Authenticating the user

About this task

Use the following properties to define how the user is authenticated when they attempt to log on to the IBM® BigFix® Remote Control server. To configure the following properties, use the LDAP browser, as described for each parameter, to derive the correct settings.

ldap.digest
Digest algorithm that is used by LDAP. Values are SHA, MD2, or MD5 only. The default is cleartext. If the LDAP server returns a password, IBM BigFix Remote Control uses the digest algorithm to hash the password that the user enters and compares the result with the password that it receives from the LDAP server. If no password is returned from the LDAP server, IBM BigFix Remote Control uses the user name and password that the end user provides to authenticate with LDAP.
ldap.digest=SHA
ldap.userid
ldap.userid is the LDAP attribute that contains the user ID that is mapped to the userid field in the IBM BigFix Remote Control database. The ldap.principalPattern property then needs to know whether the @domainname, the UPN suffix, is added for Active Directory authentication.
sAMAccountName
sAMAccountName must be used so that only the user ID portion of the logon, without the UPN suffix, is used.
userPrincipalName
userPrincipalName must be used to force all logons to use the full User Principal Name.
Note: It is recommended to set ldap.userid to this value to ensure that it does not contain any invalid characters, for example, an apostrophe.

The ldap.userid relates to other configuration values in the ldap.properties file.

For example, if the ldap.userid is set to userPrincipalName, the user must log on to IBM BigFix Remote Control with their full ID. For example, awilson@example.com.

  • The ldap.userSearch variable would be (userPrincipalName={0}).
  • The ldap.principalPattern would be {0}.

If the ldap.userid is set to use sAMAccountName, the user must log on to IBM BigFix Remote Control with just the user ID part of their ID. For example, awilson. The following parameters must be set so that the fully qualified name is appended.

For example

  • The ldap.userSearch variable would be (userPrincipalName={0}@mydomain.mycompany.com)

    For a user awilson@example.com, the ldap.userSearch variable would be (userPrincipalName={0})

  • The ldap.principalPattern would be {0}@mydomain.mycompany.com.

    For a user awilson@example.com, the ldap.principalPattern would be {0}@example.com.
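The {0} substitution that ties ldap.userid, ldap.userSearch and ldap.principalPattern together, as an added Python example that is not part of the product or this documentation. It reads the two configurations shown above from constructed ldap.properties fragments (example.com stands in for your own suffix), checks that the typed logon matches the ldap.userid mode, and escapes the logon value per RFC 4515 before it goes into the search filter, which the page does not mention but which stops characters such as "*" or ")" in a typed name from changing what the filter matches. The properties parser is a minimal one written for this example.

```python
# RFC 4515 escaping for values placed in an LDAP search filter, so that
# filter metacharacters typed as part of a logon name are matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def load_properties(text: str) -> dict:
    """Minimal parser for key=value lines of a Java-style .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def derive_auth_strings(props: dict, login_id: str) -> tuple:
    """Apply the {0} substitution and sanity-check the ldap.userid mode.

    Returns (search_filter, principal). Raises ValueError when the typed ID
    does not fit the mode: sAMAccountName expects no UPN suffix,
    userPrincipalName expects the full UPN.
    """
    mode = props["ldap.userid"]
    has_suffix = "@" in login_id
    if mode == "sAMAccountName" and has_suffix:
        raise ValueError("ldap.userid=sAMAccountName: log on with the user ID only")
    if mode == "userPrincipalName" and not has_suffix:
        raise ValueError("ldap.userid=userPrincipalName: log on with the full UPN")
    search_filter = props["ldap.userSearch"].replace("{0}", escape_filter_value(login_id))
    principal = props["ldap.principalPattern"].replace("{0}", login_id)
    return search_filter, principal


# Constructed ldap.properties fragments mirroring the two configurations above.
UPN_PROPERTIES = """
ldap.userid=userPrincipalName
ldap.userSearch=(userPrincipalName={0})
ldap.principalPattern={0}
"""

SAM_PROPERTIES = """
ldap.userid=sAMAccountName
ldap.userSearch=(userPrincipalName={0}@example.com)
ldap.principalPattern={0}@example.com
"""

if __name__ == "__main__":
    print(derive_auth_strings(load_properties(UPN_PROPERTIES), "awilson@example.com"))
    print(derive_auth_strings(load_properties(SAM_PROPERTIES), "awilson"))
    print(derive_auth_strings(load_properties(SAM_PROPERTIES), "a*)(x"))
```

Both configurations produce the same filter and principal for the same person; what differs is only what the user types. The mode check is the cheap way to catch the mismatch the page warns about, where sAMAccountName is configured but a user logs on with awilson@example.com, which would otherwise yield a doubled suffix in the principal.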

ldap.userPassword
The name of the LDAP attribute in the user's directory entry that contains the user's password. In Active Directory, password is the default name of the attribute.
ldap.userPassword=password
ldap.userEmail
The name of the LDAP attribute in the user's directory entry that contains the user's email address.
Note: The ldap.userEmail property cannot have a null value. If your Active Directory Tree does not contain email information, a different attribute must be used. For example, ldap.userEmail might be set to userPrincipalName.
ldap.userRealm
Realm name that is used for user authentication. This setting is optional and can be commented out, in the ldap.properties file, for most configurations.
ldap.userRealm=users.company.domain.com
ldap.principalPattern
Pattern for construction of the user principal that is used for LDAP authentication. Some LDAP servers require the email address form, for example, userid@domain.com, and others require the user ID only. The string "{0}" is substituted by the user ID that the user enters at the login screen.