XYGATE User Authentication Reference Manual
XYPRO Technology Corporation 53 Proprietary and Confidential
Chapter 10. Configuring Control Logons via Alternative Authentication Databases
XUA supports Windows or OpenLDAP, RSA SecurID® and RADIUS authentication.
XUA can be configured to divert user authentication on the NonStop server to an
LDAP database. This brings the NonStop server into the single sign-on scheme and
eliminates the need to maintain passwords on the NonStop.
XUA may be configured to require RSA SecurID authentication with or without a
Guardian password.
10.1 Alternative Authentication Databases
The order in which userids are validated by Safeguard depends on whether or not your
system is using LDAP, RSA SecurID or RADIUS.
Configuring the LDAP Interface
The LDAP server validates only the user’s password. The user account status of the
subject NonStop userid is evaluated via Safeguard, then the mapped userid is sent to
the alternative authentication server along with the relevant authentication credentials,
such as a password or PASSCODE. The logon is allowed only if both are valid. For
example, the NonStop userid APPL.OPER1 has the network logon
DAVID-SMITH@NETWORK.LOCAL and is being authenticated via Windows Active
Directory. The APPL.OPER1 userid must be unexpired and thawed, and
DAVID-SMITH’s password in AD must be valid, for the logon to succeed.
Configuring the RSA SecurID Interface
The RSA server validates the user’s identity, then Safeguard evaluates the userid’s
status. So even though the RSA server validates the user’s identity, the userid might
be FROZEN or EXPIRED.
Authentication Stage   RSA SecurID                                   LDAP
Stage 1                RSA Authentication Manager - Authentication   Safeguard – user status
Stage 2                Safeguard – user status                       LDAP – password authentication