Configuring the runtime to authenticate basic users
Basic users are users in the registry that are not imported into Security Access Manager. Edit the ldap.conf file so that basic users can authenticate to Security Access Manager.
Before you begin
- Basic users work in minimal registry mode only.
- Basic users cannot use global sign-on.
- You cannot set access control lists for individual basic users. However, basic users can be members of a Security Access Manager group with access control lists.
- Registry direct Java API does not support basic users.
- Account and password valid settings are set to yes. You cannot modify them for basic users.
About this task
Configure the runtime so that basic users can authenticate to Security Access Manager. Basic users are subject to the limitations listed under Before you begin.
When basic-user-support is enabled, basic and full users are located by using the basic-user-principal-attribute suffix in the LDAP native user entry. If the located native user entry has full Security Access Manager user metadata, it is treated as a full user. The value of the basic-user-principal-attribute is used for the user ID even if the Security Access Manager full user metadata has a different principalName.
Basic users are managed in the corporate user registry by using LDAP management tools. These users are not managed through Security Access Manager, except when you change and reset passwords for basic users. To locate a user, the runtime:
- Uses the configured basic-user-principal-attribute and the user-search-filter values to locate users in the registry.
- Searches all suffixes that are defined by basic-user-search-suffix entries, in the order in which they are defined, unless basic-user-suffix-optimizer is enabled. If no basic-user-search-suffix entries are specified, all suffixes are searched in an unspecified order.
- If basic-user-suffix-optimizer is enabled, keeps a hit count for each suffix that is used to search for users and orders the search dynamically, most-used suffix first. This dynamic search order is not used if basic-user-no-duplicates is enabled, because in that case all suffixes must be searched to ensure that there are no duplicates, so the order is irrelevant.
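The lookup rules above, modelled in Python as an added example that is not code from the product or from this page: the in-memory REGISTRY, the isam_metadata marker standing in for real Security Access Manager user metadata, and the BasicUserLocator class are constructed for illustration, and no LDAP server is contacted.

```python
from collections import Counter

# Constructed sample registry: suffix -> LDAP entries (attribute -> value).
# "isam_metadata" is a constructed stand-in for full Security Access Manager
# user metadata; "carol" deliberately exists under two suffixes.
REGISTRY = {
    "ou=staff,dc=example,dc=com": [
        {"uid": "alice", "isam_metadata": True, "principalName": "alice.full"},
        {"uid": "carol"},
    ],
    "ou=partners,dc=example,dc=com": [
        {"uid": "bob"},
        {"uid": "carol"},
    ],
}

class BasicUserLocator:
    """Models basic-user-search-suffix, basic-user-suffix-optimizer and
    basic-user-no-duplicates as described on this page (hypothetical class)."""

    def __init__(self, search_suffixes, optimizer=False, no_duplicates=False,
                 principal_attribute="uid"):
        self.suffixes = list(search_suffixes)   # configured search order
        self.optimizer = optimizer
        self.no_duplicates = no_duplicates
        self.attr = principal_attribute         # basic-user-principal-attribute
        self.hits = Counter()                   # per-suffix hit count for the optimizer

    def search_order(self):
        # The dynamic most-used order applies only when duplicates are allowed;
        # with no-duplicates every suffix is searched anyway, so order is irrelevant.
        if self.optimizer and not self.no_duplicates:
            return sorted(self.suffixes, key=lambda s: -self.hits[s])  # stable: ties keep config order
        return self.suffixes

    def locate(self, user_id):
        matches = []
        for suffix in self.search_order():
            matches += [(suffix, e) for e in REGISTRY.get(suffix, []) if e.get(self.attr) == user_id]
            if matches and not self.no_duplicates:
                break                           # first suffix with a hit wins
        if not matches:
            return None
        if self.no_duplicates and len(matches) > 1:
            raise ValueError(f"{user_id!r} found in {len(matches)} suffixes")
        suffix, entry = matches[0]
        self.hits[suffix] += 1
        kind = "full" if entry.get("isam_metadata") else "basic"
        # The principal attribute value is the user ID even when principalName differs.
        return {"user_id": entry[self.attr], "type": kind, "suffix": suffix}
```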