Prerequisites for Configuring LDAP Digest Authentication
To configure Digest authentication, you must understand the basics of LDAP servers and LDAP administration. You must also understand the requirements and restrictions of your selected LDAP server implementation, and have privileges to modify both the LDAP configuration and the Converged Application Server configuration.
Table 3-1 summarizes all of the information you will need in order to fully configure your LDAP server for Digest authentication with Converged Application Server.
Note that the LDAP authentication provider and the Digest Authentication Identity Asserter provider can be configured with multiple LDAP servers to provide failover capabilities. If you want to use more than one LDAP server for failover, you will need to have connection information for each server when you configure Digest Authentication. See "Steps for Configuring Digest Authentication".
Table 3-1 Digest Identity Asserter Checklist
Item | Description | Sample Value |
---|---|---|
Host | The host name of the LDAP server. | MyLDAPServer |
Port | The port number of the LDAP server. Port 389 is used by default. | 389 |
Principal | A Distinguished Name (DN) that Converged Application Server can use to connect to the LDAP server. | cn=ldapadminuser |
Credential | A credential for the above principal name (generally a password). | ldapadminuserpassword |
LDAP Connection Timeout | The configured timeout value for connections to the LDAP server (in seconds). For best performance, there should be no timeout value configured for the LDAP server. If a timeout value is specified for the LDAP server, configure the Digest Identity Asserter provider timeout to a value equal to or less than the LDAP server's timeout. | 30 seconds |
User From Name Filter | An LDAP search filter that Converged Application Server uses to locate a given username. If you do not specify a value for this attribute, the server uses a default search filter based on the user schema. | (&(cn=%u)(objectclass=person)) |
User Base DN | The base Distinguished Name (DN) of the tree in the LDAP directory that contains users. | cn=users,dc=mycompany,dc=com |
Credential Attribute Name | The credential attribute name used for Digest calculation. This corresponds to the attribute name used to store unencrypted passwords or pre-calculated hash values. See "Configure the LDAP Server or RDBMS". | hashvalue |
Digest Realm Name | The realm name to use for Digest authentication. | mycompany.com |
Digest Algorithm | The algorithm that clients use to compute the Digest. Converged Application Server supports both the MD5 and MD5-sess algorithms. MD5 is used by default. | MD5 |
Digest Timeout | The Digest authentication timeout setting. By default this value is set to 2 minutes. | 2 |
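The following Python is an added example, not part of the original documentation or the product, showing how the pre-calculated hash value held in the Credential Attribute is derived, how the MD5 and MD5-sess algorithms differ, and why the realm used when provisioning that hash must match the configured Digest Realm Name exactly. It assumes the stored value is the RFC 2617 H(A1) = MD5(username:realm:password) and that the server recomputes the client's response from it; confirm this against "Configure the LDAP Server or RDBMS" before provisioning. All usernames, passwords, nonces and realms below are constructed sample values.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    """MD5 hex digest of a UTF-8 string (the H() function of RFC 2617)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def precomputed_hash(username: str, realm: str, password: str) -> str:
    """Value stored in the credential attribute ('hashvalue' in Table 3-1) instead of
    the clear-text password. Assumption: it is RFC 2617 H(A1) = MD5(user:realm:pw)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, algorithm: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """Response value computed identically by client and server from H(A1)."""
    if algorithm.upper() == "MD5-SESS":
        # MD5-sess binds the stored H(A1) to this exchange's nonce and cnonce.
        ha1 = md5_hex(f"{ha1}:{nonce}:{cnonce}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verifies(stored_hash: str, algorithm: str, client_response: str,
                    method: str, uri: str, nonce: str, nc: str, cnonce: str) -> bool:
    """Server side: recompute the response from the hash read out of LDAP and
    compare it in constant time with what the client sent."""
    expected = digest_response(stored_hash, algorithm, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)


def simulate_login(provisioned_realm: str, digest_realm_name: str,
                   algorithm: str = "MD5") -> bool:
    """Provision the LDAP hash under provisioned_realm, then let a client answer a
    challenge that carries the configured Digest Realm Name. All values constructed."""
    username, password = "alice", "s3cret"
    stored_hash = precomputed_hash(username, provisioned_realm, password)
    # The client never sees the LDAP entry; it uses the realm from the challenge.
    nonce, nc, cnonce = "n0nce-0001", "00000001", "c1ientn0nce"
    client_ha1 = md5_hex(f"{username}:{digest_realm_name}:{password}")
    response = digest_response(client_ha1, algorithm, "REGISTER", "sip:mycompany.com",
                               nonce, nc, cnonce)
    return server_verifies(stored_hash, algorithm, response, "REGISTER",
                           "sip:mycompany.com", nonce, nc, cnonce)
```

Because the realm is hashed into the stored value, changing the Digest Realm Name after users are provisioned (even only in letter case) invalidates every pre-calculated hash in the directory until they are regenerated.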