Define Authentication domain elements

If you use an external LDAP directory for user management, you must create an Authentication Domain.

After the Authentication Domain is associated with the external server, the Management Server contacts the LDAP directory server or Active Directory Server. You can then view users and user groups through the SMC Client if SMC is allowed to browse the directory.

Note: If you use the Management Server's internal user database, the users and user groups are always stored and managed in the default InternalDomain Authentication Domain.

You can select one Authentication Domain as the global Default Authentication Domain. You can also specify a default Authentication Domain for each Security Engine in the Engine Editor; that per-engine setting takes precedence over the global default. Selecting a default Authentication Domain allows users belonging to that Authentication Domain to authenticate without specifying Authentication Domain information. Users in other Authentication Domains must specify their Authentication Domain whenever they authenticate.

If you use administrative Domains, create a separate Authentication Domain in each administrative Domain to create user accounts that are specific to each Domain. You can also use Authentication Domains in different administrative Domains to point to different parts of the directory hierarchy in the same LDAP directory. The internal LDAP directory is always in the Shared Domain, which makes its contents visible in all administrative Domains. You can select one Default Authentication Domain in each administrative Domain. You can also select an Authentication Domain in the Shared Domain as the Default Authentication Domain for all administrative Domains.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select User Authentication.
  2. Right-click Users and select New Authentication Domain.
  3. In the Name field, enter a name for the Authentication Domain.
  4. Click Select to define the default authentication method for all accounts in this Authentication Domain.
  5. Select the Set as Default for User Authentication on All Security Engines checkbox if this Authentication Domain is to be used as the default Authentication Domain to search for the user information.
    Note: If the Authentication Domain you are creating is not the default Authentication Domain, users must type in the domain name when they authenticate.
    Only one Authentication Domain can be the global default. The previous default Authentication Domain is automatically deselected.
  6. Specify additional name aliases for the Authentication Domain to allow users to log in with alternate domain names.
  7. Configure the external directory server usage:
    Important: These checkboxes can only be edited during the creation of an Authentication domain. Once saved, you cannot modify these checkboxes.
    • Select both the SMC – Browse Users and Groups checkbox and the Engine – Resolve Users and Groups checkbox to allow both the SMC and Engine to query the selected external servers for browsing users and user groups.
    • Select only the SMC – Browse Users and Groups checkbox to only allow SMC to query the selected external servers for browsing users and user groups.
    • Select only the Engine – Resolve Users and Groups checkbox to only allow the engine to query the selected external servers for users and user groups.
  8. Select a server, then click Add to bind the external server to the Authentication Domain.
    Note: If both the SMC – Browse Users and Groups checkbox and the Engine – Resolve Users and Groups checkbox are unselected, the Select Servers section is disabled, and you cannot select an external directory server to bind to the Authentication domain.
  9. Click OK.
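The following is an added illustration written for this page, not code from SMC: it models the login-name rules described in steps 5 and 6 and in the Authentication Domain Properties dialog box (one global default, a per-engine default that overrides it, Additional Username Suffix aliases, and fallback to the default domain when the suffix of a login name matches no domain), plus the rule that servers can only be bound when at least one External Directory Server Usage checkbox is selected. The `user@suffix` login format, the domain names, engine names and server names are all assumptions made for the example.

```python
"""Resolve a login name to an Authentication Domain.

Added illustration for this topic; not SMC product code. The
'user@suffix' login format and every name below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthDomain:
    name: str
    aliases: Tuple[str, ...] = ()   # Additional Username Suffix entries
    smc_browse: bool = False        # "SMC - Browse Users and Groups"
    engine_resolve: bool = False    # "Engine - Resolve Users and Groups"
    servers: Tuple[str, ...] = ()   # external directory servers bound to it

    def matches(self, suffix: str) -> bool:
        """True if suffix is this domain's name or one of its aliases."""
        s = suffix.lower()
        return s == self.name.lower() or s in (a.lower() for a in self.aliases)


def validate_domain(d: AuthDomain) -> List[str]:
    """Return configuration problems, mirroring the dialog's own rules."""
    problems = []
    if not (d.smc_browse or d.engine_resolve) and d.servers:
        problems.append("servers bound, but neither usage checkbox is selected "
                        "(Select Servers would be disabled in the dialog)")
    if d.name.lower() in (a.lower() for a in d.aliases):
        problems.append("alias duplicates the domain name")
    return problems


class DomainResolver:
    def __init__(self, domains: List[AuthDomain], global_default: str,
                 engine_defaults: Optional[Dict[str, str]] = None) -> None:
        self.domains: Dict[str, AuthDomain] = {d.name: d for d in domains}
        if global_default not in self.domains:
            raise ValueError("default domain must be one of the defined domains")
        # Only one domain is the global default; setting a new one replaces the old.
        self.global_default = global_default
        # Per-engine override (Engine Editor, Advanced > Authentication).
        self.engine_defaults = dict(engine_defaults or {})
        for eng, name in self.engine_defaults.items():
            if name not in self.domains:
                raise ValueError(f"engine {eng}: unknown default domain {name}")

    def default_for(self, engine: str) -> Tuple[str, str]:
        """Default domain for an engine, and where that default came from."""
        if engine in self.engine_defaults:
            return self.engine_defaults[engine], "engine-default"
        return self.global_default, "global-default"

    def resolve(self, login: str, engine: str) -> Tuple[str, str, str]:
        """Map a login name to (user, domain name, how the domain was chosen)."""
        if "@" not in login:
            # No suffix: the user is looked up in the default domain.
            domain, how = self.default_for(engine)
            return login, domain, how
        user, suffix = login.rsplit("@", 1)
        for d in self.domains.values():
            if d.matches(suffix):
                return user, d.name, "explicit"
        # Unknown suffix: the default domain is used (note under Additional
        # Username Suffix). Assumption: the unknown suffix is dropped.
        domain, how = self.default_for(engine)
        return user, domain, "fallback:" + how


def demo() -> DomainResolver:
    """Constructed sample configuration; not taken from any real deployment."""
    corp = AuthDomain("corp.example", aliases=("corp", "corp.local"),
                      smc_browse=True, engine_resolve=True, servers=("ad-dc1",))
    partner = AuthDomain("partner.example", engine_resolve=True,
                         servers=("ldap-partner",))
    internal = AuthDomain("InternalDomain")  # built-in internal user database
    return DomainResolver([corp, partner, internal], global_default="corp.example",
                          engine_defaults={"fw-partner-dmz": "partner.example"})


if __name__ == "__main__":
    r = demo()
    for login, engine in [("alice", "fw-core"), ("alice", "fw-partner-dmz"),
                          ("bob@CORP", "fw-core"), ("carol@unknown.example", "fw-core")]:
        print(login, engine, "->", r.resolve(login, engine))
```

Running the block shows that the same bare login name lands in different domains depending on which engine the user authenticates through, which is the practical consequence of the per-engine default described above; it is worth checking before relying on bare usernames in access rules that span several engines.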

Authentication Domain Properties dialog box

Use this dialog box to configure Authentication Domain elements.

Option Definition
General tab
Name Specifies the name of the Authentication Domain.
Authentication Method Click Select to define the default authentication method for all accounts in this Authentication Domain.
Note: If you use the Integrated User ID Service for user identification, the supported authentication methods for the Authentication Domain are user password or LDAP authentication.
Set as Default for User Authentication on All Security Engines When selected, it specifies that the Authentication Domain is to be used as the default Domain to search for the user information.
Note: The Default Authentication Domain setting in the Advanced > Authentication settings can override this setting for individual Security Engines.
Additional Username Suffix
Specify additional name aliases for the domain to allow users to log in with alternative domain names without changing the actual account.
  • Click Add to add an additional name alias for the domain.
  • Click Remove to remove the selected additional name aliases.
Note: If the domain cannot be found from the domain part of the login name, the default domain is used.
External Directory Server Usage
You can select one or both from the following options:
  • SMC – Browse Users and Groups: When only this checkbox is selected, only SMC can query the selected external servers for browsing users and user groups.
    Note: If only the Long UserID is configured for the LDAP or AD server, SMC displays only the users that have the Long User ID attribute defined.
  • Engine – Resolve Users and Groups: When only this checkbox is selected, only Engine can query the selected external servers for users and user groups.
Important:
  • To allow both SMC and Engine to be able to query the selected external servers, select both the checkboxes.
  • If both these checkboxes are unselected, the Select Servers section is disabled.
  • These checkboxes can only be edited during the creation of an Authentication domain. Once saved, you cannot modify these checkboxes.
  • Uncheck the SMC – Browse Users and Groups checkbox and select the Engine – Resolve Users and Groups checkbox to create your own users or user groups and use them in access policy rules for authentication when SMC is not able to communicate with the external LDAP or AD server. For more details, refer to the Defining LDAP users and groups without browsing an LDAP Server topic.
Select Servers Shows the available servers that can be selected for this Authentication Domain.
Add Adds the selected servers to the Selected Servers list.
Remove Removes the selected servers from the Selected Servers list.
Selected Servers Shows the servers that are selected for this Authentication Domain.
Up Moves the server up the list.
Down Moves the server down the list.
Category Shows the assigned category.
Select Opens the Category Selection dialog box.
Comment An optional comment for your own reference.