Configure multiple authenticating attributes

The following procedure provides a general list of steps to follow for configuring your application server so that users can log in using either shortname or distinguished name. You must first configure the Content Engine application server's authentication parameters, and then configure the Content Engine authorization parameters. Then, in some cases, you must also configure the Application Engine authentication parameters so that they match.

NOTE  You can carry out this procedure before or after installing Content Engine and Application Engine. If you have already installed and configured Content Engine, then Configuration Manager has already configured your application server's authentication parameters for one authenticating attribute, for example, using shortname (cn).

The following procedures use the terms shortname and longname, which typically map to the following specific LDAP attributes:

Directory Server    typical shortname equivalent    typical longname equivalent
Active Directory    sAMAccountName                  userPrincipalName or DN
Sun                 uid                             DN
Novell              cn                              DN
IBM                 cn                              DN

To configure for multiple authenticating attributes (shortname and distinguished name)

  1. Log in to the Content Engine application server as an administrator.
  2. Do the following, depending on your application server:
    1. WebSphere - In the profile containing Content Engine:
      1. Set the user filter to:
        (&(|(shortname=%v)(longname=%v))(objectcategory=user))
        The (objectcategory=user) clause is the Active Directory form; for another directory server, keep the objectclass clause that your existing single-attribute user filter already uses.
      2. Set the User ID Map to:
        user:shortname;user:longname
    2. WebLogic - In the domain containing Content Engine:
      1. Create two authentication providers, one using shortname and another using longname.
    3. JBoss - In the JBoss server containing Content Engine:
      1. Edit login-config.xml to allow both types of login. The following example provides a general idea. Notice that the single <authentication> section contains two <login-module> entries, both with flag="sufficient" so that a login succeeds as soon as either lookup authenticates the user, and that the two entries differ only in their baseFilter and roleFilter (one matches on longname, the other on shortname):

        <application-policy name="ibm">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
              <module-option name="java.naming.provider.url">ldap://yourURL:389</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
              <module-option name="bindDN">cn=test1,CN=Users,DC=yourDC</module-option>
              <module-option name="bindCredential">test1</module-option>
              <module-option name="baseCtxDN">CN=Users,DC=yourDC</module-option>
              <module-option name="baseFilter">(longname={0})</module-option>
              <module-option name="rolesCtxDN">CN=Users,DC=yourDC</module-option>
              <module-option name="roleFilter">(longname={0})</module-option>
              <module-option name="roleAttributeID">memberOf</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="roleRecursion">-1</module-option>
            </login-module>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
              <module-option name="java.naming.provider.url">ldap://yourURL:389</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
              <module-option name="bindDN">cn=test1,CN=Users,DC=yourDC</module-option>
              <module-option name="bindCredential">test1</module-option>
              <module-option name="baseCtxDN">CN=Users,DC=yourDC</module-option>
              <module-option name="baseFilter">(shortname={0})</module-option>
              <module-option name="rolesCtxDN">CN=Users,DC=yourDC</module-option>
              <module-option name="roleFilter">(shortname={0})</module-option>
              <module-option name="roleAttributeID">memberOf</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="roleRecursion">-1</module-option>
            </login-module>
          </authentication>
        </application-policy>

        The bindDN account needs only read access to the user and group containers, and its bindCredential appears in clear text in login-config.xml, so restrict read access to that file. With java.naming.security.authentication set to simple over a plain ldap:// URL, the bind password and every user's password cross the network unencrypted; use an ldaps:// URL (or an otherwise protected path to the directory) in production.

        CAUTION   When using JBoss 4.0.5, if CN=Users is missing from the rolesCtxDN module option, you will not be able to log on to Enterprise Manager, which will throw an incorrect user name/password exception.

  3. Restart the application server.
  4. Log in to Enterprise Manager as a GCD administrator.
    1. Right-click the Enterprise Manager Root Folder, and then click Properties.
    2. Click the Directory Configuration tab.
    3. Select the directory configuration entry and click Modify if you changed an existing authentication configuration.
    4. Click Add if you added a new authentication configuration and complete the Create a Directory Configuration Wizard using the same values you just entered into the application server's authentication configuration.
    5. Make the same changes you made in your application server.
  5. If your authentication design requires that the Application Engine application server's authentication parameters exactly match those of the Content Engine application server, log in to the Application Engine application server as an administrator.
    1. Make the same authentication changes on the Application Engine application server that you made for the Content Engine server.

      If your Application Engine software is installed on a different type of application server than the Content Engine application server (a configuration supported only when Application Engine and Content Engine communicate over the Web Services transport), achieving an exact match of the multiple-login configuration might require experimentation and careful testing.
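Before enabling a dual-attribute filter on a live directory, it is worth checking two things the procedure above relies on: that a typed login is substituted into the filter as a literal value (an unescaped `*` or `)` in the `%v` / `{0}` position rewrites the search), and that no value is simultaneously one account's shortname and another account's longname, because then the OR filter returns two entries and the application server cannot map the login to a single principal. The following script is an added example written for this page, not code from the product or its documentation. It models the WebSphere filter `(&(|(shortname=%v)(longname=%v))(objectcategory=user))` and the pair of JBoss `baseFilter` entries over a constructed set of Active Directory-style entries; the entry data, attribute names and the simplified DN normalization are assumptions, and no real LDAP server is contacted.

```python
"""Dual-attribute (shortname / longname) login-resolution check.

Added example: models the user filter used in the procedure over constructed
sample entries so the behaviour can be checked offline before the real
application server and directory are touched.
"""
from typing import Dict, List

# Constructed sample entries in Active Directory style. Not taken from any
# real directory; the collision on "aadams@example.com" is deliberate.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"dn": "CN=Alice Adams,CN=Users,DC=example,DC=com",
     "sAMAccountName": "aadams", "userPrincipalName": "aadams@example.com",
     "objectCategory": "user"},
    {"dn": "CN=Bob Brown,CN=Users,DC=example,DC=com",
     "sAMAccountName": "bbrown", "userPrincipalName": "bbrown@example.com",
     "objectCategory": "user"},
    # This account's shortname equals Alice's longname: an ambiguous login.
    {"dn": "CN=Mallory,CN=Users,DC=example,DC=com",
     "sAMAccountName": "aadams@example.com",
     "userPrincipalName": "mallory@example.com", "objectCategory": "user"},
    # A group must never satisfy the user filter, whatever its name.
    {"dn": "CN=Admins,CN=Users,DC=example,DC=com",
     "sAMAccountName": "Admins", "objectCategory": "group"},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP search filter.

    The application server substitutes the typed login for %v / {0}; if that
    substitution is not escaped, a login such as '*' or 'x)(objectcategory=*'
    changes the meaning of the filter instead of being matched literally.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(shortname: str, longname: str, login: str) -> str:
    """The WebSphere-style dual-attribute user filter for one login value."""
    v = escape_filter_value(login)
    return f"(&(|({shortname}={v})({longname}={v}))(objectcategory=user))"


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization (assumption: no escaped commas and no
    multi-valued RDNs): trim whitespace around ',' and '=', lower-case."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join("=".join(s.strip() for s in p.split("=", 1))
                    for p in parts).lower()


def attr_matches(entry: Dict[str, str], attr: str, login: str) -> bool:
    """Case-insensitive equality match, treating attr 'dn' as the entry DN."""
    if attr.lower() == "dn":
        return normalize_dn(entry["dn"]) == normalize_dn(login)
    value = entry.get(attr)
    return value is not None and value.lower() == login.lower()


def resolve_login(entries: List[Dict[str, str]], shortname: str,
                  longname: str, login: str) -> List[Dict[str, str]]:
    """Entries the dual-attribute filter would return for `login`.

    Mirrors (&(|(shortname=%v)(longname=%v))(objectcategory=user)), and the
    two JBoss login modules marked flag="sufficient", which also try both
    attributes. The login is matched literally, which is what escaping gives.
    """
    return [e for e in entries
            if e.get("objectCategory", "").lower() == "user"
            and (attr_matches(e, shortname, login)
                 or attr_matches(e, longname, login))]


def find_ambiguous_logins(entries: List[Dict[str, str]], shortname: str,
                          longname: str) -> Dict[str, List[str]]:
    """Login values for which the filter returns more than one user entry.

    Returns {login value: sorted DNs it matches}. An empty dict means every
    shortname and longname in the directory maps to exactly one account.
    """
    problems: Dict[str, List[str]] = {}
    users = [e for e in entries if e.get("objectCategory", "").lower() == "user"]
    for e in users:
        for attr in (shortname, longname):
            login = e["dn"] if attr.lower() == "dn" else e.get(attr)
            if not login:
                continue
            hits = resolve_login(entries, shortname, longname, login)
            if len(hits) > 1:
                problems[login] = sorted(h["dn"] for h in hits)
    return problems


if __name__ == "__main__":
    print(build_user_filter("sAMAccountName", "userPrincipalName", "a)(cn=*"))
    for login in ("aadams", "aadams@example.com", "Admins", "*"):
        hits = resolve_login(SAMPLE_ENTRIES, "sAMAccountName", "userPrincipalName", login)
        print(f"{login!r}: {[h['dn'] for h in hits]}")
    print(find_ambiguous_logins(SAMPLE_ENTRIES, "sAMAccountName", "userPrincipalName"))
```

Run the ambiguity check with the shortname and longname attributes you intend to configure (for the DN-as-longname case, pass `"dn"` as the longname) against an export of the real user container before switching the application server to the dual filter; any entry in its result is a login that will fail or, depending on the server, resolve to the wrong account.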