Configuring username and password authentication

The user name and password authentication mechanism authenticates users with their user name and password credentials that are stored in the Verify Identity Access user repository.

Before you begin

This authentication mechanism uses the user registry that is configured as part of the runtime component settings. Ensure that you configured this registry before you use the mechanism. See Managing the runtime component.

Procedure

  1. Log in to the local management interface.
  2. Click AAC.
  3. Under Policy, click Authentication.
  4. Click Mechanisms.
  5. Click Username Password.
  6. Click Modify.
  7. Click the Properties tab.
    1. Select a property that you want to configure.
    2. Click Modify.
    3. Enter the value for that property.
    4. Click OK.
  8. Take note of the properties for the mechanism.
    LDAP Bind DN
    An LDAP account with sufficient rights to update the user registry entries. For example: cn=SecurityMaster,secAuthority=Default

    One method for creating such an account is the pdadmin user create command. For example (the -no-password-policy option exempts this service account from the password policy; the parenthesized list is the groups the account joins):

    user create -no-password-policy testapi cn=testapi,secAuthority=Default testapi api passw0rd (SecurityGroup ivacld-servers remote-acl-users)

    Data type: String

    LDAP Bind Password
    The LDAP bind password.

    Data type: String

    LDAP Host Name
    The host name of the LDAP server.

    Data type: String

    LDAP Port
    The port number of the LDAP server.

    Data type: String

    Default: 389

    Management Domain
    The Verify Identity Access Management Domain name. This name is used to determine the location of subdomains in the registry. Subdomains are located relative to the Management Domain LDAP location.

    Data type: String

    Default: Default.

    SSL Enabled
    Set this option to true to enable SSL for the connection to the LDAP server.

    Data type: Boolean

    Default: False.

    SSL Trust Store
    The keystore that contains the trusted CA signers for the LDAP server certificate.

    Specify an SSL trust store if you use one of the following LDAP registry scenarios for user name and password authentication:

    • You configure one primary LDAP registry which uses SSL.
    • You configure federated directories, where at least one of the directories uses SSL. In this scenario, the Use Federated Directories Configuration property must be set to true.

    The trust store you specify must be configured to work with any and all of the LDAP registries that use SSL.

    Data type: String

    Use Federated Directories Configuration
    Set this option to true to use the configured federated directories when authenticating a user name and password.

    If you specify true:

    • The LDAP Host Name and LDAP Port properties must define a Verify Identity Access user registry. This is typically the user registry of the runtime component.
    • The users in any of the additional federated directories you configure must exist in the user registry of the runtime component. Therefore, import these users, if necessary.

    Data type: Boolean

    Default: false.

    User Search Filter
    An LDAP search filter that selects any native user entry.

    Data type: String

    Default: (|(objectclass=ePerson)(objectclass=Person)).

    Maximum Server Connections
    The maximum number of connections that can exist to the LDAP server. Valid values are 2 through 4096.

    Data type: Integer

    Default: 16.

    Login Failures Persistent
    Login failures are used with the three-strikes policy. If you set this option to false, each process that uses this API stores the number of login failures in memory. If you use multiple appliances in a cluster, the number of login failures that is needed to trigger a strike-out might therefore vary, because each process keeps its own count.

    If you set this option to true, the strike count is stored in LDAP and shared across all servers. An accurate count can be kept in a multiserver environment.

    Data type: Boolean

    Default: False.

    Last successful login
    If this property is enabled, upon a successful authentication using a password, the last successful login attribute associated with the user is updated. By default this attribute is part of the secEntity (for full IVIA users). It can be set to a custom attribute. See Authentication service properties.

    Data type: Boolean

    Default: False.

  9. Click the Attributes tab.
  10. Complete any of the following tasks.
    Add attribute
    Add an attribute. Complete the Registry Attribute, Context Name, and Context Namespace fields for the attribute.
    Modify attribute
    Modify an attribute. Modify the Registry Attribute, Context Name, and Context Namespace fields for the attribute.
    Delete attribute
    Delete an attribute. Select an attribute and click Delete.
    By default, this mechanism uses the following attributes. These registry attributes are retrieved from the user account in the user registry and are stored in the Session context with the context name and namespace shown.

    Registry Attribute   Context Name   Context Namespace
    mail                 emailAddress   urn:ibm:security:authentication:asf:mechanism:password
    mobile               mobileNumber   urn:ibm:security:authentication:asf:mechanism:password
  11. Click Save.
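The properties above carry several constraints that the LMI does not cross-check for you (a trust store when SSL is enabled, the 2 through 4096 connection range, a well-formed search filter, persistent strike counts on a cluster). The following added example, which is not IBM code and only models the property names this page lists, validates a candidate property set before you save it; the cluster_members field is an assumption used to flag the per-process strike count.

```python
# Added example (not IBM's code): sanity-check a Username Password mechanism
# property set before saving it in the LMI. Property names follow the page;
# the rules below are derived from the constraints the page states.
from dataclasses import dataclass

@dataclass
class UsernamePasswordProps:
    ldap_bind_dn: str = ""
    ldap_bind_password: str = ""
    ldap_host_name: str = ""
    ldap_port: int = 389
    management_domain: str = "Default"
    ssl_enabled: bool = False
    ssl_trust_store: str = ""
    use_federated_directories: bool = False
    user_search_filter: str = "(|(objectclass=ePerson)(objectclass=Person))"
    max_server_connections: int = 16
    login_failures_persistent: bool = False
    cluster_members: int = 1  # assumed: appliances sharing this configuration

def filter_is_well_formed(f):
    """Cheap structural check: parentheses balanced and the filter starts with '('."""
    depth = 0
    for ch in f:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and f.startswith("(")

def validate(p):
    """Return a list of problems; an empty list means the property set is consistent."""
    problems = []
    if not (p.ldap_bind_dn and p.ldap_bind_password and p.ldap_host_name):
        problems.append("LDAP Bind DN, LDAP Bind Password and LDAP Host Name are required")
    if not 1 <= p.ldap_port <= 65535:
        problems.append("LDAP Port must be between 1 and 65535")
    if p.ssl_enabled and not p.ssl_trust_store:
        problems.append("SSL Enabled is true but no SSL Trust Store is set")
    if not p.ssl_enabled:
        problems.append("warning: SSL disabled, bind and user passwords cross the network in clear text")
    if not filter_is_well_formed(p.user_search_filter):
        problems.append("User Search Filter is not a well-formed LDAP filter")
    if not 2 <= p.max_server_connections <= 4096:
        problems.append("Maximum Server Connections must be 2 through 4096")
    if p.cluster_members > 1 and not p.login_failures_persistent:
        problems.append("warning: clustered appliances but Login Failures Persistent is false, strike counts are per process")
    return problems
```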

What to do next

When you configure the mechanism, a message indicates that changes are not deployed. Deploy changes when you are finished. For more information, see Deploying pending changes.