Before you begin
The following limitations apply to basic users:
- Basic users work in minimal registry mode only.
- Basic users cannot use global sign-on.
- You cannot set access control lists for individual basic users.
However, basic users can be members of a Security Access Manager group
with access control lists.
- Registry direct Java API does not support basic users.
- Account and password valid settings are set to yes.
You cannot modify them for basic users.
Warning: Basic users are not subject to any Security
Access Manager account and password policies. They always have their account-valid and password-valid values
set to yes. Basic users do not record the last login
or last password change even if [ldap] enable-last-login is
set. You must use the underlying registry equivalents for these capabilities.
About this task
Configure the run time so that basic users can authenticate
to Security Access Manager. Basic users have limitations.
When basic-user-support is enabled, basic
and full users are located by using the basic-user-principal-attribute suffix
in the LDAP native user entry. If the located native user entry has
full Security Access Manager user
metadata then it is treated as a full user. The value of the basic-user-principal-attribute is
used for the user ID even if the Security Access Manager full
user metadata has a different principalName.
Basic
users are managed in the corporate user registry by using LDAP management
tools. These users are not managed through Security Access Manager,
except when you change and reset passwords for basic users.
When searching for basic or full users,
Security Access Manager:
- Uses the configured basic-user-principal-attribute and
the user-search-filter values to locate users in
the registry.
- Searches all suffixes that are defined by basic-user-search-suffix entries
and in the order that they are defined, unless basic-user-suffix-optimizer is
enabled. If no basic-user-search-suffix entries are
specified, all suffixes are searched in an unspecified order.
- If basic-user-suffix-optimizer is enabled, a
hit count is kept for each suffix that is used to search for users.
The suffix search order is based on a dynamic most-used suffix order.
This dynamic search order is not used if basic-user-no-duplicates is
enabled since in that situation, all suffixes must be searched to
ensure that there are no duplicates, thus the order is irrelevant.