auth, authentication
This command controls user authentication. Use it to configure an external authentication service, such as LDAP or Active Directory.
`auth` and `authentication` are the same command and can be used interchangeably.
Overview
By default, SuperSTAR is configured to use the built-in local authentication service (STRLocal). Use the `auth` command to configure SuperADMIN to connect instead to an external authentication service such as LDAP or Active Directory.
There are three steps involved in setting up external authentication:
- Use the `auth` command to add a new authentication service.
- Configure the authentication service.
- Activate the authentication service.
See below for the complete list of available commands, or see these instructions explaining how to configure authentication to an LDAP or Active Directory server.
Usage
Usage | Description |
---|---|
auth providers | Displays details of all the available authentication providers. |
auth add <provider> <service_name> | Creates a new authentication service based on one of the available authentication providers. |
auth services | Displays details of all configured authentication services. |
auth <service_name> | Displays the current configuration settings for the specified authentication service. |
auth <service_name> active {true|false} | Activates (true) or deactivates (false) the specified authentication service. Use this command to activate your authentication service when you have finished configuring it. |
auth <service_name> priority <priority> | Sets the priority for this authentication service. Each configured service has a priority: the service with the highest priority is tried first. If the login to the service fails, the next service is tried, and so on. The built-in STRLocal service has a priority of 100, so you should set your external service to have a priority greater than 100. If you are adding multiple authentication services you can use the priority of each one to control the order in which they will be tried. |
auth <service_name> id <new_service_name> | Changes the name of the specified service to the new specified name. |
auth <service_name> remove | Removes the specified authentication service. |
auth <service_name> adminGroup <group> | Sets the name of the group of users who should have administrator rights in SuperADMIN. If you are using an external authentication provider this will be a group from the external server (only the group name is required; you do not need a full Distinguished Name/DN). |
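
The priority rule above decides which service sees a login first and where a failed login falls through to. The following is an added example, not SuperSTAR code: a small Python model of that rule with a check for external services that do not outrank STRLocal. The service names and accounts are constructed, and it assumes that inactive services are skipped and that equal priorities keep configuration order, neither of which this page specifies.

```python
from dataclasses import dataclass

STRLOCAL_PRIORITY = 100  # priority of the built-in STRLocal service, per this page

@dataclass
class Service:
    name: str
    priority: int
    active: bool
    accounts: dict  # constructed stand-in for the backing directory: user -> password

def login_order(services):
    """Return the active services in the order logins are tried (highest priority first)."""
    # Assumption: inactive services are skipped. sorted() is stable, so services
    # with equal priority keep their configuration order (also an assumption).
    return sorted((s for s in services if s.active), key=lambda s: -s.priority)

def authenticate(services, user, password):
    """Return the name of the first service that accepts the login, else None."""
    for svc in login_order(services):
        if svc.accounts.get(user) == password:
            return svc.name  # a failure falls through to the next service
    return None

def audit(services):
    """Flag external services that are inactive or do not outrank STRLocal."""
    findings = []
    for svc in services:
        if svc.name == "STRLocal":
            continue
        if not svc.active:
            findings.append(f"{svc.name}: configured but not active")
        elif svc.priority <= STRLOCAL_PRIORITY:
            findings.append(f"{svc.name}: priority {svc.priority} is not greater than {STRLOCAL_PRIORITY}")
    return findings

# Constructed sample configuration and accounts (hypothetical names, not real data).
SERVICES = [
    Service("STRLocal", 100, True, {"administrator": "local-pw"}),
    Service("corp_ad", 200, True, {"alice": "ad-pw"}),
    Service("legacy_ldap", 50, True, {"bob": "ldap-pw"}),
    Service("test_ldap", 300, False, {"carol": "x"}),
]

if __name__ == "__main__":
    print([s.name for s in login_order(SERVICES)])
    print(authenticate(SERVICES, "administrator", "local-pw"))
    print(audit(SERVICES))
```

In the sample, the local administrator login is rejected by corp_ad and then accepted by STRLocal, so local accounts remain a working login path after an external service is activated.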
Configuring LDAP, Active Directory and eDirectory
The following commands apply to LDAP, Active Directory, and eDirectory services only.
Usage | Description |
---|---|
auth <service_name> url <url> | Sets the fully qualified domain name of the LDAP, Active Directory or eDirectory server. |
auth <service_name> port <port> | Sets the port to use to connect to the LDAP, Active Directory or eDirectory server. This is only required if the server is using a non-standard port. |
auth <service_name> basedn <base> | Sets the default base location for LDAP searches. This will be used to search for users or groups if they do not have an explicit basedn assigned. |
auth <service_name> group nameattr <attribute> | Sets the name of the attribute in the external authentication service that holds the descriptive name of the group. |
auth <service_name> group idattr <attribute> | Sets the name of the attribute in the external authentication service that holds the unique ID of the group (the standard Active Directory value is cn). |
auth <service_name> group basedn <base> | Sets the default search location when searching for groups. This is optional. If it is not set then it will use the basedn configured for the service. |
auth <service_name> group addbasedn <base> | Adds the specified basedn to the list stored in the group basedn parameter. |
auth <service_name> group removebasedn <base> | Removes the specified basedn from the list stored in the group basedn parameter. |
auth <service_name> group memberAttr <attribute> | Sets the name of the attribute in the external authentication service that indicates which users are members of the group (the standard Active Directory value is |
auth <service_name> group groupClass <class> | Sets the class type that will be used to identify groups within the LDAP repository. |
auth <service_name> group addfilter <group> | Adds the specified group to the group filter. |
auth <service_name> group removefilter <group> | Removes the specified group from the group filter. |
auth <service_name> user nameattr <attribute> | Sets the name of the attribute in the external authentication service that holds the descriptive name of the user. |
auth <service_name> user idattr <attribute> | Sets the name of the attribute in the external authentication service that holds the unique ID of the user (the standard Active Directory value is sAMAccountName). |
auth <service_name> user basedn <base> | Sets the default search location when searching for users. This is optional. If it is not set then it will use the basedn configured for the service. |
auth <service_name> user addbasedn <base> | Adds the specified basedn to the list stored in the user basedn parameter. |
auth <service_name> user removebasedn <base> | Removes the specified basedn from the list stored in the user basedn parameter. |
auth <service_name> user groupAttr <attribute> | Sets the name of the attribute in the external authentication service that indicates which groups the user is a member of (the standard Active Directory value is memberOf). |
auth <service_name> user userClass <class> | Sets the class type that will be used to identify groups within the external repository. |
auth <service_name> contextlogin {true|false} | Enables or disables the use of a search login user, to find an initial context for logins. |
auth <service_name> contextlogin password <password> | Sets the password to use for the context login. This setting only applies when |
auth <service_name> contextlogin userdn <dn> | Sets the DN for the context login. This setting only applies when |
auth <service_name> qualifieduser {true|false} | Specifies whether the name entered when a user is attempting to login is a fully qualified DN or a name that must be matched against the You are recommended to leave this set to |
Configuring ExternalJAASModule
The following commands apply to services using the ExternalJAASModule only.
Usage | Description |
---|---|
auth <service_name> groupprincipalclass <fully_qualified_classname> | Sets the custom JAAS principal that stores the group name. |
auth <service_name> userprincipalclass <fully_qualified_classname> | Sets the custom JAAS principal that stores the user name. |
auth <service_name> loginmoduleclass <fully_qualified_classname> | Sets the custom login class that implements JAAS Login module. |
auth <service_name> pluginImplementationClass <fully_qualified_classname> | Sets the implementation class for the AuthPlugin interface. |
auth <service_name> addparameter <param_name> <value> | Adds a custom parameter. |
auth <service_name> removeparameter <param_name> | Removes the specified custom parameter. |