Configure username and password authentication
The user name and password authentication mechanism authenticates users with the user name and password credentials stored in the ISAM user repository. This mechanism uses the user registry that is configured as part of the runtime component settings; the mechanism properties below define how the mechanism connects to that registry.
Steps
- Log in to the local management interface.
- Click AAC > Policy > Authentication > Mechanisms > Username Password > Modify > Properties tab.
- Select a property to configure.
- Click Modify.
- Enter the value for that property.
- Click OK.
- Take note of the properties for the mechanism.
- LDAP Bind DN
  An LDAP account with sufficient rights to update the user registry entries. For example:
  cn=SecurityMaster,secAuthority=Default
  One method for creating such an account is using the pdadmin command. For example:
  user create no-password-policy testapi cn=testapi,secAuthority=Default testapi api passw0rd (SecurityGroup ivacld-servers remote-acl-users)
  Data type: String
- LDAP Bind Password
  The LDAP bind password.
  Data type: String
- LDAP Host Name
  The host name of the LDAP server.
  Data type: String
- LDAP Port
  The port number of the LDAP server.
  Data type: String
  Default: 389
- Management Domain
  The Security Verify Access Management Domain name. This name is used to determine the location of subdomains in the registry. Subdomains are located relative to the Management Domain LDAP location.
  Data type: String
  Default: Default
- SSL Enabled
  Set to true to enable SSL to the LDAP server.
  Data type: Boolean
  Default: False
- SSL Trust Store
  The keystore containing trusted CA signers for the LDAP server certificate. Specify an SSL trust store if you use one of the following LDAP registry scenarios for user name and password authentication:
  - You configure one primary LDAP registry that uses SSL.
  - You configure federated directories, where at least one of the directories uses SSL. In this scenario, the Use Federated Directories Configuration property must be set to true.
  The trust store specified must be configured to work with all of the LDAP registries that use SSL.
  Data type: String
- Use Federated Directories Configuration
  Set to true to use the configured federated directories when authenticating a user name and password. If you specify true:
  - The LDAP Host Name and LDAP Port properties must define a Security Verify Access user registry. This is typically the user registry of the runtime component.
  - The users in any of the additional federated directories you configure must exist in the user registry of the runtime component. Import these users if necessary.
  Data type: Boolean
  Default: false
- User Search Filter
  An LDAP search filter that selects any native user entry.
  Data type: String
  Default: (|(objectclass=ePerson)(objectclass=Person))
- Maximum Server Connections
  The maximum number of connections that can exist on the LDAP server. Valid values are 2 through 4096.
  Data type: Integer
  Default: 16
- Login Failures Persistent
  Login failures are used with the three-strikes policy. If you set this option to false, each process that uses this API stores the number of login failures in memory. If you use multiple appliances in a cluster, the total number of login failures needed to trigger a strike-out might vary. If you set this option to true, the strike count is stored in LDAP and shared across all servers, so an accurate count can be kept in a multiserver environment.
  Data type: Boolean
  Default: False
- Click the Attributes tab.
- Complete any of the following tasks:
  - Add an attribute. Complete the Registry Attribute, Context Name, and Context Namespace fields for the attribute.
  - Modify an attribute. Modify the Registry Attribute, Context Name, and Context Namespace fields for the attribute.
  - Delete an attribute. Select an attribute and click Delete.
  By default, this mechanism uses the following attributes. These registry attributes are retrieved from the user account in the user registry and are stored in the Session context with the context name and namespace.

  | Registry Attribute | Context Name | Context Namespace |
  |---|---|---|
  | | emailAddress | urn:ibm:security:authentication:asf:mechanism:password |
  | mobile | mobileNumber | urn:ibm:security:authentication:asf:mechanism:password |
- Click Save.
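Before deploying, it helps to check the property values against the constraints listed above (trust store required when SSL is on, the 2 through 4096 connection range, a balanced search filter, and persistent login failures in a cluster). The following pre-flight check is an added example written for this page, not code from Security Verify Access; the property names are those from the table, and the `clustered` flag is an assumption supplied by the caller.

```python
"""Pre-deployment sanity check for Username Password mechanism properties.

Hypothetical helper (not part of Security Verify Access): applies the
constraints documented for the mechanism to a dict of property values and
returns (severity, message) findings to resolve before deploying changes.
"""

DEFAULTS = {  # defaults as documented for the mechanism
    "LDAP Port": "389",
    "Management Domain": "Default",
    "SSL Enabled": False,
    "Use Federated Directories Configuration": False,
    "User Search Filter": "(|(objectclass=ePerson)(objectclass=Person))",
    "Maximum Server Connections": 16,
    "Login Failures Persistent": False,
}


def check_properties(props, clustered=False):
    """Return a list of (severity, message) findings; empty means no issues."""
    p = {**DEFAULTS, **props}
    findings = []
    for required in ("LDAP Bind DN", "LDAP Bind Password", "LDAP Host Name"):
        if not p.get(required):
            findings.append(("error", f"{required} is not set"))
    try:  # the port is stored as a String but must still be a valid port
        if not 1 <= int(p["LDAP Port"]) <= 65535:
            raise ValueError
    except (TypeError, ValueError):
        findings.append(("error", f"LDAP Port {p['LDAP Port']!r} is not a valid port"))
    try:  # documented range for the connection pool size
        if not 2 <= int(p["Maximum Server Connections"]) <= 4096:
            raise ValueError
    except (TypeError, ValueError):
        findings.append(("error", "Maximum Server Connections must be 2 through 4096"))
    if not p["SSL Enabled"]:  # bind DN, bind password and user passwords cross the wire unprotected
        findings.append(("warning", "SSL Enabled is false: LDAP traffic is not protected"))
    elif not p.get("SSL Trust Store"):  # SSL without CA signers cannot verify the server certificate
        findings.append(("error", "SSL Enabled is true but SSL Trust Store is not set"))
    if p["Use Federated Directories Configuration"] and not p.get("SSL Trust Store"):
        findings.append(("warning", "federated directories: set SSL Trust Store if any directory uses SSL"))
    if clustered and not p["Login Failures Persistent"]:  # per-appliance counts make lockout inconsistent
        findings.append(("warning", "cluster without Login Failures Persistent: strike counts are per appliance"))
    filt = p["User Search Filter"]  # cheap structural check, not a full RFC 4515 parse
    if not (filt.startswith("(") and filt.endswith(")") and filt.count("(") == filt.count(")")):
        findings.append(("error", "User Search Filter is not a balanced LDAP filter"))
    return findings
```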
What to do next
When you configure the mechanism, a message indicates that changes are not deployed. Deploy changes when you are finished. For more information, see Deploying pending changes.