Authenticating the user
About this task
Use the following properties to define how the user is authenticated when they attempt to log on to the IBM® BigFix® Remote Control server. To derive the correct settings for each parameter, use the LDAP browser as described.
- ldap.digest
- Digest algorithm that is used by LDAP. Values are SHA, MD2, or MD5 only. The default is
cleartext. If the LDAP server returns a password, IBM BigFix Remote Control uses the digest
algorithm to hash the password that the user entered and compares the result with the password
it receives from the LDAP server. If no password is returned from the LDAP server, IBM BigFix
Remote Control uses the user name and password that is provided by the end user to authenticate with LDAP.
ldap.digest=SHA
- ldap.userid
- ldap.userid is the LDAP attribute that contains the user ID that is mapped
to the userid field in the IBM BigFix Remote Control database. The
userPrincipalPattern property must then reflect whether the
@domainname (the UPN suffix) is added for Active Directory authentication.
- sAMAccountName
- sAMAccountName must be used so that only the user ID portion of the logon, without the UPN suffix, is used.
- userPrincipalName
- userPrincipalName must be used to force all logons to use the full User Principal Name. Note: It is recommended to set ldap.userid to this value to ensure that it does not contain any invalid characters, for example, an apostrophe.
The ldap.userid relates to other configuration values in the ldap.properties file.
For example, if the ldap.userid is set to userPrincipalName, the user must log on to IBM BigFix Remote Control with their full ID, for example awilson@example.com.
- The ldap.userSearch variable would be (userPrincipalName={0}).
- The ldap.principalPattern would be {0}.
If the ldap.userid is set to use sAMAccountName, the user must log on to IBM BigFix Remote Control with just the user ID part of their ID, for example awilson. The following parameters must be set so that the fully qualified name is appended. For example:
- The ldap.userSearch variable would be (userPrincipalName={0}@mydomain.mycompany.com).
For a user awilson@example.com, the ldap.userSearch variable would be (userPrincipalName={0})
- The ldap.principalPattern would be {0}@mydomain.mycompany.com.
For a user awilson@example.com, the ldap.principalPattern would be {0}@example.com.
- ldap.userPassword
- The name of the LDAP attribute in the user's directory entry that contains the user's password.
In Active Directory, password is the default name of the attribute.
ldap.userPassword=password
- ldap.userEmail
- The name of the LDAP attribute in the user's directory entry that contains the user's email
address. Note: The ldap.userEmail property cannot have a null value. If your Active Directory Tree does not contain email information, a different attribute must be used. For example, ldap.userEmail might be set to userPrincipalName.
- ldap.userRealm
- Realm name that is used for user authentication. This setting is optional and can be commented
out in the ldap.properties file for most configurations.
ldap.userRealm=users.company.domain.com
- ldap.principalPattern
- Pattern for constructing the user principal for LDAP authentication. Some LDAP servers require an email address, for example userid@domain.com, and others require the user ID only. The string "{0}" is replaced by the user ID entered at the login screen.
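
A consistency check for the properties described in this section, as an added example (not IBM's code and not part of the product). The function names, the simplified key=value parser and the sample values are assumptions for illustration; the rules it applies are the ones stated above for ldap.digest, ldap.userEmail, ldap.userid, ldap.userSearch and ldap.principalPattern.

```python
import re

# Constructed sample ldap.properties content; values reuse this page's examples.
SAMPLE = """\
ldap.digest=SHA
ldap.userid=sAMAccountName
ldap.userSearch=(userPrincipalName={0}@mydomain.mycompany.com)
ldap.principalPattern={0}
ldap.userEmail=
"""

def parse_properties(text):
    """Parse plain key=value lines (simplified: no escapes or continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint(props):
    """Return findings for settings that contradict the rules in this section."""
    findings = []
    digest = props.get("ldap.digest")
    if digest is not None and digest not in ("SHA", "MD2", "MD5"):
        findings.append("ldap.digest: value must be SHA, MD2 or MD5")
    if not props.get("ldap.userEmail"):
        findings.append("ldap.userEmail: cannot be null")
    userid = props.get("ldap.userid")
    search = props.get("ldap.userSearch", "")
    pattern = props.get("ldap.principalPattern", "")
    for name, value in (("ldap.userSearch", search), ("ldap.principalPattern", pattern)):
        if "{0}" not in value:
            findings.append(name + ": missing {0} placeholder")
    if userid == "userPrincipalName":
        if search != "(userPrincipalName={0})" or pattern != "{0}":
            findings.append("userPrincipalName: expected (userPrincipalName={0}) and {0}")
    elif userid == "sAMAccountName":
        suffix = re.fullmatch(r"\{0\}(@.+)", pattern)
        in_search = re.fullmatch(r"\(userPrincipalName=\{0\}(@[^)]+)\)", search)
        if not suffix:
            findings.append("sAMAccountName: ldap.principalPattern must append @domain")
        elif in_search and in_search.group(1) != suffix.group(1):
            findings.append("sAMAccountName: UPN suffix differs between properties")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(parse_properties(SAMPLE))))
```

Run against the constructed sample, it reports the empty ldap.userEmail and the ldap.principalPattern that lacks the UPN suffix required when ldap.userid is sAMAccountName.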