
Configuring iChain to use Separate Authentication and Authorization Trees

Novell Cool Solutions: Trench
By Jim Short


Posted: 23 Dec 2003
 

Fact: iChain 2.2

Goal: Can different LDAP trees be used for authentication and authorization?

Fix: Yes, with caveats. iChain carries the user's full DN as it exists in the authentication tree into both ACLCHECK (access control) and OLAC (Object Level Access Control, used for single sign-on), so whatever the authorization tree is asked to do, it is asked to do for that authentication-tree DN.

What does this mean?

  1. If you are going to use SECURE access rules, the user's full DN must be identical in both trees, because the rule is evaluated against the DN that came from the authentication tree; a user whose DN cannot be found in the authorization tree will not match any SECURE rule. RESTRICTED resources work without this constraint, because a RESTRICTED resource only checks that the user has authenticated.


  2. If you plan to use OLAC for single sign-on, you must modify the sys:\iChain\oac.properties file so that the [LDAP Processor] section points to the authentication tree and the [OAC] section points to the authorization tree. The authorization tree referenced in [OAC] MUST be Novell eDirectory and MUST contain an ISO object, whose DN goes in ISO Object Name. Both sections hold a bind DN and its password in cleartext, so restrict read access to the file and prefer a bind account with only the rights OLAC needs over cn=admin.
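Before switching SECURE access rules to a split-tree setup, it is worth checking the first caveat mechanically. The script below is an added example, not part of the article or of iChain: it takes an LDIF export of the user entries from each tree (for instance the output of ldapsearch against each server), normalises the DNs the way eDirectory compares them (attribute types and cn/ou/o values case-insensitively, whitespace around the separating commas ignored), and lists every authentication-tree DN that has no counterpart in the authorization tree. The two LDIF exports embedded here are constructed; multi-valued RDNs and escaped commas are assumed not to occur in the exports.

```python
"""List authentication-tree user DNs that do not exist in the authorization tree.

Added example, not from the original article. Input is two LDIF exports
(one per tree); only the dn: lines are used, so the exports can be produced
with e.g.  ldapsearch -x -H ldap://<tree> -b o=novell "(objectClass=inetOrgPerson)" dn
The sample exports below are constructed for illustration.
"""
import base64
import re

# Constructed sample: the authentication tree.
AUTH_TREE_LDIF = """\
dn: cn=jsmith,ou=users,o=novell
objectClass: inetOrgPerson

dn: CN=AJones, OU=Users, O=novell
objectClass: inetOrgPerson

dn: cn=contractor1,ou=temp,o=novell
objectClass: inetOrgPerson
"""

# Constructed sample: the authorization tree. AJones is the same DN written
# differently; contractor1 lives in a different container, so the DNs differ.
AUTHZ_TREE_LDIF = """\
dn: cn=jsmith,ou=users,o=novell
objectClass: inetOrgPerson

dn: cn=ajones,ou=users,o=novell
objectClass: inetOrgPerson

dn: cn=contractor1,ou=contractors,o=novell
objectClass: inetOrgPerson
"""


def normalize_dn(dn):
    """Canonical form for comparison: lower-case attribute types and values,
    strip whitespace around each RDN. Assumes cn/ou/o use case-insensitive
    matching (true for the standard schema) and that no RDN contains an
    escaped comma or a multi-valued (a+b) RDN."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def parse_ldif_dns(text):
    """Return the DN of every entry in an LDIF text, unfolding continuation
    lines and decoding base64 'dn::' values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF line folding
        else:
            unfolded.append(line)
    dns = []
    for line in unfolded:
        if line.lower().startswith("dn::"):
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.lower().startswith("dn:"):
            dns.append(line[3:].strip())
    return dns


def find_dn_mismatches(auth_ldif, authz_ldif):
    """DNs from the authentication export with no match in the authorization
    export. Each one is a user whom SECURE rules can never match."""
    authz = {normalize_dn(d) for d in parse_ldif_dns(authz_ldif)}
    return [d for d in parse_ldif_dns(auth_ldif) if normalize_dn(d) not in authz]


if __name__ == "__main__":
    for dn in find_dn_mismatches(AUTH_TREE_LDIF, AUTHZ_TREE_LDIF):
        print("not in authorization tree:", dn)
```

A DN that exists in both trees only satisfies the precondition; whether it denotes the same person in both is an administrative question the script cannot answer.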

Example of the default oac.properties file:

[OAC]
Worker Count = 32
Refresh Time = 180

[LDAP Processor]
Class Name = com.novell.ichain.oac.ldap.ParamListBuilder

[CONSTANT Processor]
Class Name = com.novell.ichain.oac.constant.ParamListBuilder

The file modified to use IP address x.x.x.x for the authorization/OLAC tree and IP address y.y.y.y for the authentication tree (the parenthetical notes are explanations, not part of the file):

[OAC]
Provider URL = x.x.x.x                 (IP address of the authorization/OLAC server)
Security Principal = cn=admin,o=novell (LDAP DN of the bind user)
Security Credentials = xxxxxx          (password of the bind user)
Ldap Referral = true
ISO Object Name = cn=iso,o=novell      (DN of the ISO object)
Worker Count = 32
Refresh Time = 180

[LDAP Processor]
Provider URL = y.y.y.y                 (IP address of the authentication server)
Security Principal = cn=admin,o=novell (LDAP DN of the bind user)
Security Credentials = xxxxxx          (password of the bind user)
Class Name = com.novell.ichain.oac.ldap.ParamListBuilder

[CONSTANT Processor]
Class Name = com.novell.ichain.oac.constant.ParamListBuilder
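A quick way to catch the common mistakes in the edited file (a section left pointing at the wrong tree, ISO Object Name forgotten, both sections still naming the same server) is to parse it and check the layout. The checker below is an added example, not part of the article or of iChain: it reads the file with Python's configparser, requires the keys the article shows in each section, checks that ISO Object Name is a DN, and flags the case where [OAC] and [LDAP Processor] resolve to the same server, which means authentication and authorization are not actually split. The key and section names come from the article; the embedded sample file (with RFC 5737 documentation addresses), the host comparison and the finding messages are my own assumptions. It expects Provider URL to be an IPv4 address or hostname with an optional :port, as in the article.

```python
"""Check an iChain oac.properties for the split-tree layout.

Added example, not part of the original article or of iChain. Section and
key names are as shown in the article; everything else is an assumption.
"""
import configparser

# Keys each section needs for the split-tree configuration (from the article).
REQUIRED = {
    "OAC": ["Provider URL", "Security Principal", "Security Credentials",
            "ISO Object Name", "Worker Count", "Refresh Time"],
    "LDAP Processor": ["Provider URL", "Security Principal",
                       "Security Credentials", "Class Name"],
}

# Constructed sample in the article's format; 192.0.2.0/24 is a documentation range.
SPLIT_TREE_CONFIG = """\
[OAC]
Provider URL = 192.0.2.10
Security Principal = cn=admin,o=novell
Security Credentials = secret
Ldap Referral = true
ISO Object Name = cn=iso,o=novell
Worker Count = 32
Refresh Time = 180

[LDAP Processor]
Provider URL = 192.0.2.20:390
Security Principal = cn=admin,o=novell
Security Credentials = secret
Class Name = com.novell.ichain.oac.ldap.ParamListBuilder

[CONSTANT Processor]
Class Name = com.novell.ichain.oac.constant.ParamListBuilder
"""


def load_oac_properties(text):
    """Parse the INI-style file. Keys keep their case and spaces; only '='
    separates key and value, so 'cn=admin,o=novell' and 'host:390' survive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def host_of(url):
    """Server part of a Provider URL: drop an optional ldap(s):// prefix and
    an optional :port (IPv4 or hostname assumed)."""
    url = url.strip()
    for prefix in ("ldaps://", "ldap://"):
        if url.lower().startswith(prefix):
            url = url[len(prefix):]
    return url.split(":")[0].lower()


def check_split_tree(text):
    """Return a list of findings; an empty list means the layout is as the
    article describes."""
    cp = load_oac_properties(text)
    findings = []
    for section, keys in REQUIRED.items():
        if not cp.has_section(section):
            findings.append(f"missing [{section}] section")
            continue
        for key in keys:
            if not cp.get(section, key, fallback="").strip():
                findings.append(f"[{section}] lacks '{key}'")
    if findings:
        return findings
    if "=" not in cp["OAC"]["ISO Object Name"]:
        findings.append("[OAC] ISO Object Name is not a DN")
    if host_of(cp["OAC"]["Provider URL"]) == host_of(cp["LDAP Processor"]["Provider URL"]):
        findings.append("[OAC] and [LDAP Processor] point at the same server: "
                        "authentication and authorization are not split")
    return findings


if __name__ == "__main__":
    problems = check_split_tree(SPLIT_TREE_CONFIG)
    print("\n".join(problems) if problems else "oac.properties layout OK")
```

Run it against the real file with `check_split_tree(open(path).read())` after stripping any explanatory parentheses like those in the listing above, which are not valid file content. The file still contains the bind password in cleartext; the checker deliberately does not print it.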

Screenshots of a configuration tested on iChain 2.2 SP2 (version 2.2.110):

[Screenshot: Authentication Profile Configuration]

[Screenshot: Access Control Configuration]

SYS:/iChain/OAC/OAC.PROPERTIES file (the parenthetical notes after the section headers are explanations, not part of the file; the bind password is stored in cleartext here, so restrict read access to the file):

[OAC]    (This section will point to the Authorization Tree)
Provider URL = 137.65.214.239
Security Principal = cn=admin,o=novell
Security Credentials = novell
ISO Object Name = cn=iso,o=novell
Worker Count = 32
Refresh Time = 180

[LDAP Processor]   (This section will point to the Authentication Tree)
Provider URL = 137.65.214.222:390
Security Principal = cn=admin,o=novell
Security Credentials = novell
Class Name = com.novell.ichain.oac.ldap.ParamListBuilder

[CONSTANT Processor]
Class Name = com.novell.ichain.oac.constant.ParamListBuilder

