6.1 Changing the Authentication Configuration

When changing the authentication configuration, you can control the settings described in the following sections.

6.1.1 http_server.allow_local_authentication

Purpose

Directs the HTTP server to allow local authentication without a password. Instead of a credential, the server relies on local file permissions: a client proves which local user it is by reading back a secret that the server writes to a file only that user can read, so this login path is exactly as strong as the host's file-permission enforcement.

This setting can be used together with either Basic or Digest HTTP authentication.

Syntax

http_server.allow_local_authentication = option

Option    Use

false     Disables local authentication. This is the default setting on NetWare.

true      Enables local authentication. This is the default setting on Linux.

Example

http_server.allow_local_authentication = true

6.1.2 http_server.digest_password_file

Purpose

Specifies a location for the password file. This is required if the http_server.use_digest setting is enabled.

Syntax

http_server.digest_password_file = path_filename

The default paths and filenames for the digest password file are:

Platform    File location

Linux       /etc/openwbem/digest_auth.passwd

NetWare     /system/cimom/etc/openwbem/digest_auth.passwd

Example

http_server.digest_password_file = /etc/openwbem/digest_auth.passwd

6.1.3 http_server.ssl_client_verification

Purpose

Determines whether the server attempts to authenticate clients by verifying SSL client certificates against the trust store (see http_server.ssl_trust_store).

Client certificate verification is disabled by default.

Syntax

http_server.ssl_client_verification = option

Option      Use

autoupdate  Behaves like optional, except that a previously unknown client certificate whose connection passes HTTP authentication is added to the trust store, so later connections presenting the same certificate no longer need HTTP authentication. This is trust-on-first-use: the HTTP credentials used for that first connection enroll the client's certificate permanently, and it stays trusted until its entry is removed from the trust store directory.

disabled    Disables client certificate checking. This is the default setting.

optional    Allows a client presenting a trusted certificate to be authenticated by the certificate alone (no HTTP authentication is necessary). A client presenting an untrusted certificate still passes the SSL handshake, but must then pass HTTP authentication.

required    Requires a trusted client certificate for the SSL handshake to succeed.

Example

http_server.ssl_client_verification = disabled

6.1.4 http_server.ssl_trust_store

Purpose

Specifies a directory containing the OpenSSL trust store.

Syntax

http_server.ssl_trust_store = path

The default paths for the trust store directory are:

Platform    File location

Linux       /etc/openwbem/truststore

NetWare     /system/cimom/etc/openwbem/truststore

Example

http_server.ssl_trust_store = /etc/openwbem/truststore

6.1.5 http_server.use_digest

Purpose

Directs the HTTP server to use Digest authentication instead of Basic authentication. With Basic, the client sends the password base64-encoded in every request, so it is safe only over HTTPS; with Digest, the client sends a hash computed over the password and a server-supplied nonce instead. To use Digest, you must first create the digest password file with owdigestgenpass (see http_server.digest_password_file).

Digest does not use the authentication module specified by the owcimomd.authentication_module setting; passwords are checked only against the digest password file.

Syntax

http_server.use_digest = option

Option    Use

false     Uses the Basic authentication mechanism (Digest disabled). This is the value shipped with OES 2 Linux and NetWare.

true      Uses the Digest authentication mechanism (Basic disabled). This is the default in OpenWBEM itself; OES 2 Linux and NetWare override it to false.

Example

http_server.use_digest = false

6.1.6 owcimomd.ACL_superuser

Purpose

Specifies the username of the user that has access to all Common Information Model (CIM) data in all namespaces maintained by OWCIMOMD. This user can administer the /root/security namespace, which is where all ACL user rights are stored.

ACL processing is not enabled until the OpenWBEM_Acl1.0.mof file has been imported; until then, no per-user authorization is applied to CIM operations beyond the owcimomd.allowed_users check.

Syntax

owcimomd.ACL_superuser = username

Example

owcimomd.ACL_superuser = root

6.1.7 owcimomd.allow_anonymous

Purpose

Enables or disables anonymous logins to OWCIMOMD.

Syntax

owcimomd.allow_anonymous = option

Option    Use

false     Requires login with a username and password to access OWCIMOMD data. This is the default and recommended setting.

true      Allows anonymous logins to OWCIMOMD. This disables authentication entirely: no username or password is required to access OWCIMOMD data, and owcimomd.allowed_users is no longer enforced.

Example

owcimomd.allow_anonymous = false

6.1.8 owcimomd.allowed_users

Purpose

Specifies a list of users who are allowed to access OWCIMOMD data.

Syntax

owcimomd.allowed_users = option

Option    Use

username  One or more users who are allowed to access OWCIMOMD data. Separate each username with a space.

*         Allows all users who can authenticate (for example, if you choose to control access with ACLs instead). This is the default setting.

Whichever option is used, the list is enforced for all authentication methods unless owcimomd.allow_anonymous is set to true, in which case no user check is performed at all.

Example

owcimomd.allowed_users = bcwhitely jkcarey jlanderson
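The script below is an added example, not part of the OES or OpenWBEM documentation: a small audit of the settings covered in Sections 6.1.1 through 6.1.8, run against a constructed openwbem.conf. It assumes the file uses the "key = value" syntax shown in this chapter, one setting per line with "#" comments, and that the last occurrence of a key wins. The two sample configurations are constructed for the example, and the finding texts are the author's wording, not messages produced by OWCIMOMD.

```shell
#!/bin/sh
# Added example: audit the authentication settings of an openwbem.conf.
# ASSUMPTIONS (not from the OES documentation): "key = value" lines, '#'
# comments, last occurrence wins; the sample files below are constructed.

# Print the value of key $2 in file $1 (empty if absent), whitespace trimmed.
conf_get() {
  awk -v k="$2" '
    /^[ \t]*#/ || !/=/ { next }
    { key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
      if (key == k) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); gsub(/[ \t]+$/, "", v) } }
    END { print v }' "$1"
}

# One finding per line on stdout; nothing printed means no weak setting found.
audit_openwbem_auth() {
  f="$1"
  [ "$(conf_get "$f" owcimomd.allow_anonymous)" = true ] &&
    echo "owcimomd.allow_anonymous=true: authentication is off; anyone can read and change CIM data"
  [ "$(conf_get "$f" owcimomd.allowed_users)" = "*" ] &&
    echo "owcimomd.allowed_users=*: every account that can authenticate is admitted; only acceptable with ACLs (OpenWBEM_Acl1.0.mof imported)"
  [ "$(conf_get "$f" http_server.ssl_client_verification)" = autoupdate ] &&
    echo "http_server.ssl_client_verification=autoupdate: the first successful HTTP login pins the client certificate permanently"
  [ "$(conf_get "$f" http_server.use_digest)" = false ] &&
    echo "http_server.use_digest=false: Basic authentication sends the password base64-encoded; acceptable only over HTTPS"
  [ -n "$(conf_get "$f" ldap_auth.bindpw)" ] &&
    echo "ldap_auth.bindpw is set: LDAP bind password stored in clear; restrict the file to the OWCIMOMD account (mode 0600)"
  return 0
}

# Number of findings, as a plain integer.
audit_finding_count() {
  audit_openwbem_auth "$1" | awk 'END { print NR }'
}

# Constructed sample configurations (not real OES files): $1 = path,
# $2 = "weak" or "hardened".
write_sample_conf() {
  case "$2" in
    weak) cat > "$1" <<'EOF'
# constructed weak configuration
http_server.use_digest = false
http_server.ssl_client_verification = autoupdate
owcimomd.allow_anonymous = true
owcimomd.allowed_users = *
ldap_auth.binddn = cn=manager,dc=example,dc=com
ldap_auth.bindpw = secret
EOF
    ;;
    hardened) cat > "$1" <<'EOF'
# constructed hardened configuration
http_server.use_digest = true
http_server.digest_password_file = /etc/openwbem/digest_auth.passwd
http_server.ssl_client_verification = required
http_server.ssl_trust_store = /etc/openwbem/truststore
owcimomd.allow_anonymous = false
owcimomd.allowed_users = bcwhitely jkcarey
owcimomd.ACL_superuser = root
EOF
    ;;
  esac
}

# Usage: sh audit_openwbem.sh /etc/openwbem/openwbem.conf
if [ -n "${1:-}" ]; then
  audit_openwbem_auth "$1"
fi
```

The hardened sample is one defensible combination, not the only one: use_digest = true requires the digest password file to exist, and ssl_client_verification = required refuses every client that has no certificate in the trust store, so roll that out only after the store is populated.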

6.1.9 owcimomd.authentication_module

Purpose

Specifies the authentication module that is used by OWCIMOMD. This setting should be an absolute path to the shared library containing the authentication module.

Syntax

owcimomd.authentication_module = path_filename

The following are the default paths and filenames for the authentication modules. On NetWare the module also reads the ldap_auth.* settings, whose defaults are listed with it:

Platform    File location

Linux x86   /usr/lib/openwbem/authentication/libnovellauthentication.so

Linux 64    /usr/lib64/openwbem/authentication/libnovellauthentication.so

NetWare     /system/cimom/lib/openwbem/authentication/libnetwareauthentication.nlm
            ldap_auth.ldap_host = 127.0.0.1
            ldap_auth.cert_file = /public/RootCert.der
            ldap_auth.searchbase = o=novell

Example on Linux

owcimomd.authentication_module = /usr/lib/openwbem/authentication/libnovellauthentication.so

Example on NetWare

owcimomd.authentication_module = /system/cimom/lib/openwbem/authentication/libnetwareauthentication.nlm
ldap_auth.ldap_host = 192.155.27.1
ldap_auth.cert_file = /public/RootCert.der
ldap_auth.searchbase = ou=users,ou=provo,o=example_company

Configuring Additional LDAP Settings for NetWare

The following table lists the additional LDAP settings that are recognized by owcimom.nlm and explains their configuration options. Each entry shows the setting with its default value, followed by its description.

Table 6-2 Configuration Options for Additional LDAP Settings Recognized by OWCIMOM.NLM

ldap_auth.bind_timelimit = 3
    Specifies the time (in seconds) that OWCIMOMD spends binding to LDAP as a given user.

ldap_auth.binddn = anonymous
ldap_auth.bindpw = N/A
    If you want to change these from an anonymous bind, you must specify the fully distinguished name to bind to the server with, and its password. For example:

    ldap_auth.binddn = cn=manager,dc=example,dc=com
    ldap_auth.bindpw = secret

    The bind password is stored in the configuration file in clear text, so the file must be readable only by the account that runs OWCIMOMD, and the bind account should have no more than the search rights needed to locate users.

ldap_auth.ldap_port = 636
    The port used for the secure (SSL) LDAP connection. If your LDAP server is configured to listen for secure connections on a different port, change this number to match.

ldap_auth.searchscope = sub
    Options: sub, one

    sub: Sets the LDAP search to search the container specified in the ldap_auth.searchbase setting and all of its subcontainers.

    Example context:

        o=example_company
            ou=provo
                ou=users
                ou=sales
                ou=engineers

    For example, if the searchbase context were set to ou=provo,o=example_company and the searchscope were set to sub, then the Provo container and all its subcontainers (Users, Sales and Engineers) would be searched.

    one: Sets the LDAP search to search only the container specified in the ldap_auth.searchbase setting.

    For example, if the searchbase context were set to ou=users,ou=provo,o=example_company and the searchscope were set to one, then only the Users container would be searched.

ldap_auth.search_timelimit = 10
    Specifies the amount of time (in seconds) that OWCIMOMD spends searching for a user in LDAP.

ldap_auth.user_cachesize = 10
    Specifies the number of user authentication entries that are cached, so that repeated requests from the same user do not each require a new LDAP bind. Range: 0 to 1000 entries.

6.1.10 simple_auth.password_file

Purpose

Specifies the path to the password file that the simple authentication module reads.

This setting has no default value; it is unset (disabled) until you configure it.

Syntax

simple_auth.password_file = path_filename

Linux Example

simple_auth.password_file = /etc/openwbem/simple_auth.passwd

NetWare Example

simple_auth.password_file = /system/cimom/etc/openwbem/simple_auth.passwd