Security settings - Federated Directory Server
Access to the Federated Directory Server console is controlled by a set of properties that specify the security settings.
You must specify the security settings in the solution.properties file in the Security Directory Integrator solution directory. These properties control access to all SDI web applications, such as the Dashboard, the REST API, and the Federated Directory Server console. Local and remote users are distinguished by the client IP address of the incoming access request:
- If the IP address belongs to one of the network cards on the system where SDI is running, it is considered a localhost user.
- All other IP addresses are considered as remote users.
Access permission for localhost users is built in with the following credentials:
- User name: admin
- Password: admin
To specify access control and permissions, we can set or modify the following authentication properties:
- dashboard.auth=true
  - Indicates whether users are required to authenticate.
  - Valid values are true if users are required to authenticate or false if no authentication is required.
- dashboard.auth.localhost
  - Indicates the type of authentication that connections from the localhost must use.
  - Valid values are:
    - properties specifies that property-based authentication must be used.
    - none specifies that authentication is not required.
    - deny specifies that all connections from the localhost are denied.
    - ldap specifies that authentication is done by logging in to an LDAP server and optionally validating group membership.
- dashboard.auth.remote
  - Indicates the type of authentication that remote connections must use.
  - Valid values are:
    - properties specifies that property-based authentication must be used.
    - none specifies that authentication is not required.
    - deny specifies that all remote connections are denied access, that is, all connections that do not come from the localhost are denied.
    - ldap specifies that authentication is done by logging in to an LDAP server and optionally validating group membership.
- {protect}-dashboard.auth.user.admin=admin
  - Specifies a user named admin with the password admin.
- dashboard.auth.ldap.url
  - Specifies the LDAP server address to use for authenticating the user. This property is used only if you specified ldap as the authentication mechanism.
  - Enter the LDAP host name, port number, and optionally a search base in the following format:
    - ldap://host:port[/search-base]
  - For example:
    - ldap://localhost:10389/ou=system
  - If the user provides an email address in the user name field, SDI first searches the LDAP server for a unique matching entry and extracts its distinguished name (DN). Otherwise, the value provided is expected to be acceptable to the LDAP server as-is. After SDI has a DN for the user name and the password entered by the user, it performs an LDAP basic authentication with that DN and password.
- dashboard.auth.ldap.url.group
  - Specifies the LDAP server address to use for verifying group membership of the user after authentication. This property is used only if you specified ldap as the authentication mechanism.
  - Enter the LDAP host name, port number, and optionally a search base in the following format:
    - ldap://host:port[/search-base]
  - For example:
    - ldap://localhost:389/cn=group1,ou=groups,ou=system
  - After the user is authenticated through LDAP, this property applies an additional group membership test before the user is granted access.
We can also configure these properties in the SDI Dashboard graphical user interface. In the Dashboard window, click Actions > Show Server Details > Security and Connection. See the SDI documentation and search for configuring Dashboard security settings.
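As an added example (not IBM's code or part of this documentation), the following Python script reads the properties described above from a solution.properties fragment and flags the combinations that leave the console weakly protected: authentication switched off, localhost or remote access set to none, the built-in admin/admin credentials still defined, or LDAP login without a group membership URL. It assumes only the property names on this page; the {protect}- prefix on a key is stripped so the key can be matched, and the sample file content is constructed.

```python
import re

# Constructed sample solution.properties fragment (not from a real deployment).
SAMPLE_PROPERTIES = """\
# Dashboard / Federated Directory Server console security
dashboard.auth=true
dashboard.auth.localhost=properties
dashboard.auth.remote=none
{protect}-dashboard.auth.user.admin=admin
dashboard.auth.ldap.url=ldap://localhost:10389/ou=system
"""


def parse_properties(text):
    """Parse key=value lines; the {protect}- prefix is stripped so keys match."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            props[re.sub(r"^\{protect\}-", "", key.strip())] = value.strip()
    return props


def audit(props):
    """Return findings for settings that weaken access to the SDI console."""
    findings = []
    if props.get("dashboard.auth", "").lower() == "false":
        findings.append("dashboard.auth=false: no SDI web application requires login")
    modes = {s: props.get(f"dashboard.auth.{s}", "") for s in ("localhost", "remote")}
    for scope, mode in modes.items():
        if mode == "none":
            findings.append(f"dashboard.auth.{scope}=none: {scope} users need no credentials")
        if mode == "ldap" and not props.get("dashboard.auth.ldap.url"):
            findings.append(f"dashboard.auth.{scope}=ldap but dashboard.auth.ldap.url is not set")
    if props.get("dashboard.auth.user.admin") == "admin":
        findings.append("built-in admin/admin credentials are still defined")
    if "ldap" in modes.values() and not props.get("dashboard.auth.ldap.url.group"):
        findings.append("LDAP login without dashboard.auth.ldap.url.group: no group membership check")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE_PROPERTIES)):
        print("WEAK:", finding)
```

Run against the real solution.properties by replacing SAMPLE_PROPERTIES with the file's contents; an empty result means none of the weak combinations listed above are present.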