The user information used for user authentication is stored in the user information repository. The integrated user management framework authenticates the user based on the user information stored in the user information repository of the LDAP directory server, and then passes the authenticated user information to the application. The user authentication library is used to reference the user information in the user information repository. The following figure shows the DIT structure of the user information repository.

Figure 5-8 DIT structure of the user information repository

Create a user information repository for each managed realm.

(a) Realms

Specify a JAAS-based user management realm name. The realm name must conform to the guidelines specified in the following table:

Table 5-2 Realm name guidelines

Type of information	Meaning	Grammar
Realm name	The identifier that indicates the scope of user management	A string of alphanumeric characters Not case sensitive Specify the name that can be used in the DN.

Note: A string of alphanumeric characters means a sequence of alphabetical characters (A to Z and a to z) and numbers (0 to 9). Use ASCII characters in realm names. (The program does not check the grammar.)

(b) Application-specific Information

Use this repository to store the information that is specific to the application using the realm, when necessary. This does not contain information necessary for the integrated user management framework.

(c) User authentication library base DN

This is an upper entry of the user entry belonging to the realm. Each user entry belonging to the realm must be below this level. If the user entry is not immediately below this entry, the com.cosminexus.admin.auth.ldap.search.scope option in ua.conf (the integrated user management configuration file) must be changed. The information specified in this entry must also be specified in jaas.conf (the JAAS configuration file). For details about the configuration files, see 14.2 jaas.conf (JAAS configuration file).

(d) User entry

This defines the user information. In the user authentication library, the attributes listed in the following table must be contained in the user information.

Table 5-3 Necessary attributes in user information

Attribute name	Description	Necessity
User ID	Stores the user ID; the attribute must be a character string (such as cis). By default, the uid attribute name is used.	Required
Password	Stores the password; the attribute is binary. The values are either stored in plain text or encrypted. If no values are specified for this attribute, the account will be invalid. By default, the userPassword attribute name is used.	Optional
Other attributes	Defined by each application	Follow the application specifications.

The user ID and password attribute names can be changed in jaas.conf (the JAAS configuration file).

(e) Notes

The directory structure of the user information repository conforms to the DIT structure recommended in the JAAS-based user management. When a different structure is used for management, the user entry that meets the following conditions must be created under the "user authentication library base DN".

• The user ID and password must be in the same object class.
• The password must be binary. In addition, it is recommended that the password values be encrypted. When the values are stored in plain text, export them to an .ldif file format, encrypt the file with the convpw command, and then register the encrypted values as the password. For details about the convpw command, see convpw (Password encryption).
• Although the user ID and password can have the same attribute name in the multi-value format, the Cosminexus system allows only one attribute name in one object class. If there is more than one attribute name, the one detected first is used.
• The user ID attribute used as the user ID must be unique in the realm (at all the levels below the user information repository base DN).

The user information repository base DN and the attribute names of the user ID and password are specified in ua.conf (the integrated user management configuration file). To learn more about ua.conf, see 14.3 ua.conf (integrated user management configuration file).

The integrated user management framework authenticates users based on the user information stored in the database. In the database, ensure that the passwords can be retrieved based on the user IDs.

The single sign-on information repository stores the system authentication and mapping information used to authenticate single sign-on users. The integrated user management framework implements single sign-on by mapping users based on the user information stored in the single sign-on information repository of the LDAP directory server. The user information in the single sign-on information repository can be referenced by using the single sign-on library. The following figure shows the DIT structure of the single sign-on information repository.

Figure 5-9 DIT structure of the single sign-on information repository

(a) Single sign-on information repository base DN

This is the uppermost entry of the DIT, which manages the necessary information for single sign-on. This entry is specified in ua.conf (the integrated user management configuration file). To learn more about ua.conf, see 14.3 ua.conf (integrated user management configuration file). The file is not case sensitive. The specified values are set to the ou attribute of the standard object class, organizationalUnit.

(b) Realms

The user information is managed per realm. The realm name in the single sign-on information repository is not case sensitive. The specified values are set to the ou attribute of the standard object class, organizationalUnit.

(c) User entry

This is the entry used to store the user authentication information and destination used for user management and the applications that can be accessed via single sign-on. The following figure shows the user entry structure.

Figure 5-10 User entry structure

Administration identifier

This is the identifier that is automatically set when a user entry is registered in the single sign-on library.

User ID

A unique user ID is specified for each realm by using a character string. The user ID is case sensitive.

Encrypted data

This stores the data that needs to be encrypted at the time of registration. For example, the password is encrypted when stored in this attribute.

Non-encrypted data

This stores the necessary information for authentication other than the user ID and the encrypted data that does not need to be encrypted. For example, the user group ID is stored here.

DN of the user entry of the application with user management

This stores the destination (DN) of the user authentication information of the application with user management, which the user can access via single sign-on. It can have more than one value.