Configure username and password authentication

The user name and password authentication mechanism authenticates users with the user name and password credentials that are stored in the Security Verify Access (ISAM) user registry. The mechanism uses the user registry that is configured as part of the runtime component settings; the properties described in this task tell the mechanism how to reach that registry (bind account, host, port, SSL) and how to locate user entries in it.

Steps

  1. Log in to the local management interface.

  2. Click...

      AAC > Policy > Authentication > Mechanisms > Username Password > Modify > Properties tab

  3. Select a property to configure.

  5. Click Modify.

  5. Enter the value for that property.

  6. Click OK.

  7. Take note of the properties for the mechanism.
      LDAP Bind DN

      An LDAP account with sufficient rights to read and update the user registry entries. For example:

        cn=SecurityMaster,secAuthority=Default

      cn=SecurityMaster,secAuthority=Default is the registry administrator account and has far more rights than the mechanism needs, so for production prefer a dedicated bind account. One method for creating such an account is the pdadmin user create command. For example:

        user create -no-password-policy testapi cn=testapi,secAuthority=Default testapi api passw0rd (SecurityGroup ivacld-servers remote-acl-users)

      The group memberships in parentheses determine what the account can read and update in the registry. Replace passw0rd with a strong password, and verify that the account can bind and search the registry before you deploy the mechanism.

      Data type: String

      LDAP Bind Password

      The LDAP bind password.

      Data type: String

      LDAP Host Name

      The host name of the LDAP server.

      Data type: String

      LDAP Port

      The port number of the LDAP server. Port 389 is the clear-text LDAP port; when SSL Enabled is true, use the server's SSL port instead (636 by convention).

      Data type: String

      Default: 389

      Management Domain

      The Security Verify Access Management Domain name. This name is used to determine the location of subdomains in the registry: subdomains are located relative to the LDAP location of the Management Domain.

      Data type: String

      Default: Default.

      SSL Enabled

      Set to true to connect to the LDAP server over SSL. Leave it false only for a registry on a trusted network, because a plain LDAP bind sends the bind password and the users' passwords in clear text.

      Data type: Boolean

      Default: False.

      SSL Trust Store

      The keystore containing trusted CA signers for the LDAP server certificate. Specify an SSL trust store if you use one of the following LDAP registry scenarios for user name and password authentication:

      • You configure one primary LDAP registry which uses SSL.
      • You configure federated directories, where at least one of the directories uses SSL. In this scenario, the Use Federated Directories Configuration property must be set to true.

      The trust store specified must be configured to work with any and all of the LDAP registries that use SSL.

      Data type: String

      Use Federated Directories Configuration

      Set to true to use the configured federated directories when authenticating a user name and password. If you specify true:
      • The LDAP Host Name and LDAP Port properties must define a Security Verify Access user registry. This is typically the user registry of the runtime component.
      • The users in any of the additional federated directories that you configure must also exist in the user registry of the runtime component. Import these users if necessary.

      Data type: Boolean

      Default: false.

      User Search Filter

      An LDAP search filter that selects the entries that are treated as native user entries. The mechanism locates the user with this filter, so entries that do not match it cannot authenticate with the mechanism; keep the filter as narrow as the registry schema allows so that service and system entries are not selectable as login users.

      Data type: String

      Default: (|(objectclass=ePerson)(objectclass=Person)).

      Maximum Server Connections

      The maximum number of connections that the mechanism opens to the LDAP server. Valid values are 2 through 4096.

      Data type: Integer

      Default: 16.

      Login Failures Persistent

      Login failures are used with the three-strikes policy. If you set this option to false, each process that uses this API keeps its own count of login failures in memory. If you use multiple appliances in a cluster, the count is then split across the nodes, so the number of failed logins needed to trigger a strike-out varies and can be larger than the policy intends. If you set this option to true, the strike count is stored in LDAP and shared across all servers, so an accurate count is kept in a multiserver environment.

      Data type: Boolean

      Default: False.

  8. Click the Attributes tab.

  9. Complete any of the following tasks.

      Add attribute: Add an attribute. Complete the Registry Attribute, Context Name, and Context Namespace fields for the attribute.
      Modify attribute: Modify an attribute. Change the Registry Attribute, Context Name, or Context Namespace fields for the attribute.
      Delete attribute: Delete an attribute. Select an attribute and click Delete.

    By default, this mechanism uses the following attributes. These registry attributes are retrieved from the user account in the user registry and are stored in the Session context with the context name and namespace shown.

    Registry Attribute   Context Name   Context Namespace
    mail                 emailAddress   urn:ibm:security:authentication:asf:mechanism:password
    mobile               mobileNumber   urn:ibm:security:authentication:asf:mechanism:password

  10. Click Save.
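The User Search Filter (step 7) and the Attributes tab (step 9) are the two settings that decide which registry entries can log in through this mechanism and what ends up in the session context. The following script is an added example, not Security Verify Access code: it parses the subset of RFC 4515 filters made of &, |, ! and equality or presence items, runs a filter over a few constructed directory entries, and then copies the mapped registry attributes into (namespace, context name) pairs the way the Attributes tab describes. The sample entries, the first-value-only rule and the parser itself are assumptions made for the example.

```python
"""Offline check of a User Search Filter and the Attributes-tab mapping (added example)."""

PASSWORD_NS = "urn:ibm:security:authentication:asf:mechanism:password"

# Page default for User Search Filter.
DEFAULT_USER_FILTER = "(|(objectclass=ePerson)(objectclass=Person))"

# Page defaults from the Attributes tab: registry attribute -> (context name, namespace).
DEFAULT_ATTRIBUTE_MAP = {
    "mail": ("emailAddress", PASSWORD_NS),
    "mobile": ("mobileNumber", PASSWORD_NS),
}

# Constructed sample entries (not from a real registry): DN -> attribute -> values.
SAMPLE_ENTRIES = {
    "cn=alice,o=example": {
        "objectClass": ["top", "person", "ePerson"],
        "mail": ["alice@example.com"],
        "mobile": ["+1 555 0100"],
    },
    "cn=bob,o=example": {
        "objectClass": ["top", "inetOrgPerson", "Person"],
        "mail": ["bob@example.com"],
    },
    # A service account that should never be selectable as a login user.
    "cn=svc-backup,o=example": {
        "objectClass": ["top", "applicationProcess"],
        "mail": ["ops@example.com"],
    },
}


def parse_filter(text):
    """Parse a filter string into nested tuples:
    ('&', [children]) | ('|', [children]) | ('!', child) | ('=', attr, value)."""
    text = text.strip()
    node, end = _parse_node(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data at offset {end} in {text!r}")
    return node


def _parse_node(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        if not children:
            raise ValueError(f"empty {op} filter")
        node = (op, children)
    elif s[i] == "!":
        child, i = _parse_node(s, i + 1)
        node = ("!", child)
    else:
        close = s.find(")", i)
        if close < 0 or "=" not in s[i:close]:
            raise ValueError(f"unsupported filter item at offset {i}")
        attr, value = s[i:close].split("=", 1)
        node = ("=", attr.strip().lower(), value)
        i = close
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry. Attribute names and values are
    compared case-insensitively, as LDAP does for objectClass."""
    return _eval(node, {k.lower(): v for k, v in entry.items()})


def _eval(node, entry):
    op = node[0]
    if op == "&":
        return all(_eval(c, entry) for c in node[1])
    if op == "|":
        return any(_eval(c, entry) for c in node[1])
    if op == "!":
        return not _eval(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                      # presence test, e.g. (mail=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def select_users(filter_text, entries=SAMPLE_ENTRIES):
    """Return the DNs the filter would treat as user entries, sorted."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(node, attrs))


def build_session_context(entry, attribute_map=DEFAULT_ATTRIBUTE_MAP):
    """Map registry attributes into {(namespace, context_name): value}.
    Missing attributes are skipped; only the first value is kept (an assumption here)."""
    lowered = {k.lower(): v for k, v in entry.items()}
    context = {}
    for registry_attr, (context_name, namespace) in attribute_map.items():
        values = lowered.get(registry_attr.lower())
        if values:
            context[(namespace, context_name)] = values[0]
    return context


if __name__ == "__main__":
    print("default filter selects:", select_users(DEFAULT_USER_FILTER))
    print("(objectclass=*) selects:", select_users("(objectclass=*)"))
    print("alice context:", build_session_context(SAMPLE_ENTRIES["cn=alice,o=example"]))
```

Running it shows the point of the filter: the page default selects only alice and bob, while a permissive filter such as (objectclass=*) also makes the svc-backup service account a valid login identity. Paste your own filter and a handful of real entries (exported with ldapsearch) before you deploy, and use the same harness to confirm that every mapped registry attribute actually exists on the accounts that need it, since missing attributes silently produce no context attribute.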


What to do next

When you configure the mechanism, a message indicates that changes are not deployed. Deploy changes when you are finished. For more information, see Deploying pending changes.
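Before deploying, it is worth understanding what the Login Failures Persistent property (step 7) means for a cluster. The following simulation is an added example, not Security Verify Access code: it models a cluster of appliances behind a round-robin load balancer and counts how many consecutive failed logins an attacker can make before any node locks the account, with per-node in-memory counters (the false setting) and with one shared counter (the true setting, where the product keeps the count in LDAP). The threshold, node counts, round-robin distribution and user name are assumptions chosen for illustration.

```python
"""Strike-out counting with and without Login Failures Persistent (added example)."""
from itertools import cycle


class InMemoryStrikes:
    """Login Failures Persistent = false: each process keeps its own counts."""

    def __init__(self):
        self.failures = {}

    def record_failure(self, user, threshold):
        """Record one failed login; return True when this node locks the account."""
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.failures[user] >= threshold


class SharedStrikes(InMemoryStrikes):
    """Login Failures Persistent = true: a single store that every node reads and
    updates (the LDAP registry in the product), so one object is handed to all nodes."""


def failures_until_lockout(node_count, threshold, persistent, user="alice", max_attempts=10_000):
    """Number of consecutive failed logins, spread round-robin over the cluster,
    needed before some node reports the account locked. None if it never happens."""
    if persistent:
        shared = SharedStrikes()
        nodes = [shared] * node_count
    else:
        nodes = [InMemoryStrikes() for _ in range(node_count)]
    for attempt, node in enumerate(cycle(nodes), start=1):
        if node.record_failure(user, threshold):
            return attempt
        if attempt >= max_attempts:
            return None


def worst_case_in_memory(node_count, threshold):
    """Closed form for the round-robin, in-memory case: every node can absorb
    threshold - 1 failures before the next attempt trips the policy."""
    return node_count * (threshold - 1) + 1


if __name__ == "__main__":
    for nodes in (1, 2, 4):
        print(f"{nodes} node(s): in-memory={failures_until_lockout(nodes, 3, False)}, "
              f"persistent={failures_until_lockout(nodes, 3, True)}")
```

With a three-strikes policy and four nodes, the in-memory setting lets nine failed attempts through before any lockout, the shared count locks after three; the gap grows linearly with the cluster size, which is why the page recommends the persistent setting for multi-appliance deployments.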

Parent topic: Authentication