groups from the local server’s configuration. The permissions assigned to the user or group are also deleted when the user or group is deleted. If you delete a user or group that is defined externally, this deletes the user or group from the server’s memory and deletes any permissions assigned in the access control list, but it has no effect on the external directory. The externally-defined user can once again log in, and the user is created in the server’s memory and any groups to which the user belongs are also created. However, any permissions for the user or group have been deleted and therefore must be re-granted.
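The permission model described in this chapter (a user's effective permissions are the union of direct grants and the grants of every group the user belongs to; externally-defined principals are shown with an asterisk; deleting an externally-defined user drops its ACL grants but not the directory entry), worked through as an added Python illustration. This is not TIBCO code and does not read the real users.conf, groups.conf or ACL file formats; the user, group and destination names are constructed.

```python
"""In-memory model of EMS users, groups and the access control list.

Constructed example: dictionaries stand in for users.conf, groups.conf and
the server's ACL so the permission rules from the chapter can be exercised.
"""
from dataclasses import dataclass, field


@dataclass
class AccessControl:
    # principal (user or group name) -> destination -> set of permissions
    acl: dict = field(default_factory=dict)
    # group name -> set of member user names (the groups.conf relationship)
    groups: dict = field(default_factory=dict)
    # users defined locally (users.conf); any other name is external
    local_users: set = field(default_factory=set)

    def grant(self, principal, destination, *perms):
        """Add permissions for a user or group on one destination."""
        self.acl.setdefault(principal, {}).setdefault(destination, set()).update(perms)

    def groups_of(self, user):
        return {g for g, members in self.groups.items() if user in members}

    def effective_permissions(self, user, destination):
        """Union of the user's direct grants and the grants of each group."""
        perms = set(self.acl.get(user, {}).get(destination, set()))
        for g in self.groups_of(user):
            perms |= self.acl.get(g, {}).get(destination, set())
        return perms

    def display_name(self, user):
        """show users marks externally-defined principals with an asterisk."""
        return user if user in self.local_users else user + "*"

    def delete_user(self, user):
        """'delete user': the principal's own ACL entries are removed.

        For an externally-defined user the directory is untouched, so the
        user can log in again, but direct grants stay gone until re-granted;
        grants held by the user's groups are unaffected.
        """
        self.acl.pop(user, None)
        self.local_users.discard(user)


def demo():
    ac = AccessControl()
    ac.local_users.add("admin")                       # predefined local user
    ac.groups["traders"] = {"alice", "bob"}            # constructed LDAP group
    ac.grant("traders", "queue.orders", "send", "receive")
    ac.grant("alice", "queue.orders", "browse")        # direct grant to alice
    before = ac.effective_permissions("alice", "queue.orders")
    ac.delete_user("alice")
    after = ac.effective_permissions("alice", "queue.orders")
    return before, after, ac.display_name("alice"), ac.display_name("admin")
```

Running demo() shows alice's "browse" grant disappearing while the group-derived "send" and "receive" survive, which is why the chapter says deleted grants must be re-granted.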
Using LDAP Directory Servers
You should be able to use EMS with external directory servers that are compliant with LDAP v2 or higher.
The description for tibemsd.conf on page 189 provides the complete list of configuration parameters for configuring an external directory server. Table 46 describes parameter settings for default configurations of popular LDAP servers.
ldap_user_base_dn = ou=people, dc=<your_domain_component>, dc=<your_domain_component>
ldap_group_base_dn = ou=groups, dc=<your_domain_component>, dc=<your_domain_component>
