HP Intelligent Management Center v5.1 TACACS+ Authentication Manager Administrator Guide
Estimated Authorized Time Range—Set the estimated authorized time range for authorized
time range policies. At 00:00 every day, TAM computes the permitted access period in the
estimated time range for each authorized time range policy, and stores the result in a
temporary table. Then TAM checks the authorization policy used by each authenticating device
user for the authorized time range policy, and searches the table to determine whether or not
the user can log in to the device in the current period. A large value can affect system
performance. HP recommends that you use the default value of 3 days.
LDAP Synchronization Time—Set the time when TAM starts to synchronize the LDAP users every
day. Use 24-hour time. For example, 15 represents 3 p.m.
Log Lifetime—Specify how long TAM keeps the user authentication, authorization, and audit
logs in TAM. TAM automatically deletes the logs that exceed the log lifetime at 00:00 every
day.
LDAP User Move Between Servers—Select Enable from the list to allow the synchronized LDAP
users to move between different LDAP servers. Select Disable from the list to disable the
function. Enable the function if user data must be moved to a new LDAP server due to job
reallocation or similar reasons.
LDAP Pre-Synchronization Time (O'clock)—Select one or multiple time points to execute
pre-synchronization every day. Pre-synchronizing users from the LDAP server to IMC can
improve on-demand synchronization efficiency. HP recommends that you set the time to a time
when the system is relatively idle, for example, 06:00 to 08:00 every day.
Prompt for User Name—Set the message sent to users for entering the username when the
users log in to the device.
Prompt for Password—Set the message sent to users for entering the password when the users
log in to the device.
Account name excluded the last separator and the previous contents—In some cases, the
account name that a device user enters at login has a prefix (such as LDAP domain name). If
you select this option, TAM excludes the last separator and the previous contents and compares
the remainder with the local account name when verifying the account name. For example, if a
user enters the account name hp\test\tom and the separator is \, TAM uses tom for account name verification.
Account name excluded the first separator and the subsequent contents—In some cases, the
account name that a device user enters at login has a suffix (such as TACACS domain name).
If you select this option, TAM excludes the first separator and the subsequent contents and
compares the remainder with the local account name when verifying the account name. For example, if a
user enters the account name user@test@hp and separator @, TAM uses tom for account
name verification. If you enable both this option and the above option, the first option applies
first, and then this option applies.
5. Click OK.
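Because the two account-name options above map several entered names onto one local account, it helps to check which names collapse together before enabling them. The following Python sketch is an added example, not HP or TAM code: it applies the documented rules in the documented order (prefix removal first, then suffix removal) and reports collisions and names that reduce to nothing. The function names, the per-option separator parameters, and all sample names except hp\test\tom are assumptions made for illustration.

```python
# Added illustration; not HP/TAM code. Function and parameter names are hypothetical.
from collections import defaultdict


def strip_prefix(name, sep):
    """Drop the last separator and everything before it."""
    return name.rsplit(sep, 1)[-1] if sep else name


def strip_suffix(name, sep):
    """Drop the first separator and everything after it."""
    return name.split(sep, 1)[0] if sep else name


def normalize(name, prefix_sep=None, suffix_sep=None):
    """Apply the enabled options in the documented order: prefix first, then suffix."""
    if prefix_sep:
        name = strip_prefix(name, prefix_sep)
    if suffix_sep:
        name = strip_suffix(name, suffix_sep)
    return name


def audit(entered_names, prefix_sep=None, suffix_sep=None):
    """Group entered names by the local account they resolve to.

    Returns (collisions, empties): local accounts reached by more than one
    distinct entered name, and entered names that normalize to an empty string.
    """
    groups = defaultdict(set)
    empties = []
    for entered in entered_names:
        local = normalize(entered, prefix_sep, suffix_sep)
        if local:
            groups[local].add(entered)
        else:
            empties.append(entered)
    collisions = {k: sorted(v) for k, v in groups.items() if len(v) > 1}
    return collisions, empties


# Constructed sample input (only hp\test\tom comes from the guide).
SAMPLE = [r"hp\test\tom", r"lab\tom", "tom@test@hp", r"hp\ann@test", "ann", "hp\\"]

if __name__ == "__main__":
    collisions, empties = audit(SAMPLE, prefix_sep="\\", suffix_sep="@")
    for local, names in collisions.items():
        print(f"{local!r} is reached by: {names}")
    print("normalize to empty:", empties)
```

Run against an export of the account names your devices actually send, the collision list shows which domain-qualified identities would authenticate as the same local TAM account.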
Configuring system operation log parameters
TAM system operation log files are stored in the tam\log directory of the IMC installation path. TAM
generates one operation log file yyyymmdd.log every day. The yyyymmdd portion in the file names
represents the date when the log file is created. If an operation log file exceeds 2 GB, TAM creates
another operation log file with a sequence number appended to the name, for example,
yyyymmdd-1.log.
The file yyyymmdd.log records all logs generated during TAM operation.
You can adjust the log level and log lifetime in TAM system operation log parameters.