XYGATE User Authentication Reference Manual

XYGATE® User Authentication (XUA) 1.85 Reference Manual
Chapter 12. Configuring the LDAP Interface
XYPRO Technology Corporation. Proprietary and Confidential
For example, if the string is "++" and the desired LDAP group is LD1, then users
would enter ++LD1++ as a prefix to their password when authenticating.
The corresponding UACONF keyword is LDAP_GROUP_CHARACTERS.
(Item 14):
Indicate whether all users should be authenticated via LDAP.
Valid values are ON (all users), OFF (no users), or OPTIONAL
(all users except when the LDAP server cannot be reached).
Enter value <OFF>?
Decide whether all users who log on to the NonStop server will be authenticated using LDAP.
The answer to this prompt sets the value for the LDAP_AUTHENTICATE keyword in
the UACONF file and determines whether the authentication request is sent to LDAP.
The LDAP_AUTHENTICATE keyword can be present in the UACONF file, the UAACL
file or both. The UACONF value will be enforced globally unless overridden by values
set in individual UAGroups of the UAACL file.
Valid values are ON (all users), OFF (no users) or OPTIONAL (all users except when
the LDAP server cannot be reached).
ON: The users’ passwords and network IDs will be verified by LDAP.
Note: The userid’s status on the NonStop server will be evaluated by Safeguard in
addition to LDAP’s password verification. If, for example, the LDAP server
verifies the network userid and its password, but the userid is expired in
Safeguard’s record, the logon request will be denied. The
frozen status of the NonStop userid may be circumvented by the FROZEN_OK
keyword in either the UACONF or UAACL files.
If the LDAP server cannot verify the network ID and password, either because
the LDAP server is not responding or because network communication is down,
the logon request will be denied.
OFF: If both the UACONF and UAACL files have this keyword set to OFF, users will
only be authenticated by Safeguard, and not LDAP. If the keyword is present in both
files and the values are different, the value in the UAACL takes precedence.
OPTIONAL: If communication with the LDAP server is successful, LDAP-controlled
password verification is invoked as if the value were ON. But if the LDAP server is
unavailable, the authentication (password verification) is diverted to Safeguard instead
of being denied, as it would be with the ON setting.
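The ON, OFF and OPTIONAL behaviour described above can be modelled as a small decision function; this is an added illustration, not XUA code. The function and parameter names are hypothetical, the default of OFF when the keyword is absent is an assumption taken from the prompt's <OFF>, and FROZEN_OK is not modelled.

```python
from enum import Enum
from itertools import product


class Mode(Enum):
    ON = "ON"
    OFF = "OFF"
    OPTIONAL = "OPTIONAL"


def effective_mode(uaconf, uagroup):
    """UACONF applies globally unless the user's UAGroup (UAACL) sets a value.
    Assumption: with neither set, the install prompt's default <OFF> applies."""
    value = uagroup if uagroup is not None else uaconf
    return Mode(value.upper()) if value is not None else Mode.OFF


def logon_decision(mode, ldap_reachable, ldap_pw_ok, sg_pw_ok, sg_status_ok):
    """Return (allowed, verifier): who checked the password, or None.
    sg_status_ok is Safeguard's view of the userid (for example, not expired)."""
    if mode is Mode.OFF:
        verifier, pw_ok = "Safeguard", sg_pw_ok
    elif ldap_reachable:
        verifier, pw_ok = "LDAP", ldap_pw_ok      # ON, or OPTIONAL acting as ON
    elif mode is Mode.OPTIONAL:
        verifier, pw_ok = "Safeguard", sg_pw_ok   # LDAP down: diverted, not denied
    else:
        return False, None                        # ON and LDAP down: denied
    return (pw_ok and sg_status_ok), verifier


def accepting_verifiers(mode):
    """Every password verifier that can approve a logon under this mode,
    found by enumerating all combinations of the four boolean inputs."""
    found = set()
    for inputs in product([True, False], repeat=4):
        allowed, verifier = logon_decision(mode, *inputs)
        if allowed:
            found.add(verifier)
    return found


if __name__ == "__main__":
    # Constructed settings: global ON, with a UAGroup value overriding it.
    for group_value in (None, "OPTIONAL", "OFF"):
        mode = effective_mode("ON", group_value)
        print(group_value, mode.value, sorted(accepting_verifiers(mode)))
```

Under OPTIONAL both LDAP and Safeguard can approve a logon, so the Safeguard password of every user in such a group remains a usable credential whenever the LDAP server is unreachable.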
The setting of OPTIONAL may be beneficial if implemented in the UAACL for a
specific group of users who would require LDAP authentication, yet need access to the