Directory Backend (Deprecated)
The UM server can make use of a variety of backend Directory servers or mechanisms, as controlled by the Nirvana.directory.provider system property, which specifies the pluggable Java class representing the Directory.
Usernames are case-sensitive and are used, in exactly the form supplied, for the Directory lookup. This is the authentication step; it is followed by an authorization step in which the username is normalized to lower case to match against Nirvana ACLs. Nirvana ACLs are case-insensitive but are expressed in lower case, and any ACLs created via the Enterprise Manager are forced to lower case.
Internal User Repository
If the Nirvana.directory.provider system property is set to com.pcbsys.foundation.security.auth.fSAGInternalUserRepositoryAdapter, then usernames will be looked up in a standard Software AG store called the 'Internal User Repository', which is a flat file maintained by the SAG command-line utility internaluserrepo.bat (Windows platforms) or internaluserrepo.sh (UNIX platforms), located in <InstallDir>/common/bin.
This mechanism is the default user repository if the Nirvana.directory.provider property is not set.
The location of the file containing the user repository is given by the system property Nirvana.auth.sagrepo.path, which defaults to ./users.txt (relative to the runtime directory of the UM server), but the Server_Common.conf file shipped with UM overrides this as ../users.txt, locating it in the same <InstallDir>/UniversalMessaging/server/<InstanceName> directory as the licence.xml file. The Server_Common.conf file may of course be edited as usual to move the users.txt file into a location that is shared by all the realms of an installed UM instance.
For related information in this respect, see Server JAAS Authentication with Software AG Security Infrastructure.
LDAP
If the Nirvana.directory.provider system property is set to com.pcbsys.foundation.security.auth.fLDAPAdapter, then LDAP will be used as the source of user information.
Interaction with the LDAP server is configured via the following Java system properties:
- Nirvana.ldap.provider: The LDAP client class. Defaults to the JDK's built-in provider, com.sun.jndi.ldap.LdapCtxFactory.
- Nirvana.ldap.url: The address of the LDAP server. This has no default and must be specified, using syntax such as ldap://localhost:389/dc=sag,dc=com
- Nirvana.ldap.suffix: The suffix to apply to LDAP queries. This has no default and may be null, but if non-null it qualifies the URL above. For example, Nirvana.ldap.url=ldap://localhost:389/dc=sag together with Nirvana.ldap.suffix=dc=com gives the same effective query root as Nirvana.ldap.url=ldap://localhost:389/dc=sag,dc=com with the Nirvana.ldap.suffix property not set.
- Nirvana.ldap.rootcreds: The privileged-admin login credentials used to bind to the LDAP server in order to perform user queries. There is no default; if the property is not set, no such credentials are supplied to the LDAP server. If it is set, the format must be username:password.
The remaining system properties relate to the LDAP schema and default to the standard COSINE schema:
- Nirvana.ldap.attribute.username: This specifies the LDAP attribute which represents the username, and defaults to the standard schema convention of "cn".
- Nirvana.ldap.attribute.password: This specifies the LDAP attribute which represents the password, and defaults to the standard schema convention of "userPassword".
- Nirvana.ldap.search.username: This specifies the search expression to use for a given username, and defaults to cn=%U%, where %U% gets substituted by the username.
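The following is an added example, not code from the Universal Messaging product, that models how the properties documented above fit together: selecting the backend from Nirvana.directory.provider (falling back to the Internal User Repository when unset), combining Nirvana.ldap.url with Nirvana.ldap.suffix into one effective query root, parsing Nirvana.ldap.rootcreds, substituting %U% into Nirvana.ldap.search.username, and lower-casing the authenticated name for ACL matching as described at the top of the page. It is written in Python as a stand-alone model rather than against the server's Java classes. Two points are assumptions rather than documented behaviour: the handling of a URL that carries no base DN at all, and the escaping of LDAP filter metacharacters in the substituted username, which is added here as the defensive measure a practitioner would expect whether or not the adapter performs it itself. The property values are constructed for the demonstration.

```python
from urllib.parse import urlparse

INTERNAL_REPO = "com.pcbsys.foundation.security.auth.fSAGInternalUserRepositoryAdapter"
LDAP_ADAPTER = "com.pcbsys.foundation.security.auth.fLDAPAdapter"

# Constructed sample: property keys as documented on the page, values made up.
# Nirvana.ldap.rootcreds is deliberately absent, so no privileged bind is used.
SAMPLE_PROPS = {
    "Nirvana.directory.provider": LDAP_ADAPTER,
    "Nirvana.ldap.url": "ldap://localhost:389/dc=sag",
    "Nirvana.ldap.suffix": "dc=com",
    "Nirvana.ldap.attribute.username": "cn",
    "Nirvana.ldap.attribute.password": "userPassword",
    "Nirvana.ldap.search.username": "cn=%U%",
}

# RFC 4515 escapes for the characters that change the meaning of a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def effective_query_root(props):
    """Combine Nirvana.ldap.url with the optional Nirvana.ldap.suffix.

    ldap://host:389/dc=sag + dc=com  ->  ldap://host:389/dc=sag,dc=com
    """
    url = props.get("Nirvana.ldap.url")
    if not url:
        raise ValueError("Nirvana.ldap.url has no default and must be set")
    suffix = props.get("Nirvana.ldap.suffix")
    if not suffix:
        return url
    base_dn = urlparse(url).path.lstrip("/")
    if base_dn:
        return url + "," + suffix
    # Assumption: with no base DN in the URL the suffix becomes the base DN.
    return url.rstrip("/") + "/" + suffix


def root_credentials(props):
    """Return (user, password) from Nirvana.ldap.rootcreds, or None if unset.

    Splits on the first ':' only, so a password containing ':' survives.
    """
    raw = props.get("Nirvana.ldap.rootcreds")
    if raw is None:
        return None
    if ":" not in raw:
        raise ValueError("Nirvana.ldap.rootcreds must be username:password")
    user, _, password = raw.partition(":")
    return user, password


def escape_filter_value(value):
    """Escape a value before it is placed inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def search_filter(props, username):
    """Substitute the (escaped) username for %U% in Nirvana.ldap.search.username.

    The username is used exactly as supplied: the lookup is case-sensitive.
    """
    template = props.get("Nirvana.ldap.search.username", "cn=%U%")
    return template.replace("%U%", escape_filter_value(username))


def acl_principal(username):
    """Name used for the authorization step: ACLs are matched in lower case."""
    return username.lower()


def directory_backend(props):
    """Resolve which backend Nirvana.directory.provider selects and its source.

    Returns ("internal", <repository path>) or ("ldap", <effective query root>).
    """
    provider = props.get("Nirvana.directory.provider", INTERNAL_REPO)
    if provider == INTERNAL_REPO:
        return "internal", props.get("Nirvana.auth.sagrepo.path", "./users.txt")
    if provider == LDAP_ADAPTER:
        return "ldap", effective_query_root(props)
    raise ValueError(f"unknown directory provider: {provider}")


if __name__ == "__main__":
    kind, source = directory_backend(SAMPLE_PROPS)
    print(kind, source)
    print(search_filter(SAMPLE_PROPS, "Alice"), "->", acl_principal("Alice"))
    print(root_credentials(SAMPLE_PROPS))
```

Running the block with the sample properties selects the LDAP backend with the effective root ldap://localhost:389/dc=sag,dc=com, a filter of cn=Alice for the authentication lookup, and the principal alice for ACL matching; with Nirvana.directory.provider removed it falls back to the Internal User Repository at ./users.txt.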