5.2.4 Management method of user information used for integrated user management
This section describes the management method of user information used for integrated user management.
Integrated user management uses either an LDAP directory server or a database as the repository that stores user information. In the LDAP directory server, a DIT (Directory Information Tree) is used to manage the user and organization information. In the integrated user management framework, users and realms are managed as DIT entries in the LDAP directory server. An entry is the unit of information that makes up the DIT and is a node of the DIT. Each entry is identified by a DN (Distinguished Name).
Cosminexus specifies the DIT structure of the standard user management repository stored in the LDAP directory server used in the integrated user management framework. There are two types of repositories used in the integrated user management framework:
- User information repository
  This stores the user information.
- Single sign-on information repository
  This stores the authentication and mapping information used by the systems to authenticate single sign-on users by performing user mapping in the integrated user management framework.
These repositories have the directory structures shown in the following figure.
(Figure: directory structures of the user information repository and the single sign-on information repository)
A description of these repositories follows:
(1) User information repository (in the LDAP directory server)
The user information used for user authentication is stored in the user information repository. The integrated user management framework authenticates the user based on the user information stored in the user information repository of the LDAP directory server, and then passes the authenticated user information to the application. The user authentication library is used to reference the user information in the user information repository. The following figure shows the DIT structure of the user information repository.
(Figure: DIT structure of the user information repository)
Create a user information repository for each managed realm.
(a) Realms
Specify a JAAS-based user management realm name. The realm name must conform to the guidelines specified in the following table:

Type of information | Meaning | Grammar
---|---|---
Realm name | The identifier that indicates the scope of user management | A string of alphanumeric characters. Not case sensitive. Specify a name that can be used in a DN.

Note: A string of alphanumeric characters means a sequence of alphabetical characters (A to Z and a to z) and numbers (0 to 9). Use ASCII characters in realm names. (The program does not check the grammar.)
(b) Application-specific Information
Use this repository to store the information that is specific to the application using the realm, when necessary. This does not contain information necessary for the integrated user management framework.
(c) User authentication library base DN
This is the entry above the user entries belonging to the realm. Each user entry belonging to the realm must be located below this entry. If the user entries are not immediately below this entry, the com.cosminexus.admin.auth.ldap.search.scope option in ua.conf (the integrated user management configuration file) must be changed so that lower levels are searched. The information specified in this entry must also be specified in jaas.conf (the JAAS configuration file). For details about the configuration files, see 14.2.1 jaas.conf (JAAS configuration file).
(d) User entry
This defines the user information. In the user authentication library, the attributes listed in the following table must be contained in the user information.

Attribute name | Description | Necessity
---|---|---
User ID | Stores the user ID; the attribute must be a character string (such as cis). By default, the uid attribute name is used. | Required
Password | Stores the password; the attribute is binary. The values are stored either in plain text or encrypted. If no value is specified for this attribute, the account is invalid. By default, the userPassword attribute name is used. | Optional
Other attributes | Defined by each application | Follow the application specifications.

The user ID and password attribute names can be changed in jaas.conf (the JAAS configuration file).
(e) Notes
The directory structure of the user information repository conforms to the DIT structure recommended in the JAAS-based user management. When a different structure is used for management, user entries that meet the following conditions must be created under the "user authentication library base DN".
- The user ID and password must be in the same object class.
- The password must be binary. In addition, it is recommended that the password values be encrypted. When the values are stored in plain text, export them to an .ldif file, encrypt the file with the convpw command, and then register the encrypted values as the password. For details about the convpw command, see convpw (Password encryption).
- Although the user ID and password attributes can be multi-valued (the same attribute name with several values), the Cosminexus system allows only one attribute name in one object class. If there is more than one attribute name, the one detected first is used.
- The attribute used as the user ID must be unique in the realm (at all levels below the user information repository base DN).

The user information repository base DN and the attribute names of the user ID and password are specified in ua.conf (the integrated user management configuration file). To learn more about ua.conf, see 14.2.2 ua.conf (integrated user management configuration file).
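The following is an added example, not Cosminexus code, that checks a set of LDAP user entries against the rules stated above for the user information repository: the realm-name grammar, whether every user entry sits under the user authentication library base DN (and whether any lie more than one level below it, which would require changing the search scope), the presence and binary type of the password attribute, and user ID uniqueness within the realm. The base DN, attribute names and entries are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample data, not from a real deployment: realm "sales", whose
# user authentication library base DN is assumed to be ou=People,ou=sales,o=example.
BASE_DN = "ou=People,ou=sales,o=example"
SAMPLE_ENTRIES = [
    {"dn": "uid=alice," + BASE_DN, "uid": "alice", "userPassword": b"<encrypted>"},
    {"dn": "uid=bob," + BASE_DN, "uid": "bob"},                        # no password
    {"dn": "uid=alice,ou=temp," + BASE_DN, "uid": "alice", "userPassword": b"<encrypted>"},
    {"dn": "uid=carol,ou=People,ou=hr,o=example", "uid": "carol", "userPassword": b"<encrypted>"},
]

def valid_realm_name(name):
    """Realm grammar from the text: ASCII letters and digits only."""
    return re.fullmatch(r"[A-Za-z0-9]+", name) is not None

def rdns(dn):
    """Split a DN into lower-cased RDNs; escaped commas are not handled here."""
    return [part.strip().lower() for part in dn.split(",")]

def depth_below(dn, base_dn):
    """Levels between dn and base_dn (1 = immediate child), or None if not under it."""
    parts, base = rdns(dn), rdns(base_dn)
    if len(parts) <= len(base) or parts[-len(base):] != base:
        return None
    return len(parts) - len(base)

def check_repository(entries, base_dn, uid_attr="uid", pw_attr="userPassword"):
    """Return (findings, needs_subtree_scope) for the user entries of one realm."""
    findings, uids, needs_subtree = [], Counter(), False
    for e in entries:
        depth = depth_below(e["dn"], base_dn)
        if depth is None:
            findings.append(f"{e['dn']}: outside base DN, never authenticated")
            continue
        if depth > 1:
            needs_subtree = True  # an immediate-child search would miss this entry
        uids[e[uid_attr]] += 1
        pw = e.get(pw_attr)
        if pw is None:
            findings.append(f"{e['dn']}: no {pw_attr}, account is invalid")
        elif not isinstance(pw, bytes):
            findings.append(f"{e['dn']}: {pw_attr} must be binary")
    for uid, n in uids.items():
        if n > 1:
            findings.append(f"{uid_attr}={uid}: {n} entries, must be unique in realm")
    return findings, needs_subtree

if __name__ == "__main__":
    for line in check_repository(SAMPLE_ENTRIES, BASE_DN)[0]:
        print(line)
```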
(2) User information repository (in the database)
The integrated user management framework authenticates users based on the user information stored in the database. The database must be designed so that a password can be retrieved from its user ID.
(3) Single sign-on information repository
The single sign-on information repository stores the system authentication and mapping information used to authenticate single sign-on users. The integrated user management framework implements single sign-on by mapping users based on the user information stored in the single sign-on information repository of the LDAP directory server. The user information in the single sign-on information repository can be referenced by using the single sign-on library. The following figure shows the DIT structure of the single sign-on information repository.
(Figure: DIT structure of the single sign-on information repository)
(a) Single sign-on information repository base DN
This is the uppermost entry of the DIT that manages the information necessary for single sign-on. This entry is specified in ua.conf (the integrated user management configuration file). To learn more about ua.conf, see 14.2.2 ua.conf (integrated user management configuration file). The specified value is not case sensitive. It is set to the ou attribute of the standard object class, organizationalUnit.
(b) Realms
The user information is managed per realm. The realm name in the single sign-on information repository is not case sensitive. The specified value is set to the ou attribute of the standard object class, organizationalUnit.
(c) User entry
This is the entry that stores the user authentication information used for user management, and the destinations of the applications that can be accessed via single sign-on. The following figure shows the user entry structure.
(Figure: structure of a user entry in the single sign-on information repository)
- Administration identifier
  This is the identifier that is automatically set when a user entry is registered with the single sign-on library.
- User ID
  A unique user ID is specified for each realm as a character string. The user ID is case sensitive.
- Encrypted data
  This stores the data that must be encrypted at the time of registration. For example, the password is encrypted when stored in this attribute.
- Non-encrypted data
  This stores the information necessary for authentication, other than the user ID and the encrypted data, that does not need to be encrypted. For example, the user group ID is stored here.
- DN of the user entry of the application with user management
  This stores the destination (DN) of the user authentication information of the application with user management, which the user can access via single sign-on. It can have more than one value.