Security settings
Access to the Federated Directory Server console is controlled by a set of properties that specify the security settings.
You must specify the security settings in the solution.properties file in the IBM® Security Verify Directory Integrator solution directory. These properties control the access to all of IBM® Security Verify Directory Integrator web applications, such as the Dashboard, REST API, and Federated Directory Server console.
Local and remote users are distinguished by the client IP address in the incoming access request:
- If the IP address belongs to one of the network cards on the system where IBM® Security Verify Directory Integrator is running, it is considered a localhost user.
- All other IP addresses are considered remote users.
Access permission for localhost users is built in with the following credentials:
- User name: admin
- Password: admin
To specify access control and permissions, you can set or modify the following authentication properties:
dashboard.auth=true
Indicates whether users are required to authenticate. Valid values are true if users are required to authenticate or false if no authentication is required.
dashboard.auth.localhost
Indicates the type of authentication that connections from the localhost must use.
Valid values are:
- properties specifies that property-based authentication must be used.
- none specifies that authentication is not required.
- deny specifies that all connections from localhost are denied.
- ldap specifies that authentication is done by logging in to an LDAP server and optionally validating group membership.
dashboard.auth.remote
Indicates the type of authentication that remote connections must use.
Valid values are:
- properties specifies that property-based authentication must be used.
- none specifies that authentication is not required.
- deny specifies that all remote connections are denied access, that is, all connections that are not from the localhost are denied access.
- ldap specifies that authentication is done by logging in to an LDAP server and optionally validating group membership.
{protect}-dashboard.auth.user.username=password
Specifies the user credentials for remote access.
The default user name is admin with password admin:
{protect}-dashboard.auth.user.admin=admin
To specify multiple Federated Directory Server user login accounts, see the following example:
{protect}-dashboard.auth.user.admin=admin
{protect}-dashboard.auth.user.user1=user1passwd
{protect}-dashboard.auth.user.user2=user2passwd
dashboard.auth.ldap.url
Specifies the LDAP server address to use for authenticating the user. This property is used only if you specified ldap as the authentication mechanism.
Enter the LDAP host name, port number, and optionally a search base in the following format:
ldap://host:port[/search-base]
For example:
ldap://localhost:10389/ou=system
If the user provides an email address in the user name input field, IBM® Security Verify Directory Integrator first searches for a unique entry in the LDAP server from which it extracts the distinguished name (DN). Otherwise, it is expected that the value that is provided is acceptable to the LDAP server. After IBM® Security Verify Directory Integrator obtains a DN for the user name and the password from the user, it does an LDAP basic authentication with the DN and password.
dashboard.auth.ldap.url.group
Specifies the LDAP server address to use for verifying group membership of the user after authentication. This property is used only if you specified ldap as the authentication mechanism.
Enter the LDAP host name, port number, and optionally a search base in the following format:
ldap://host:port[/search-base]
For example:
ldap://localhost:389/cn=group1,ou=groups,ou=system
If you specify this property, an additional authentication step is done after a user's credentials are authenticated against the LDAP repository. It checks that the authenticated user is also a member of the specified group before access is permitted.
You can also configure these properties in the IBM® Security Verify Directory Integrator Dashboard graphical user interface. In the Dashboard window, click Actions > Show Server Details > Security and Connection. For more information, see the IBM® Security Verify Directory Integrator documentation and search for configuring Dashboard security settings.
dashboard.auth.max.age
Defines the maximum duration of an authenticated session in seconds. The default value is 1800 seconds. This parameter can only be configured via the properties file and is not accessible through the Dashboard graphical user interface.
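As an added example (not IBM's code), the following script parses a constructed solution.properties fragment that uses the keys documented above and flags the weak settings this page warns about: authentication switched off, a scope set to none, an ldap mode without a well-formed dashboard.auth.ldap.url, a {protect}-dashboard.auth.user entry whose password equals the user name (the shipped admin/admin default), and a session age above the documented 1800-second default, which is used here as an assumed upper bound.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample fragment: the keys are the ones documented above, the values are made up.
SAMPLE_PROPERTIES = """\
dashboard.auth=true
dashboard.auth.localhost=none
dashboard.auth.remote=ldap
{protect}-dashboard.auth.user.admin=admin
{protect}-dashboard.auth.user.user1=user1passwd
dashboard.auth.ldap.url=ldap://localhost:10389/ou=system
dashboard.auth.max.age=86400
"""
USER_PREFIX = "{protect}-dashboard.auth.user."

def parse_properties(text):
    """Parse key=value lines of a Java-style properties file into a dict."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_ldap_url(url):
    """Split ldap://host:port[/search-base] into (host, port, search base)."""
    parts = urlsplit(url)
    if parts.scheme != "ldap" or not parts.hostname:
        raise ValueError("expected ldap://host:port[/search-base], got %r" % url)
    return parts.hostname, parts.port, unquote(parts.path[1:]) or None

def audit(props, max_age_limit=1800):
    """Return findings for the weak settings described above; an empty list is clean."""
    findings = []
    if props.get("dashboard.auth", "").lower() == "false":
        findings.append("dashboard.auth=false: no authentication on any web application")
    for scope in ("localhost", "remote"):
        mode = props.get("dashboard.auth." + scope)
        if mode == "none":
            findings.append(f"dashboard.auth.{scope}=none: {scope} connections need no credentials")
        elif mode == "ldap":
            try:
                parse_ldap_url(props.get("dashboard.auth.ldap.url", ""))
            except ValueError as err:
                findings.append(f"dashboard.auth.{scope}=ldap but {err}")
    for key, password in props.items():
        if key.startswith(USER_PREFIX) and password == key[len(USER_PREFIX):]:
            findings.append(f"{key}: password equals user name (admin/admin is the shipped default)")
    if int(props.get("dashboard.auth.max.age", max_age_limit)) > max_age_limit:  # assumed threshold
        findings.append(f"dashboard.auth.max.age exceeds {max_age_limit} s")
    return findings
```

Running audit(parse_properties(SAMPLE_PROPERTIES)) on the sample reports the localhost=none scope, the admin/admin account and the 86400-second session age, and accepts the user1 account and the LDAP URL.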