Content Platform Engine, Version 5.2.1

Configure multiple authenticating attributes

Use this procedure to configure your application server for more than one login attribute.

About this task

The following procedure provides a general list of steps to follow for configuring your application server so that users can log in using both shortname and distinguished name. You must first configure the Content Platform Engine application server's authentication parameters, and then configure the Content Platform Engine authorization parameters. Then, in some cases, you must also configure the client’s authentication parameters.

You can carry out this procedure before or after installing Content Platform Engine and your client. If you have already installed and configured Content Platform Engine, then Configuration Manager has already configured your application server's authentication parameters for one authenticating attribute, for example, using shortname (cn).

The following procedures use the terms shortname and longname, which typically map to the following LDAP attributes:

Table of authenticating attributes (shortname and longname) and the LDAP attribute each typically maps to.

  Directory Server                                          Typical shortname equivalent   Typical longname equivalent
  Active Directory                                          sAMAccountName                 userPrincipalName or DN
  Active Directory Lightweight Directory Server (AD LDS)    sAMAccountName                 userPrincipalName or DN
  Sun Java System Directory Server                          uid                            DN
  Novell eDirectory                                         cn                             DN
  IBM Tivoli Directory Server                               cn                             DN
  Oracle Internet Directory                                 cn                             DN

Procedure

To configure for multiple authenticating attributes (for example, shortname and distinguished name):

  1. Log in to the Content Platform Engine application server as an administrator.
  2. If WebSphere is your application server, then in the profile containing Content Platform Engine, do the following:
    1. Set the user filter to:
      (&(|(shortname=%v)(longname=%v)) (objectcategory=user))
    2. Set the User ID Map to:
      user:shortname;user:longname
  3. If WebLogic is your application server, then in the profile containing Content Platform Engine, create two authentication providers, one using shortname and another using longname.
  4. If JBoss is your application server, then in the profile containing Content Platform Engine, do the following:
    1. Edit login-config.xml to allow both types of login. The following example provides a general idea. Notice that the two <login-module> entries in the <authentication> section differ only in their baseFilter and roleFilter values: one uses longname, the other shortname:
      <application-policy name="ibm">
        <authentication>
          <!-- shortname and longname are placeholders: substitute the LDAP attributes from the table above -->
          <!-- Module 1: match the login against longname; flag="sufficient" lets a failed match fall through to module 2 -->
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
                        flag="sufficient">
            <module-option name="java.naming.provider.url">ldap://yourURL:389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
            <!-- bindDN and bindCredential: the account used to search the directory (example values) -->
            <module-option name="bindDN">cn=test1,CN=Users,DC=yourDC</module-option>
            <module-option name="bindCredential">test1</module-option>
            <module-option name="baseCtxDN">CN=Users,DC=yourDC</module-option>
            <module-option name="baseFilter">(longname={0})</module-option>
            <module-option name="rolesCtxDN">CN=Users,DC=yourDC</module-option>
            <module-option name="roleFilter">(longname={0})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleRecursion">-1</module-option>
          </login-module>
          <!-- Module 2: identical except that baseFilter and roleFilter match shortname -->
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
                        flag="sufficient">
            <module-option name="java.naming.provider.url">ldap://yourURL:389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
            <module-option name="bindDN">cn=test1,CN=Users,DC=yourDC</module-option>
            <module-option name="bindCredential">test1</module-option>
            <module-option name="baseCtxDN">CN=Users,DC=yourDC</module-option>
            <module-option name="baseFilter">(shortname={0})</module-option>
            <module-option name="rolesCtxDN">CN=Users,DC=yourDC</module-option>
            <module-option name="roleFilter">(shortname={0})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleRecursion">-1</module-option>
          </login-module>
        </authentication>
      </application-policy>

      When using JBoss 4.0.5, if CN=Users is missing from the rolesCtxDN tag, you will not be able to log on to Administration Console for Content Platform Engine, which will throw an incorrect user name/password exception.

  5. Restart the application server.
  6. Log in to Administration Console for Content Platform Engine as a GCD administrator (gcd_admin).
    1. Click the domain folder, and then click the Directory Configuration tab.
    2. Double-click the directory configuration entry if you changed an existing authentication configuration. Or, if you added a new authentication configuration, click New and complete the New Directory Configuration Wizard using the same values you just entered into the application server's authentication configuration.
    3. Make the same changes you made in your application server.
  7. If your authentication design requires that your client application server's authentication parameters exactly match those of the Content Platform Engine application server, log in to the application server as an administrator.
    1. Make the same authentication changes on the client application server that you made for the Content Platform Engine server. If your client software is installed on a different type of application server than the Content Platform Engine application server (only supported when using Web Services transport), achieving an exact match of the multiple-attribute login configuration might require experimentation and careful testing.
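As an added example (not from this IBM page or the product), the following Python script builds the WebSphere user filter from a chosen shortname/longname pair and checks a JBoss login-config.xml application policy for the two-login-module pattern described in step 4. The LDAP URL, base DNs and the sAMAccountName/userPrincipalName pair in it are constructed sample values; the checker itself works on any policy in that shape.

```python
import xml.etree.ElementTree as ET

def login_module(attr, roles_ctx="CN=Users,DC=example,DC=com"):
    """One LdapExtLoginModule entry for the given login attribute (constructed sample values)."""
    return f"""<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
  <module-option name="java.naming.provider.url">ldap://ldap.example.com:389</module-option>
  <module-option name="allowEmptyPasswords">false</module-option>
  <module-option name="baseCtxDN">CN=Users,DC=example,DC=com</module-option>
  <module-option name="baseFilter">({attr}={{0}})</module-option>
  <module-option name="rolesCtxDN">{roles_ctx}</module-option>
  <module-option name="roleFilter">({attr}={{0}})</module-option>
  <module-option name="roleAttributeID">memberOf</module-option>
</login-module>"""

# Constructed policy: shortname module first, longname module second, both "sufficient".
SAMPLE_POLICY = ('<application-policy name="ibm"><authentication>'
                 + login_module("sAMAccountName") + login_module("userPrincipalName")
                 + '</authentication></application-policy>')

def filter_attribute(ldap_filter):
    """Attribute name from a simple '(attr={0})' filter, or '' if it is not in that form."""
    if ldap_filter.startswith("(") and "=" in ldap_filter:
        return ldap_filter[1:ldap_filter.index("=")]
    return ""

def check_login_config(xml_text, shortname, longname):
    """Return the problems found; an empty list means the policy follows the two-module pattern."""
    root = ET.fromstring(xml_text)
    modules = root.findall("./authentication/login-module")
    problems, seen = [], set()
    if len(modules) != 2:
        problems.append(f"expected 2 login modules, found {len(modules)}")
    for module in modules:
        opts = {o.get("name"): (o.text or "").strip() for o in module.findall("module-option")}
        attr = filter_attribute(opts.get("baseFilter", ""))
        seen.add(attr)
        if module.get("flag") != "sufficient":  # a miss on one attribute must fall through to the other
            problems.append(f"{attr}: flag must be 'sufficient', not '{module.get('flag')}'")
        if filter_attribute(opts.get("roleFilter", "")) != attr:
            problems.append(f"{attr}: roleFilter should use the same attribute as baseFilter")
        if opts.get("allowEmptyPasswords", "").lower() != "false":
            problems.append(f"{attr}: allowEmptyPasswords must be false")
        if not opts.get("rolesCtxDN"):  # JBoss 4.0.5 rejects logins when the roles context is missing
            problems.append(f"{attr}: rolesCtxDN is missing")
    if seen != {shortname, longname}:
        problems.append(f"baseFilter attributes {sorted(seen)} do not match {sorted([shortname, longname])}")
    return problems

def websphere_user_filter(shortname, longname):
    """WebSphere user filter equivalent to step 2, written without whitespace between filter terms."""
    return f"(&(|({shortname}=%v)({longname}=%v))(objectcategory=user))"
```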


Last updated: March 2016

© Copyright IBM Corporation 2017.