Configure multiple authenticating attributes

The following procedure provides a general list of steps for configuring your application server so that users can log in with either their shortname or their distinguished name. You must first configure the Content Engine (CE) application server's authentication parameters, then CE's own authorization parameters, and then, in some cases, the Application Engine's (AE) authentication parameters as well.

NOTE  You can carry out this procedure before or after installing CE and AE. If you have already installed and configured CE, then Configuration Manager has already configured your application server's authentication parameters for one authenticating attribute, for example, using shortname (cn).

The following procedures use the terms shortname and longname, which typically map to the following LDAP attributes:

Directory Server     Typical shortname equivalent    Typical longname equivalent
Active Directory     sAMAccountName                  userPrincipalName or DN
Sun                  uid                             DN
Novell               cn                              DN
IBM                  cn                              DN

To configure for multiple authenticating attributes (shortname and distinguished name)

  1. Log on to CE's application server as an administrator.
  2. Do the following, depending on your application server:
    1. WebSphere - In the profile containing Content Engine:
      1. Set the user filter to:
        (&(|(shortname=%v)(longname=%v))(objectcategory=user))
      2. Set the User ID Map to:
        user:shortname;user:longname
    2. WebLogic - In the domain containing CE:
      1. Create two authentication providers, one that looks users up by shortname and another that looks them up by longname.
    3. JBoss - In the JBoss server containing CE:
      1. Edit login-config.xml to allow both types of login. The following example provides a general idea. Notice the two <login-module> elements inside the single <authentication> section: they are identical except for their baseFilter and roleFilter entries, and both carry flag="sufficient" so that a user found by either attribute is authenticated. The bindDN, bindCredential, yourURL and yourDC values are placeholders; in production, bind with a dedicated low-privilege account rather than a test user, and note that simple authentication over plain ldap:// on port 389 sends the bind credential in cleartext unless the connection is protected by LDAPS or StartTLS.

        <application-policy name="ibm">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
              <module-option name="java.naming.provider.url">ldap://yourURL:389</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
              <module-option name="bindDN">cn=test1,CN=Users,DC=yourDC</module-option>
              <module-option name="bindCredential">test1</module-option>
              <module-option name="baseCtxDN">CN=Users,DC=yourDC</module-option>
              <module-option name="baseFilter">(longname={0})</module-option>
              <module-option name="rolesCtxDN">CN=Users,DC=yourDC</module-option>
              <module-option name="roleFilter">(longname={0})</module-option>
              <module-option name="roleAttributeID">memberOf</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="roleRecursion">-1</module-option>
            </login-module>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
              <module-option name="java.naming.provider.url">ldap://yourURL:389</module-option>
              <module-option name="java.naming.security.authentication">simple</module-option>
              <module-option name="allowEmptyPasswords">false</module-option>
              <module-option name="bindDN">cn=test1,CN=Users,DC=yourDC</module-option>
              <module-option name="bindCredential">test1</module-option>
              <module-option name="baseCtxDN">CN=Users,DC=yourDC</module-option>
              <module-option name="baseFilter">(shortname={0})</module-option>
              <module-option name="rolesCtxDN">CN=Users,DC=yourDC</module-option>
              <module-option name="roleFilter">(shortname={0})</module-option>
              <module-option name="roleAttributeID">memberOf</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="roleRecursion">-1</module-option>
            </login-module>
          </authentication>
        </application-policy>

        CAUTION   When using JBoss 4.0.5, if CN=Users is missing from the rolesCtxDN module option, you will not be able to log on to Enterprise Manager, which throws an incorrect user name/password exception.

  3. Restart the application server.
  4. Log on to Enterprise Manager (EM) as a GCD administrator.
    1. Right-click the EM Root Folder, and then click Properties.
    2. Click the Directory Configuration tab.
    3. If you changed an existing authentication configuration, select its directory configuration entry and click Modify.
    4. If you added a new authentication configuration, click Add and complete the Create a Directory Configuration Wizard.
    5. In either case, enter the same values that you just entered into the application server's authentication configuration, so that CE's authorization lookups resolve the same users that the application server authenticates.
  5. If your authentication design requires that AE's application server authentication parameters exactly match those of CE's application server, log on to AE's application server as an administrator.
    1. Make the same authentication changes on AE's application server that you made for CE.

      If AE is installed on a different application server type than CE (supported only when AE and CE communicate over the Web Services transport), achieving an exact match of the multiple-login configuration might require experimentation and careful testing.
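The procedure above leaves you with two search filters (the WebSphere user filter with its %v placeholder, and the two JBoss baseFilter entries with their {0} placeholder) but no way to check, before restarting the application server, that a given login name selects exactly one user under either attribute. The following is an added example, not code from the IBM documentation or from the FileNet P8 product: it builds those filters for the Active Directory attribute pair from the table (sAMAccountName and userPrincipalName), substitutes a login name with RFC 4515 escaping, and evaluates the result against a small constructed in-memory directory. The directory entries, the simplified objectCategory value, and the evaluator (which supports only the &, | and equality forms used on this page) are assumptions made for the demo; against a real directory you would run the same concrete filter with an LDAP client.

```python
"""Added example (not from the FileNet P8 documentation): build the WebSphere and
JBoss user filters described above for a shortname/longname attribute pair,
substitute a login name with RFC 4515 escaping, and evaluate the result against
a small constructed in-memory directory to confirm that both login forms select
the same entry and that filter metacharacters in a login name cannot widen the match."""
import re

# ---- filter construction (the forms shown in the WebSphere and JBoss steps) ----

def websphere_user_filter(short_attr, long_attr, object_filter="(objectcategory=user)"):
    """WebSphere user filter: either attribute may equal the login name (%v)."""
    return f"(&(|({short_attr}=%v)({long_attr}=%v)){object_filter})"

def websphere_user_id_map(short_attr, long_attr):
    """WebSphere User ID Map listing both attributes."""
    return f"user:{short_attr};user:{long_attr}"

def jboss_base_filters(short_attr, long_attr):
    """baseFilter values for the two LdapExtLoginModule entries ({0} = login name)."""
    return [f"({long_attr}={{0}})", f"({short_attr}={{0}})"]

# ---- RFC 4515 value escaping ----

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape the characters that would otherwise alter filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def substitute(template, login, placeholder="%v", escape=True):
    """Replace the placeholder with the login name; escape=False shows the unsafe case."""
    return template.replace(placeholder, escape_filter_value(login) if escape else login)

# ---- minimal evaluator for (&...), (|...) and (attr=value) filters (demo only) ----

def _unescape(raw):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def _value_matcher(raw):
    """Unescaped '*' is a wildcard; escaped bytes such as \\2a are literal."""
    parts = [re.escape(_unescape(p)) for p in raw.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)

def _parse(s, i):
    """Parse one parenthesised filter at s[i]; return (node, index after it)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated {op} filter")
        return (op, kids), i + 1
    end = s.find(")", i)               # a literal ')' inside a value is escaped as \29
    if end < 0:
        raise ValueError("unterminated equality filter")
    attr, sep, raw = s[i:end].partition("=")
    if not sep:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    return ("=", attr, raw), end + 1

def _eval(node, entry):
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, entry) for k in node[1])
    _, attr, raw = node
    pat = _value_matcher(raw)
    return any(pat.fullmatch(v) for v in entry.get(attr.lower(), []))

def matches(filter_str, entry):
    """True if the entry (attribute -> list of values) satisfies the filter."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return _eval(node, {k.lower(): v for k, v in entry.items()})

# ---- constructed sample directory (Active Directory row of the table above) ----
# objectCategory is simplified to a short value for this demo; assumed, not real data.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": ["jsmith"], "userPrincipalName": ["jsmith@example.com"], "objectCategory": ["user"]},
    {"sAMAccountName": ["svc-ce"], "userPrincipalName": ["svc-ce@example.com"], "objectCategory": ["user"]},
    {"sAMAccountName": ["ws01$"], "objectCategory": ["computer"]},
]

def lookup(template, login, placeholder="%v", escape=True):
    """Entries the application server's user search would return for this login."""
    concrete = substitute(template, login, placeholder, escape)
    return [e for e in SAMPLE_DIRECTORY if matches(concrete, e)]

if __name__ == "__main__":
    tmpl = websphere_user_filter("sAMAccountName", "userPrincipalName")
    print(tmpl)
    print(websphere_user_id_map("sAMAccountName", "userPrincipalName"))
    print(jboss_base_filters("sAMAccountName", "userPrincipalName"))
    for login in ("jsmith", "jsmith@example.com", "ws01$", "*", "x)(sAMAccountName=*"):
        found = [e["sAMAccountName"][0] for e in lookup(tmpl, login)]
        print(f"{login!r:28} -> {found}")
```

The point of the last two logins in the loop is the check a practitioner wants before enabling a second attribute: with escaping, "*" and an injected ")(sAMAccountName=*" select nothing, whereas substituting the raw login (escape=False) turns the filter into one that matches every user entry. The application servers perform this substitution themselves; the example shows what the resulting filter must look like so that you can compare it with what you see in the directory server's access log when you test the configuration.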