Prerequisites for Configuring LDAP Digest Authentication

In order to configure Digest authentication you must understand the basics of LDAP servers and LDAP administration. You must also understand the requirements and restrictions of your selected LDAP server implementation, and have privileges to modify the LDAP configuration as well as the Converged Application Server configuration.

Table 3-1 summarizes all of the information you will need in order to fully configure your LDAP server for Digest authentication with Converged Application Server.

Note that the LDAP authentication provider and the Digest Authentication Identity Asserter provider can be configured with multiple LDAP servers to provide failover capabilities. If you want to use more than one LDAP server for failover, you will need to have connection information for each server when you configure Digest Authentication. See "Steps for Configuring Digest Authentication".

Table 3-1 Digest Identity Asserter Checklist

| Item | Description | Sample Value |
|---|---|---|
| Host | The host name of the LDAP server. | MyLDAPServer |
| Port | The port number of the LDAP server. Port 389 is used by default. | 389 |
| Principal | A Distinguished Name (DN) that Converged Application Server can use to connect to the LDAP server. | cn=ldapadminuser |
| Credential | A credential for the above principal (generally a password). | ldapadminuserpassword |
| LDAP Connection Timeout | The configured timeout value for connections to the LDAP server (in seconds). For best performance, there should be no timeout value configured on the LDAP server. If a timeout value is configured on the LDAP server, set the Digest Identity Asserter provider timeout to a value equal to or less than the LDAP server's timeout. | 30 seconds |
| User From Name Filter | An LDAP search filter that Converged Application Server uses to locate a given username. If you do not specify a value for this attribute, the server uses a default search filter based on the user schema. | (&(cn=%u)(objectclass=person)) |
| User Base DN | The base Distinguished Name (DN) of the tree in the LDAP directory that contains users. | cn=users,dc=mycompany,dc=com |
| Credential Attribute Name | The name of the attribute used for the Digest calculation. This is the attribute that stores either cleartext passwords or pre-calculated hash values. See "Configure the LDAP Server or RDBMS". | hashvalue |
| Digest Realm Name | The realm name to use for Digest authentication. | mycompany.com |
| Digest Algorithm | The algorithm that clients use to compute Digest hash values. Converged Application Server supports both the MD5 and MD5-sess algorithms. MD5 is used by default. | MD5 |
| Digest Timeout | The Digest authentication timeout setting. By default this value is set to 2 minutes. | 2 |
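The two items in the checklist that most affect security are the Credential Attribute (cleartext password versus pre-calculated hash) and the User From Name Filter (a username is substituted for `%u`). The following Python is an added example, not code from the Converged Application Server documentation: it computes the pre-calculated hash value bound to the Digest Realm Name, escapes the username before it is placed in the search filter, and verifies a client's Digest response against the stored hash for both MD5 and MD5-sess. The directory is a constructed in-memory stand-in, and the sample request values are the published RFC 2617 section 3.5 example (so the realm there is the RFC's, not mycompany.com).

```python
import hashlib
import hmac

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def precomputed_hash_value(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password): the value to store in the
    Credential Attribute instead of a cleartext password. It is bound to the
    realm, so changing the Digest Realm Name invalidates every stored value."""
    return md5_hex(f"{username}:{realm}:{password}")

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted for %u in the User From Name
    Filter, so a crafted username cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_filter(username: str) -> str:
    return "(&(cn=%s)(objectclass=person))" % ldap_filter_escape(username)

def expected_response(ha1, algorithm, method, uri, nonce, nc, cnonce, qop):
    """Recompute the client's response from the stored HA1 (RFC 2617 3.2.2)."""
    if algorithm.upper() == "MD5-SESS":
        ha1 = md5_hex(f"{ha1}:{nonce}:{cnonce}")   # per-session key
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")       # legacy RFC 2069 form

def verify(directory, realm, method, auth):
    """Assert identity the way the provider would: locate the user by cn,
    read the stored hash, compare in constant time. No password is needed."""
    entry = directory.get(auth["username"])
    if entry is None or auth.get("realm") != realm:
        return False
    calc = expected_response(entry["hashvalue"], auth.get("algorithm", "MD5"),
                             method, auth["uri"], auth["nonce"], auth.get("nc", ""),
                             auth.get("cnonce", ""), auth.get("qop", ""))
    return hmac.compare_digest(calc, auth["response"])

# Constructed directory stand-in (one entry under the user base DN) holding
# only the hash value; request values are the RFC 2617 section 3.5 example.
REALM = "testrealm@host.com"
DIRECTORY = {"Mufasa": {"hashvalue": precomputed_hash_value("Mufasa", REALM, "Circle Of Life")}}
RFC_EXAMPLE = {"username": "Mufasa", "realm": REALM, "uri": "/dir/index.html",
               "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "qop": "auth",
               "nc": "00000001", "cnonce": "0a4f113b",
               "response": "6629fae49393a05397450978507c4ef1"}

if __name__ == "__main__":
    print(user_filter("Mufasa"), verify(DIRECTORY, REALM, "GET", RFC_EXAMPLE))
```

Because the stored value is bound to the realm and the response to the nonce, a directory entry that holds only `hashvalue` lets the asserter verify clients without ever reading a cleartext password.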