An authentication source specifies where (and in some cases how) authentication information is stored. A particular sort of authentication source can support one or more sorts of authentication mechanisms, compatible with the underlying storage of the authentication information; that is, some authentication sources will support only one sort of authentication mechanism, whereas other sources can be able to support additional sorts of authentication mechanisms. For instance, a system password file can only support the PLAIN (plaintext) authentication mechanism. Authentication sources can also support custom configuration options.
Authentication sources are configured via a block of the form
AUTH_SOURCEblock must, however, be used when defining a site specific authentication source, as discussed below in Section 22.214.171.124.
126.96.36.199 Predefined Authentication Sources
The following authentication source names are reserved:
ANONYMOUSThis is used for anonymous access. If you want to specify a username for anonymous users, you can set the
USERoption to the desired user name in the
[AUTH_SOURCE=ANONYMOUS]authentication source definition block; e.g.,
LDAPThe LDAP source is used when authentication verifiers are stored in an LDAPv2 or LDAPv3 or X.500 directory accessed via an LDAPv2 or LDAPv3 server. Currently, the LDAP source only supports the
PLAINmechanism (plaintext passwords) and the
CRAM-MD5mechanism. Note that this authentication source requires setting two options to site-specific values, so in order to use it, you must define it in an
[AUTH_SOURCE=LDAP]section as illustrated below.
[AUTH_SOURCE=LDAP] SERVER=ldap-server-host-name:port BASEDN=distinguished-name
[AUTH_SOURCE=LDAP] SERVER=ldap-server-host-name BASEDN=distinguished-name
portis omitted from the
SERVERoption, then the standard LDAP port (port 389) is assumed. When looking for an authentication verifier in an LDAP directory, PMDF searches for a
uidattribute matching the user name which the user typed and does a bind against the LDAP server with the resulting DN and the user-supplied password. The option
LDAP_VERSIONcontrols whether an LDAPv2 or LDAPv3 query is made. The default, if this option is not specified, is LDAP_VERSION=3, causing PMDF to perform a v3 query, namely perform an anonymous search to translate the user name (
uid) into a DN followed by a v3 simple bind. If querying an LDAPv2 directory, then LDAP_VERSION=2 must be set; this causes PMDF to perform a v2 query (which is less efficient than a v3 query), namely an anonymous bind at the beginning of the session, a search, then a disconnect and reconnect, and then a simple bind.
Sites using this source should make sure for performance reasons that the
uidattribute is indexed on the LDAP server. Also note that this source is not currently suitable for high volume use, as in this implementation each authentication opens a separate connection to the LDAP server. High volume sites should instead use the MSGSTORE authentication source and arrange to keep it synchronized with their LDAP server.
LOGINsource is used to provide the non-standard
LOGINmechanism is similar to
PLAINand offers no additional functionality, but is nevertheless used by some popular clients.) As implemented in PMDF, the
LOGINauthentication source provides the
LOGINmechanism as a shell on top of the
PLAINmechanism from other sources. You must have at least one PLAIN mechanism enabled in order to use the
LOGINauthentication source. For instance:
MSGSTOREThis is the set of user authentication profiles used by the PMDF MessageStore and PMDF popstore. This authentication source currently supports the
PLAINmechanisms. (Note that it always stores the password in a format suitable for use by APOP.) Initial user entries in this authentication source must be generated using PMDF MessageStore or PMDF popstore management utilities; see the PMDF popstore & MessageStore Manager's Guide.
PASSDBInitial user entries in this authentication source must be generated using the
pmdf passwordutility. It currently supports the
POPPROXYThis source is used to authenticate against a POP server. When used with automatic transitioning options, this source can be used to migrate passwords from a POP server to a new source, even if the exact storage of the passwords on the POP server is unknown. Such password transitioning is generally done in conjunction with migration of messages from a POP server to a new message store, such as the PMDF MessageStore, though note that such message migration is an entirely separate process from the password migration. See the discussion of the
pmdf moveinutility in the PMDF popstore & MessageStore Manager's Guide for a discussion of message migration. This source only supports the
PLAINmechanism. In order to use the
POPPROXYsource, you must set the
SERVERoption to tell PMDF the host name of the POP server against which to authenticate, and optionally the port number; if the port number is omitted, then the standard POP port of 110 is assumed. For instance:
SYSTEMThis is the system password file, that is, the SYSUAF file on OpenVMS, or usually
/etc/shadowon UNIX. This authentication source only supports the PLAIN mechanism. Initial user entries in this authentication source must be generated using system utilities. On Tru64 UNIX with C2 security, resetting of login failure counts for system accounts can be enabled by setting
Note that setting the SIA_SES_LAUNCH option incurs a performance penalty.
188.8.131.52 Site Specific Authentication Sources
You can define your own password/authentication source by specifying a
shared image to call. To add an authentication source called
auth-source-name can be an arbitrary alphanumeric
string other than those reserved above, include a block
defining the new authentication source (after all global options) of
the following form. On OpenVMS:
[AUTH_SOURCE=auth-source-name] IMAGE=logical-pointing-to-shared-image FUNCTION=function-entry-point ...
[AUTH_SOURCE=auth-source-name] IMAGE=shared-image-name FUNCTION=function-entry-point ...
[AUTH_SOURCE=auth-source-name] IMAGE=dll-name FUNCTION=function-entry-point ...
IMAGEoption specifies the shared image to use and the
FUNCTIONoption specifies the entry point. Note that on OpenVMS, the
IMAGEvalue must be a system, executive mode logical name translating to the actual shared image; on UNIX, the
IMAGEvalue must be the actual shared image file name; on NT, the
IMAGEvalue must be the name of a dynamic link library (DLL). These options are mandatory for site defined authentication sources. Additional configuration options specific to that authentication source can also be included.
The PMDF authentication services API can be used to add authentication sources; contact Process Software for details.