realm-name {
com.borland.security.provider.authn.BasicLoginModule authentication-requirements-flag
DRIVER=driver-name
URL=database-URL
TYPE=basic|tomcat
LOGINUSERID=user-name
LOGINPASSWORD=password
[USERTABLE=user-table-name]
[GROUPTABLE=group-table-name]
[GROUPNAMEFIELD=group-name-field-of-GROUPTABLE]
[PASSWORDFIELD=field-name]
[USERNAMEFIELDINUSERTABLE=field-name]
[USERNAMEFIELDINGROUPTABLE=field-name]
[DIGEST=digest-name]
};
DRIVER: Fully-qualified class name of the JDBC driver to be used with the password backend, for example com.borland.datastore.jdbc.DataStoreDriver.

TYPE: The schema type, basic or tomcat. Note: if TYPE is set to tomcat, all of the properties shown in square brackets ([..]) must also be set.

DIGEST: Since passwords should never be stored in clear text, VisiSecure always digests the password and stores the result in the database. The DIGEST option selects the digest algorithm. By default, SHA is used for a basic-typed schema and MD5 for a tomcat-typed schema; you can change this by including and setting the DIGEST option. If the JVM cannot find an engine for the requested digest, SHA is used instead. If an SHA engine cannot be found either, authentication always fails.

realm-name {
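To make the digest-selection rules concrete, here is an added Python model of the policy just described; it is not VisiSecure code. It assumes the stored value is the hex digest of the password alone (this page mentions no salt), that "SHA" means SHA-1 as in the Java Cryptography Architecture alias, and that the engine table in the example is the only source of available algorithms. The names DEFAULT_DIGEST, select_digest, digest_password and verify_password are the example's own.

```python
"""Model of the BasicLoginModule digest policy: explicit DIGEST option, else the
schema default, else SHA, else fail. Added example, not VisiSecure code."""
import hashlib
import hmac

# Default digest per schema type, as stated in the option description.
DEFAULT_DIGEST = {"basic": "SHA", "tomcat": "MD5"}

# JCA-style names mapped to hashlib constructors. Assumption: in this model only
# these engines exist; any other name counts as "not found by the JVM".
# "SHA" is the JCA alias for SHA-1.
_ENGINES = {"SHA": hashlib.sha1, "MD5": hashlib.md5, "SHA-256": hashlib.sha256}


class DigestUnavailable(Exception):
    """Raised when neither the requested digest nor the SHA fallback exists."""


def select_digest(schema_type, digest=None, available=_ENGINES):
    """Return the engine name that will actually be used for this realm."""
    requested = digest or DEFAULT_DIGEST[schema_type]
    if requested in available:
        return requested
    if "SHA" in available:          # requested engine missing: fall back to SHA
        return "SHA"
    raise DigestUnavailable("no engine for %s and no SHA fallback" % requested)


def digest_password(password, schema_type, digest=None, available=_ENGINES):
    """Hex digest as it would be stored in PASSWORDFIELD under this model
    (password only, no salt: an assumption, since the page names none)."""
    name = select_digest(schema_type, digest, available)
    return available[name](password.encode("utf-8")).hexdigest()


def verify_password(stored_hex, candidate, schema_type, digest=None, available=_ENGINES):
    """Constant-time comparison of a login attempt against the stored digest.

    Returns False rather than raising when no usable engine exists, which is
    the "authentication will always fail" behaviour described above.
    """
    try:
        computed = digest_password(candidate, schema_type, digest, available)
    except DigestUnavailable:
        return False
    return hmac.compare_digest(stored_hex, computed)


if __name__ == "__main__":
    # Constructed sample: the krish / krishpwd user from the userdbadmin walkthrough.
    stored = digest_password("krishpwd", "basic")
    print("basic default engine:", select_digest("basic"), "->", stored)
    print("tomcat default engine:", select_digest("tomcat"))
    print("unknown engine falls back to:", select_digest("basic", digest="WHIRLPOOL"))
    print("login ok:", verify_password(stored, "krishpwd", "basic"))
    print("login bad:", verify_password(stored, "wrong", "basic"))
```

The constant-time comparison in verify_password is the check a practitioner should expect on the verification side. Note also what this policy implies for the data at rest: if no salt is applied (the page does not mention one), PASSWORDFIELD holds a plain SHA-1 or MD5 of the password, both of which are fast to compute, so anyone with read access to USERTABLE can run an offline dictionary attack against the stored values. Keep LOGINUSERID a least-privilege database account and restrict who can read that table.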
com.borland.security.provider.authn.JDBCLoginModule authentication-requirements-flag
DRIVER=driver-name
URL=database-URL
[DBTYPE=type]
USERTABLE=user-table-name
USERNAMEFIELD=user-name-field-of-USERTABLE
ROLETABLE=role-table-name
ROLENAMEFIELD=field-name
USERNAMEFIELDINROLETABLE=field-name
};
DRIVER: Fully-qualified class name of the JDBC driver to be used with the realm, for example com.borland.datastore.jdbc.DataStoreDriver.

USERNAMEFIELD: The field in USERTABLE containing the usernames.

ROLENAMEFIELD: The field in ROLETABLE where the role information is stored.

USERNAMEFIELDINROLETABLE: The username field in ROLETABLE.

realm-name {
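As an added illustration (not VisiSecure code), the following Python maps the realm options above onto the role lookup they imply, using an in-memory SQLite database with constructed rows in place of a JDBC driver. It assumes the module resolves a user's roles by joining USERTABLE and ROLETABLE on the username; REALM, ident, role_query, roles_for and sample_db are names belonging to the example.

```python
"""Role lookup against the JDBCLoginModule schema described above.
Added example, not VisiSecure code; SQLite stands in for the JDBC backend."""
import re
import sqlite3

# Constructed realm settings mirroring the option names in the config block.
REALM = {
    "USERTABLE": "users",
    "USERNAMEFIELD": "username",
    "ROLETABLE": "user_roles",
    "ROLENAMEFIELD": "role",
    "USERNAMEFIELDINROLETABLE": "username",
}

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def ident(name):
    """Table and column names come from the realm file, not from the user, but
    they are still spliced into SQL text, so accept only plain identifiers."""
    if not _IDENT.match(name):
        raise ValueError("unsafe identifier in realm config: %r" % name)
    return '"%s"' % name


def role_query(cfg):
    """SQL returning the roles of one user; the username is a bound parameter."""
    return (
        "SELECT r.%s FROM %s u JOIN %s r ON r.%s = u.%s WHERE u.%s = ?"
        % (ident(cfg["ROLENAMEFIELD"]), ident(cfg["USERTABLE"]), ident(cfg["ROLETABLE"]),
           ident(cfg["USERNAMEFIELDINROLETABLE"]), ident(cfg["USERNAMEFIELD"]),
           ident(cfg["USERNAMEFIELD"]))
    )


def roles_for(conn, cfg, username):
    """Sorted, de-duplicated roles of a user; unknown users get an empty list."""
    rows = conn.execute(role_query(cfg), (username,)).fetchall()
    return sorted({r[0] for r in rows})


def sample_db(cfg):
    """Constructed data: the two users from the userdbadmin walkthrough plus roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE %s (%s TEXT PRIMARY KEY)"
                 % (ident(cfg["USERTABLE"]), ident(cfg["USERNAMEFIELD"])))
    conn.execute("CREATE TABLE %s (%s TEXT NOT NULL, %s TEXT NOT NULL)"
                 % (ident(cfg["ROLETABLE"]), ident(cfg["USERNAMEFIELDINROLETABLE"]),
                    ident(cfg["ROLENAMEFIELD"])))
    conn.executemany("INSERT INTO users VALUES (?)", [("krish",), ("bill",)])
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)",
                     [("krish", "accountant"), ("krish", "dba"), ("bill", "clerk")])
    return conn


if __name__ == "__main__":
    db = sample_db(REALM)
    print(role_query(REALM))
    for user in ("krish", "bill", "nobody", "krish' OR '1'='1"):
        print(user, "->", roles_for(db, REALM, user))
```

Two points worth noticing: the username is always a bound parameter, so a quoted login name such as krish' OR '1'='1 is looked up as data and matches nothing; and the table and column names, although they come from the realm file rather than from the user, are checked against a strict identifier pattern before being spliced into SQL, because a writable realm file would otherwise be an injection path into the database.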
com.borland.security.provider.authn.LDAPLoginModule authentication-requirements-flag
INITIALCONTEXTFACTORY=connection-factory-name
PROVIDERURL=database-URL
SEARCHBASE=search-start-point
USERATTRIBUTES=attribute1, attribute2, ...
USERNAMEATTRIBUTE=attribute
QUERY=dynamic-query
};
PROVIDERURL: The URL of the LDAP server, of the form ldap://<servername>:<port>.

USERNAMEATTRIBUTE: The attribute that represents what the user types in as the username. If set to uid, users type their uid when asked for a username. If set to mail, users type their e-mail address when asked for a username. If set to DN, users type their full DN to authenticate themselves.

QUERY: The QUERY option provides a mechanism to query the LDAP directory dynamically for other information and represent the results as attributes. For example, a user can be a member of a set of groups; it is useful to extract this information as the GROUP attribute so that it can be used in rules in the authorization domain. To achieve this, you specify a query. Queries are of the format:

The suffix can be anything that uniquely identifies this entry, and any number of queries can be specified. To insert the user's DN into the query, use {0}; the LDAPLoginModule replaces {0} with the actual DN of the user. For example, to query groups and store the results in the GROUP attribute, you write:

This selects all the groups (entries whose ou attribute has the value groups) whose uniquemember attribute contains the user's DN, and stores the cn of the returned objects as the values of the GROUP attribute for that user. If the attribute name specified is ROLE, the attribute is treated exactly as the JDBCLoginModule treats it, so this mechanism can be used to store user roles in LDAP.

realm-name {
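The {0} substitution above is where a practitioner should look twice: a DN is spliced into a search filter, and a DN can legitimately contain filter metacharacters such as parentheses or asterisks. The following added Python (not VisiSecure code) shows the substitution done with RFC 4515 escaping and evaluates the result against a constructed directory. Because the page does not preserve the exact QUERY syntax, only the filter part is modelled: GROUP_TEMPLATE, GROUPS, render_query and group_attribute, and the minimal filter evaluator, are all the example's own.

```python
"""Rendering an LDAPLoginModule-style group query with the user's DN in {0}.
Added example, not VisiSecure code; the QUERY syntax itself is not modelled."""

# Constructed template: groups (ou=groups) whose uniquemember holds the user's DN.
GROUP_TEMPLATE = "(&(ou=groups)(uniquemember={0}))"

# Constructed directory entries; attribute values are lists, as in LDAP.
GROUPS = [
    {"cn": ["accountant"], "ou": ["groups"],
     "uniquemember": ["uid=krish,ou=people,o=example", "uid=bill,ou=people,o=example"]},
    {"cn": ["dba"], "ou": ["groups"],
     "uniquemember": ["uid=krish,ou=people,o=example"]},
    {"cn": ["clerks (legacy)"], "ou": ["groups"],
     "uniquemember": ["uid=bill,ou=people,o=example"]},
]

# RFC 4515: these characters must appear as \XX inside an assertion value,
# otherwise a DN containing them changes the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_query(template, user_dn):
    """Replace every {0} with the escaped DN, as the login module would."""
    return template.replace("{0}", escape_filter_value(user_dn))


def _parse(s, i):
    """Parse one filter starting at s[i]; supports &, | and equality matches."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, subs), i + 1
    j = s.index("=", i)
    attr, k, val = s[i:j].lower(), j + 1, []
    while s[k] != ")":        # an escaped ')' arrives as \29, so it never ends the value
        if s[k] == "\\":
            val.append(chr(int(s[k + 1:k + 3], 16)))
            k += 3
        else:
            val.append(s[k])
            k += 1
    return ("=", attr, "".join(val)), k + 1


def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(_matches(n, entry) for n in node[1])
    _, attr, val = node
    return val in entry.get(attr, [])


def group_attribute(user_dn, template=GROUP_TEMPLATE, entries=GROUPS):
    """Values the module would store in GROUP: the cn of every matching entry."""
    node, _ = _parse(render_query(template, user_dn), 0)
    return sorted(cn for e in entries if _matches(node, e) for cn in e["cn"])


if __name__ == "__main__":
    print(group_attribute("uid=krish,ou=people,o=example"))   # ['accountant', 'dba']
    # A DN carrying filter metacharacters is neutralised by the escaping.
    print(render_query("(uniquemember={0})", "uid=x)(ou=*"))
    print(group_attribute("uid=x)(ou=*"))                      # []
```

Without the escaping step, the DN uid=x)(ou=* would close the uniquemember assertion early and append an ou=* wildcard, turning the membership check into a match on every group. In VisiSecure's case the DN is the one the directory returned for the authenticated user rather than raw user input, which limits the exposure, but any custom login module that builds filters from usernames or attributes must escape them in exactly this way.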
com.borland.security.provider.authn.HostLoginModule authentication-requirements-flag;
};

The HostLoginModule shipped with VisiSecure for UNIX platforms uses the simple password-database APIs that are uniform across most UNIX platforms, defined in the POSIX standard header file pwd.h. Shadow password APIs are available for deployments that demand stronger security measures. However, the process calling those APIs must run as root, and because they are not part of the POSIX standard, a login module that uses them is less portable.

To write your own custom login module, refer to the 'customlogin' example in the VisiSecure examples folder. You may then incorporate the shadow password APIs, declared in the system header file shadow.h, into your custom login module. Consult your system manual for details on these APIs.

As a first step, create and configure the database that stores users and roles. Micro Focus provides the userdbadmin tool, run from the command line, to auto-create the required tables, create groups, and associate users with groups.

userdbadmin is a command-line tool for creating and managing user databases for the BasicLoginModule. It uses a proprietary schema and can be pointed at any database. With this tool you administer the users who can be authenticated by Basic login modules. Although the tool and the BasicLoginModule work with various JDBC databases, it is recommended that you use JDataStore, which ships with VisiBroker.

To facilitate the use of popular databases, userdbadmin comes pre-configured to recognize database URLs and to select the appropriate drivers. If you do not provide driver information and userdbadmin does not recognize the database, it prompts for this information.
Once it has successfully acquired this information, it writes it to a file called .userdbadmin.config in the directory named by the user.home system property, or to the file specified by the -config command-line option. Subsequent runs of userdbadmin read the config file from the user.home directory or from the file given with -config and recognize the new database configuration, so you do not need to type the driver information every time.

Launch userdbadmin in interactive mode against the created database. Interactive mode lets you issue multiple commands. To do this, enter the command shown below at the command prompt.

In Example 1, you add a user whose name is krish with the password krishpwd and make him a member of the group accountant. In Example 2, you add a user whose name is bill with the password billpwd and make him a member of the group clerk.

To list the existing users in the database together with their groups, enter listusers at the command prompt.

To list all groups and their membership, enter listgroup at the command prompt.

To create new groups and their membership, enter addgroup at the command prompt. You can check the newly added groups by running listgroup; the new groups dba and admin are listed.

You can check newly added group memberships by running listusers; the new memberships are listed.

You can check a removed group by running listusers; the removed group accountant is no longer listed.

You can check a newly added user by running listusers; the new user jack is listed.

To remove a group membership from a user, enter leavegroup at the command prompt. You can check the result by running listusers; the user krish is listed without the removed membership.

To remove a user, enter removeuser at the command prompt. You can check the result by running listusers; the removed user is no longer listed.