Hitachi

uCosminexus Application Server Security Management Guide


5.2.4 Management method of user information used for integrated user management

This section describes the management method of user information used for integrated user management.

Integrated user management uses an LDAP directory server or a database as the repository that stores user information. In the LDAP directory server, a DIT (Directory Information Tree) is used to manage user and organization information. The users and realms are managed as DIT entries in the LDAP directory server used in the integrated user management framework. An entry is a unit of information that makes up the DIT and is a node of the DIT. Each entry is identified by a DN (Distinguished Name).

Cosminexus specifies the DIT structure of the standard user management repository stored in the LDAP directory server used in the integrated user management framework. There are two types of repositories used in the integrated user management framework:

These repositories have the directory structures as shown in the following figure.

Figure 5‒7: Repository DIT structure in the integrated user management framework

[Figure]

A description of these repositories follows:


(1) User information repository (in the LDAP directory server)

The user information used for user authentication is stored in the user information repository. The integrated user management framework authenticates the user based on the user information stored in the user information repository of the LDAP directory server, and then passes the authenticated user information to the application. The user authentication library is used to reference the user information in the user information repository. The following figure shows the DIT structure of the user information repository.

Figure 5‒8: DIT structure of the user information repository

[Figure]

Create a user information repository for each managed realm.

(a) Realms

Specify a JAAS-based user management realm name. The realm name must conform to the guidelines specified in the following table:

Table 5‒2: Realm name guidelines

Type of information | Meaning | Grammar
Realm name | The identifier that indicates the scope of user management | A string of alphanumeric characters. Not case sensitive. Specify a name that can be used in a DN.

Note: A string of alphanumeric characters means a sequence of alphabetical characters (A to Z and a to z) and numbers (0 to 9). Use ASCII characters in realm names. (The program does not check the grammar.)

(b) Application-specific Information

Use this repository to store the information that is specific to the application using the realm, when necessary. This does not contain information necessary for the integrated user management framework.

(c) User authentication library base DN

This is the entry above the user entries belonging to the realm. Each user entry belonging to the realm must be below this entry. If the user entries are not immediately below this entry, the com.cosminexus.admin.auth.ldap.search.scope option in ua.conf (the integrated user management configuration file) must be changed. The information specified in this entry must also be specified in jaas.conf (the JAAS configuration file). For details about the configuration files, see 14.2.1 jaas.conf (JAAS configuration file).

(d) User entry

This defines the user information. In the user authentication library, the attributes listed in the following table must be contained in the user information.

Table 5‒3: Necessary attributes in user information

Attribute name | Description | Necessity
User ID | Stores the user ID; the attribute must be a character string (such as cis). By default, the uid attribute name is used. | Required
Password | Stores the password; the attribute is binary. The values are stored either in plain text or encrypted. If no value is specified for this attribute, the account is invalid. By default, the userPassword attribute name is used. | Optional
Other attributes | Defined by each application | Follow the application specifications.

The user ID and password attribute names can be changed in jaas.conf (the JAAS configuration file).

(e) Notes

The directory structure of the user information repository conforms to the DIT structure recommended in JAAS-based user management. When a different structure is used for management, user entries that meet the following conditions must be created under the "user authentication library base DN".

  • The user ID and password must be in the same object class.

  • The password must be binary. In addition, it is recommended that the password values be encrypted. When the values are stored in plain text, export them to an .ldif file, encrypt the file with the convpw command, and then register the encrypted values as the password. For details about the convpw command, see convpw (Password encryption).

  • Although the user ID and password can have the same attribute name in the multi-value format, the Cosminexus system allows only one attribute name in one object class. If there is more than one attribute name, the one detected first is used.

  • The user ID attribute used as the user ID must be unique in the realm (at all the levels below the user information repository base DN).

The user information repository base DN and the attribute names of the user ID and password are specified in ua.conf (the integrated user management configuration file). To learn more about ua.conf, see 14.2.2 ua.conf (integrated user management configuration file).
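The following script is an added example (not part of this manual or the Cosminexus product) that pre-checks a realm name against the Table 5‒2 grammar, which the program itself does not check, and checks exported user entries against the conditions in (e): a missing password value makes the account invalid, plain-text passwords should be encrypted, and the user ID must be unique at every level below the base DN. The LDIF sample, the DN suffix and the "{scheme}" prefix used to recognise an encrypted value are assumptions; uid and userPassword are the page's default attribute names.

```python
# Constructed LDIF for one realm of a user information repository (added example; the DN
# suffix is an assumption, uid and userPassword are the page's default attribute names).
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,o=realmA,dc=example,dc=com
uid: alice
userPassword: {SSHA}constructed-hash-value

dn: uid=bob,ou=Users,o=realmA,dc=example,dc=com
uid: bob
userPassword: plaintext-secret

dn: uid=carol,ou=Users,o=realmA,dc=example,dc=com
uid: carol

dn: uid=alice,ou=Staff,ou=Users,o=realmA,dc=example,dc=com
uid: alice
userPassword: {SSHA}another-constructed-hash
"""

def realm_name_ok(name):
    # Table 5-2: ASCII letters and digits only; the product does not check this itself.
    return name.isascii() and name.isalnum()

def parse_ldif(text):
    # Minimal parser: one dict per entry with dn as an ordinary key; no folding or base64.
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key, []).append(value.strip())
        entries.append(attrs)
    return entries

def check_user_entries(text, uid_attr="uid", pw_attr="userPassword"):
    # Apply the section (e) conditions to every user entry below the base DN.
    findings, seen = [], {}
    for attrs in parse_ldif(text):
        if uid_attr not in attrs:
            continue  # not a user entry
        dn, uid = attrs["dn"][0], attrs[uid_attr][0]
        if uid in seen:  # user ID must be unique at all levels below the base DN
            findings.append(f"duplicate {uid_attr} '{uid}': {dn} and {seen[uid]}")
        seen.setdefault(uid, dn)
        pw = attrs.get(pw_attr)
        if not pw:  # no password value: the account is invalid
            findings.append(f"{dn}: missing {pw_attr}")
        elif not pw[0].startswith("{"):  # assumed marker of an encrypted value
            findings.append(f"{dn}: {pw_attr} stored in plain text")
    return findings
```

Run check_user_entries on an .ldif export of the realm before registering it; the uid_attr and pw_attr parameters follow whatever attribute names are configured in jaas.conf.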

(2) User information repository (in the database)

The integrated user management framework authenticates users based on the user information stored in the database. In the database, ensure that the passwords can be retrieved based on the user IDs.

(3) Single sign-on information repository

The single sign-on information repository stores the system authentication and mapping information used to authenticate single sign-on users. The integrated user management framework implements single sign-on by mapping users based on the user information stored in the single sign-on information repository of the LDAP directory server. The user information in the single sign-on information repository can be referenced by using the single sign-on library. The following figure shows the DIT structure of the single sign-on information repository.

Figure 5‒9: DIT structure of the single sign-on information repository

[Figure]

(a) Single sign-on information repository base DN

This is the uppermost entry of the DIT, which manages the necessary information for single sign-on. This entry is specified in ua.conf (the integrated user management configuration file). To learn more about ua.conf, see 14.2.2 ua.conf (integrated user management configuration file). The file is not case sensitive. The specified values are set to the ou attribute of the standard object class, organizationalUnit.

(b) Realms

The user information is managed per realm. The realm name in the single sign-on information repository is not case sensitive. The specified values are set to the ou attribute of the standard object class, organizationalUnit.

(c) User entry

This entry stores the user's authentication information and the destinations (DNs) of the user's entries in the applications with user management that the user can access via single sign-on. The following figure shows the user entry structure.

Figure 5‒10: User entry structure

[Figure]

Administration identifier

This is the identifier that is automatically set when a user entry is registered in the single sign-on library.

User ID

A unique user ID is specified for each realm by using a character string. The user ID is case sensitive.

Encrypted data

This stores the data that needs to be encrypted at the time of registration. For example, the password is encrypted when stored in this attribute.

Non-encrypted data

This stores authentication information, other than the user ID and the encrypted data, that does not need to be encrypted. For example, the user group ID is stored here.

DN of the user entry of the application with user management

This stores the destination (DN) of the user authentication information of the application with user management, which the user can access via single sign-on. It can have more than one value.