An authentication source specifies where (and in some cases how) authentication information is stored. A particular sort of authentication source may support one or more sorts of authentication mechanisms, compatible with the underlying storage of the authentication information; that is, some authentication sources will support only one sort of authentication mechanism, whereas other sources may be able to support additional sorts of authentication mechanisms. For instance, a system password file can only support the PLAIN (plaintext) authentication mechanism. Authentication sources may also support custom configuration options.
Authentication sources are configured via a block of the form
[AUTH_SOURCE=auth-source-name] ...in the security configuration file. It is not necessary to include an AUTH_SOURCE block for predefined authentication sources, unless setting special options for that source or unless the source is one such as LDAP which has special required options. An AUTH_SOURCE block must, however, be used when defining a site specific authentication source, as discussed below in Section 14.2.3.2 .
14.2.3.1 Predefined authentication sources
The following authentication source names are reserved:
ANONYMOUS
This is used for anonymous access. If you want to specify a username for anonymous users, you may set the USER option to the desired user name in the [AUTH_SOURCE=ANONYMOUS] authentication source definition block; e.g.,[AUTH_SOURCE=ANONYMOUS] USER=usernameMSGSTORE
This is the set of user authentication profiles used by the PMDF MessageStore and PMDF popstore. This authentication source currently supports the CRAM-MD5, DIGEST-MD5, APOP and PLAIN mechanisms. (Note that it always stores the password in a format suitable for use by APOP.) Initial user entries in this authentication source must be generated using PMDF MessageStore or PMDF popstore management utilities; see the PMDF popstore & MessageStore Manager's Guide .LDAP
The LDAP source is used when authentication verifiers are stored in an LDAPv2 or LDAPv3 or X.500 directory accessed via an LDAPv2 or LDAPv3 server. Currently, the LDAP source only supports the PLAIN mechanism (plaintext passwords) and the CRAM-MD5 mechanism. Note that this authentication source requires setting two options to site-specific values, so in order to use it, you must define it in an [AUTH_SOURCE=LDAP] section as illustrated below.[AUTH_SOURCE=LDAP] SERVER=ldap-server-host-name:port BASEDN=distinguished-nameor[AUTH_SOURCE=LDAP] SERVER=ldap-server-host-name BASEDN=distinguished-nameIf theportis omitted from the SERVER option, then the standard LDAP port (port 389) is assumed. When looking for an authentication verifier in an LDAP directory, PMDF searches for auidattribute matching the user name which the user typed and does a bind against the LDAP server with the resulting DN and the user-supplied password. The option LDAP_VERSION controls whether an LDAPv2 or LDAPv3 query is made. The default, if this option is not specified, is LDAP_VERSION=3, causing PMDF to perform a v3 query, namely perform an anonymous search to translate the user name (uid) into a DN followed by a v3 simple bind. If querying an LDAPv2 directory, then LDAP_VERSION=2 must be set; this causes PMDF to perform a v2 query (which is less efficient than a v3 query), namely an anonymous bind at the beginning of the session, a search, then a disconnect and reconnect, and then a simple bind.Sites using this source should make sure for performance reasons that the
uidattribute is indexed on the LDAP server. Also note that this source is not currently suitable for high volume use, as in this implementation each authentication opens a separate connection to the LDAP server. High volume sites should instead use the MSGSTORE authentication source and arrange to keep it synchronized with their LDAP server.LOGIN
The LOGIN source is used to provide the non-standard LOGIN mechanism. (The LOGIN mechanism is similar to PLAIN and offers no additional functionality, but is nevertheless used by some popular clients.) As implemented in PMDF, the LOGIN authentication source provides the LOGIN mechanism as a shell on top of the PLAIN mechanism from other sources. You must have at least one PLAIN mechanism enabled in order to use the LOGIN authentication source. For instance:ENABLE=SYSTEM/*,LOGIN/*or equivalently:ENABLE=SYSTEM/PLAIN,LOGIN/LOGINPASSDB
Initial user entries in this authentication source must be generated using the PMDF PASSWORD (OpenVMS) orpmdf password(UNIX and NT) utility. It currently supports the CRAM-MD5, DIGEST-MD5, APOP and PLAIN mechanisms.POPPROXY
This source is used to authenticate against a POP server. When used with automatic transitioning options, this source may be used to migrate passwords from a POP server to a new source, even if the exact storage of the passwords on the POP server is unknown. Such password transitioning is generally done in conjunction with migration of messages from a POP server to a new message store, such as the PMDF MessageStore, though note that such message migration is an entirely separate process from the password migration. See the discussion of the PMDF MOVEIN (OpenVMS) orpmdf movein(UNIX or NT) utility in the PMDF popstore & MessageStore Manager's Guide for a discussion of message migration. This source only supports the PLAIN mechanism. In order to use the POPPROXY source, you must set the SERVER option to tell PMDF the host name of the POP server against which to authenticate, and optionally the port number; if the port number is omitted, then the standard POP port of 110 is assumed. For instance:[AUTH_SOURCE=POPPROXY] SERVER=pop.acme.com:110or[AUTH_SOURCE=POPPROXY] SERVER=pop.acme.comSYSTEM
This is the system password file, that is, the SYSUAF file on OpenVMS, or usually/etc/passwdor/etc/shadowon UNIX. This authentication source only supports the PLAIN mechanism. Initial user entries in this authentication source must be generated using system utilities. On Digital UNIX with C2 security, resetting of login failure counts for system accounts may be enabled by setting[AUTH_SOURCE=SYSTEM] SIA_SES_LAUNCH=1Note that setting the SIA_SES_LAUNCH option incurs a performance penalty.
14.2.3.2 Site specific authentication sources
You may define your own password/authentication source by specifying a
shared image to call. To add an authentication source called
auth-source-name where
auth-source-name may be an arbitrary alphanumeric
string other than those reserved above, include a block
defining the new authentication source (after all global options) of
the following form. On OpenVMS:
[AUTH_SOURCE=auth-source-name] IMAGE=logical-pointing-to-shared-image FUNCTION=function-entry-point ...On UNIX:
[AUTH_SOURCE=auth-source-name] IMAGE=shared-image-name FUNCTION=function-entry-point ...On NT:
[AUTH_SOURCE=auth-source-name] IMAGE=dll-name FUNCTION=function-entry-point ...The IMAGE option specifies the shared image to use and the FUNCTION option specifies the entry point. Note that on OpenVMS, the IMAGE value must be a system, executive mode logical name translating to the actual shared image; on UNIX, the IMAGE value must be the actual shared image file name; on NT, the IMAGE value must be the name of a dynamic link library (DLL). These options are mandatory for site defined authentication sources. Additional configuration options specific to that authentication source may also be included.
The PMDF authentication services API may be used to add authentication sources; contact Innosoft for details.