This command controls user authentication. Use it to configure an external authentication service, such as LDAP or Active Directory.

auth and authentication are the same command and can be used interchangeably.

Overview

By default, SuperSTAR is configured to use the built-in local authentication service (STRLocal). Use the auth command to configure SuperADMIN to connect instead to an external authentication service such as LDAP or Active Directory.

There are three steps involved in setting up external authentication:

  1. Use the auth command to add a new authentication service.
  2. Configure the authentication service.
  3. Activate the authentication service.

See below for the complete list of available commands, or see these instructions explaining how to configure authentication to an LDAP or Active Directory server.

Usage

Usage | Description
auth providers

Displays details of all the available authentication providers.

  • STRLocal is the built-in local authentication service. It is always available, so you can log in to the system regardless of whether any external service is running. It is also what you use to complete the initial configuration.
  • Other available providers include Active Directory, eDirectory, and LDAP.
  • The ExternalJAASModule provider allows you to create your own JAAS (Java Authentication and Authorization Service) module to integrate with other types of external authentication systems. For more information, see the sample code in the etc\samples directory in your installation. This sample code explains how to create a custom authentication module that can be integrated with SuperADMIN.

auth add <provider> <service_name>

Creates a new authentication service based on one of the available authentication providers.

<provider>
The name of the provider. This must exactly match the name of one of the available authentication providers (e.g. LDAP, ActiveDirectory, eDirectory, ExternalJAASModule).
<service_name>
Your chosen name for this authentication service. You will use this name to manage and configure the service in SuperADMIN.
auth services
Displays details of all configured authentication services.
auth <service_name>
Displays the current configuration settings for the specified authentication service.
auth <service_name> active {true|false}
Activates (true) or deactivates (false) the specified authentication service. Use this command to activate your authentication service when you have finished configuring it.
auth <service_name> priority <priority>

Sets the priority for this authentication service.

Each configured service has a priority: the service with the highest priority is tried first. If the login to the service fails, the next service is tried, and so on.

The built-in STRLocal service has a priority of 100, so you should set your external service to have a priority greater than 100. If you are adding multiple authentication services you can use the priority of each one to control the order in which they will be tried.

auth <service_name> id <new_service_name>
Changes the name of the specified service to the new specified name.
auth <service_name> remove
Removes the specified authentication service.
auth <service_name> adminGroup <group>

Sets the name of the group of users who should have administrator rights in SuperADMIN.

If you are using an external authentication provider, this will be a group from the external server (only the group name is required; you do not need a full Distinguished Name/DN).

Configuring LDAP, Active Directory and eDirectory

The following commands apply to LDAP, Active Directory, and eDirectory services only.

Usage | Description
auth <service_name> url <url>
Sets the fully qualified domain name of the LDAP, Active Directory or eDirectory server.
auth <service_name> port <port>
Sets the port to use to connect to the LDAP, Active Directory or eDirectory server. This is only required if the server is using a non-standard port.
auth <service_name> basedn <base>
Sets the default base location for LDAP searches. This will be used to search for users or groups if they do not have an explicit basedn assigned.
auth <service_name> group nameattr <attribute>
Sets the name of the attribute in the external authentication service that holds the descriptive name of the group.
auth <service_name> group idattr <attribute>
Sets the name of the attribute in the external authentication service that holds the unique ID of the group (the standard Active Directory value is cn).
auth <service_name> group basedn <base>
Sets the default search location when searching for groups. This is optional. If it is not set then it will use the basedn configured for the service.
auth <service_name> group addbasedn <base>
Adds the specified basedn to the list stored in the group basedn parameter.
auth <service_name> group removebasedn <base>
Removes the specified basedn from the list stored in the group basedn parameter.
auth <service_name> group memberAttr <attribute>

Sets the name of the attribute in the external authentication service that indicates which users are members of the group (the standard Active Directory value is member).

auth <service_name> group groupClass <class>
Sets the class type that will be used to identify groups within the LDAP repository.
auth <service_name> group addfilter <group>
Adds the specified group to the group filter.
auth <service_name> group removefilter <group>
Removes the specified group from the group filter.
auth <service_name> user nameattr <attribute>
Sets the name of the attribute in the external authentication service that holds the descriptive name of the user.
auth <service_name> user idattr <attribute>
Sets the name of the attribute in the external authentication service that holds the unique ID of the user (the standard Active Directory value is sAMAccountName).
auth <service_name> user basedn <base>
Sets the default search location when searching for users. This is optional. If it is not set then it will use the basedn configured for the service.
auth <service_name> user addbasedn <base>
Adds the specified basedn to the list stored in the user basedn parameter.
auth <service_name> user removebasedn <base>
Removes the specified basedn from the list stored in the user basedn parameter.
auth <service_name> user groupAttr <attribute>
Sets the name of the attribute in the external authentication service that indicates which groups the user is a member of (the standard Active Directory value is memberOf).
auth <service_name> user userClass <class>
Sets the class type that will be used to identify users within the external repository.
auth <service_name> contextlogin {true|false}  
Enables or disables the use of a search login user, to find an initial context for logins.
auth <service_name> contextlogin password <password>

Sets the password to use for the context login. This setting only applies when contextlogin is set to true.

auth <service_name> contextlogin userdn <dn>

Sets the DN for the context login. This setting only applies when contextlogin is set to true.

auth <service_name> qualifieduser {true|false}      

Specifies whether the name a user enters when attempting to log in is a fully qualified DN or a name that must be matched against the idattr set for user accounts.

We recommend leaving this set to false so that users can log in with their normal login credentials rather than the full LDAP DN.
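
The three steps from the Overview (add, configure, activate), worked through for an Active Directory service as an added example; this script is not part of the SuperSTAR documentation or product. It builds the command sequence from the syntax on this page and rejects settings the page advises against. The service name, host, DNs and group are constructed values, and whether the console needs DNs quoted is not stated on this page.

```python
# Added example: builds the SuperADMIN "auth" command sequence for one service.
# Service name, host, DNs and group are constructed sample values.
PROVIDERS = {"LDAP", "ActiveDirectory", "eDirectory", "ExternalJAASModule"}
STRLOCAL_PRIORITY = 100  # priority of the built-in STRLocal service, per this page


def build_auth_commands(cfg):
    """Return the ordered commands: add, configure, then activate last."""
    name, provider = cfg["name"], cfg["provider"]
    if provider not in PROVIDERS:
        raise ValueError(f"unknown provider {provider!r}; names must match exactly")
    if provider == "ExternalJAASModule":
        raise ValueError("this sketch covers the directory providers only")
    if cfg["priority"] <= STRLOCAL_PRIORITY:
        raise ValueError("priority must be greater than 100 (STRLocal's priority)")
    bind_dn = cfg.get("contextlogin_userdn")
    if bool(bind_dn) != bool(cfg.get("contextlogin")):
        raise ValueError("set contextlogin and its userdn together (sketch's rule)")

    cmds = [f"auth add {provider} {name}"]                 # step 1: add
    for key in ("url", "port", "basedn"):                  # step 2: configure
        if key in cfg:                                     # port only if non-standard
            cmds.append(f"auth {name} {key} {cfg[key]}")
    for scope in ("user", "group"):
        for attr, value in cfg.get(scope, {}).items():
            cmds.append(f"auth {name} {scope} {attr} {value}")
    if cfg.get("contextlogin"):
        cmds.append(f"auth {name} contextlogin true")
        cmds.append(f"auth {name} contextlogin userdn {bind_dn}")
        # The secret stays a placeholder so it is never written to a file.
        cmds.append(f"auth {name} contextlogin password <password>")
    cmds.append(f"auth {name} qualifieduser false")
    cmds.append(f"auth {name} adminGroup {cfg['admin_group']}")
    cmds.append(f"auth {name} priority {cfg['priority']}")
    cmds.append(f"auth {name} active true")                # step 3: activate
    return cmds


SAMPLE = {  # constructed values; attribute names are the AD defaults listed above
    "name": "corp_ad", "provider": "ActiveDirectory",
    "url": "dc1.example.com", "basedn": "dc=example,dc=com",
    "user": {"idattr": "sAMAccountName", "groupAttr": "memberOf"},
    "group": {"idattr": "cn", "memberAttr": "member"},
    "contextlogin": True,
    "contextlogin_userdn": "cn=svc_superstar,ou=service,dc=example,dc=com",
    "admin_group": "SuperSTAR-Admins", "priority": 150,
}

if __name__ == "__main__":
    print("\n".join(build_auth_commands(SAMPLE)))
```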

Configuring ExternalJAASModule

The following commands apply to services using the ExternalJAASModule only.

Usage | Description
auth <service_name> groupprincipalclass <fully_qualified_classname>
Sets the custom JAAS principal that stores the group name.
auth <service_name> userprincipalclass <fully_qualified_classname>
Sets the custom JAAS principal that stores the user name.
auth <service_name> loginmoduleclass <fully_qualified_classname>
Sets the custom login class that implements the JAAS LoginModule interface.
auth <service_name> pluginImplementationClass <fully_qualified_classname>
Sets the implementation class for the AuthPlugin interface.
auth <service_name> addparameter <param_name> <value>
Adds a custom parameter.
auth <service_name> removeparameter <param_name>
Removes the specified custom parameter.