2.4 Authenticating

Be aware of the following issues related to iManager authentication:

2.4.1 Tree Name Field

If eDirectory™ is installed and running on a port other than the default port 524, you can use the IP address or DNS name of the eDirectory server to log in if you also specify the port (for example, 127.0.0.1:1080). If you use the tree name to log in, you do not have to specify a port.

Possible values for the Tree Name field are the tree name, the server IP address, and the server DNS name.

For best results, use the IP address.

2.4.2 Logging In to a Server without a Replica

You can log in to a server without a replica if you have previously logged in to the tree using the tree name, or if you have logged in to the tree using a server that contains a replica.

2.4.3 Unsuccessful Authentication

Login failures occur for a variety of reasons. For more information, see Authentication Issues.

NOTE: By default, iManager displays standard eDirectory error messages related to login problems. However, to increase login security, you can substitute a generic Login Failed message by adding the following setting to config.xml:

<setting>
  <name><![CDATA[Authenticate.Form.HideLoginFailReason]]></name>
  <value><![CDATA[true]]></value>
</setting>

2.4.4 Expired Password Information

If a password expires, the user sees a message to this effect. However, users might not be aware that grace logins can be quickly consumed, depending on certain operations such as modifying a dynamic group, simple find, and setting a simple password.

These operations consume additional grace logins each time a user performs a task. We highly recommend that you encourage users to change their passwords the first time they are prompted.

2.4.5 Contextless Login Using Alternate Object Classes and/or Alternate Attributes

To enable contextless authentication using an alternate object type:

  1. Open iManager and browse to Configure > iManager Server > Configure iManager > Authentication.

    If you do not see this task, you are not an authorized user. See Authorized Users.

  2. Set Public Username and Password to a user that has rights to read the desired attributes.

  3. Modify TOMCAT_HOME\webapps\nps\WEB-INF\config.xml to include a <setting> element that lists the object classes or attributes you want to add to the contextless search, and then restart Tomcat.

    For information about restarting Tomcat, see Starting and Stopping Tomcat and Apache.

For example, the following XML adds the Alias and User objects to the contextless search:

<setting>
  <name><![CDATA[Authenticate.Form.ContextlessLoginClass.NDAP.treename]]></name>
  <value><![CDATA[User]]></value>
  <value><![CDATA[Alias]]></value>
</setting>

Similarly, the following XML allows users to log in with the CN or uniqueID attribute:

<setting>
  <name><![CDATA[Authenticate.Form.ContextlessLoginSearchAttributes.NDAP.treename]]></name>
  <value><![CDATA[CN]]></value>
  <value><![CDATA[uniqueID]]></value>
</setting>

NOTE: In the sample code above, replace treename with the name of the appropriate directory tree.
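The following is an added example (not part of the iManager documentation or product) that reads the <setting> entries shown above from a config.xml and reports whether login failure reasons are hidden and which classes and attributes are enabled for contextless login. The <configuration> root element and the TREENAME_PLACEHOLDER tree name in the constructed sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the authentication-related part of config.xml.
# The <configuration> root and the tree name are assumptions, not product values.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <setting>
    <name><![CDATA[Authenticate.Form.HideLoginFailReason]]></name>
    <value><![CDATA[false]]></value>
  </setting>
  <setting>
    <name><![CDATA[Authenticate.Form.ContextlessLoginClass.NDAP.TREENAME_PLACEHOLDER]]></name>
    <value><![CDATA[User]]></value>
    <value><![CDATA[Alias]]></value>
  </setting>
  <setting>
    <name><![CDATA[Authenticate.Form.ContextlessLoginSearchAttributes.NDAP.TREENAME_PLACEHOLDER]]></name>
    <value><![CDATA[CN]]></value>
    <value><![CDATA[uniqueID]]></value>
  </setting>
</configuration>
"""

CLASS_PREFIX = "Authenticate.Form.ContextlessLoginClass.NDAP."
ATTR_PREFIX = "Authenticate.Form.ContextlessLoginSearchAttributes.NDAP."

def parse_settings(xml_text):
    """Return {setting name: [values]} for every <setting> element (CDATA is unwrapped by the parser)."""
    root = ET.fromstring(xml_text)
    settings = {}
    for setting in root.iter("setting"):
        name = (setting.findtext("name") or "").strip()
        values = [v.text.strip() for v in setting.findall("value") if v.text]
        if name:
            settings[name] = values
    return settings

def hides_login_fail_reason(settings):
    """True only when HideLoginFailReason is explicitly 'true', i.e. clients get the generic Login Failed message."""
    values = settings.get("Authenticate.Form.HideLoginFailReason", [])
    return bool(values) and values[0].lower() == "true"

def contextless_login_config(settings):
    """Return {tree name: {"classes": [...], "attributes": [...]}} from the NDAP settings."""
    result = {}
    for name, values in settings.items():
        for key, prefix in (("classes", CLASS_PREFIX), ("attributes", ATTR_PREFIX)):
            if name.startswith(prefix):
                tree = name[len(prefix):]
                result.setdefault(tree, {"classes": [], "attributes": []})[key] = values
    return result
```

Run it against the real TOMCAT_HOME\webapps\nps\WEB-INF\config.xml to confirm that the generic message is enabled and that only the intended classes and attributes widen the contextless search.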