Accounts

All clients and servers are collectively known as application subjects. Users, user groups and application subjects are collectively known as security subjects, or just subjects.

Subjects are identified by accounts. For simplicity, all accounts are required to have unique names. An account associates a subject name with other pieces of information such as certificates and keys. All account details are stored in the directory under the /security/accounts path. The accounts section has three subsections: users, processes and groups.

This is an example of the structure of the /security/accounts section of the directory:

<node class="container" name="accounts">
   <node class="container" name="groups">
   ...
   </node>
   <node class="container" name="users">
   ...
   </node>
   <node class="container" name="processes">
   ...
   </node>
</node>

The child nodes of the groups, users and processes container nodes have predefined types. The following table shows the predefined directory object classes related to accounts:

Category                   Class name   Details
Security Accounts Classes  user         This class defines a user account. Object name is the user account name.
                           process      This class defines a process account. Object name is the process account name.
                           group        This class defines a group account. Object name is the group account name.

All the node attributes of these classes are detailed in the following sections.

Search Algorithm

There is no search algorithm used for reading the accounts directory section. All configurations are global for the directory and can be found under the /security/accounts/ absolute path.

Users

All the nodes from the users section must have the user class. The user class has the following class attributes:

Name Type Mandatory Multiple
enabled boolean false false
person string false false
alias string false false
protected boolean false false
password bytearray false false
pwsetdate date false false
pwsettime time false false
groups string false true
mode integer false false
auth-plugin string false false

The purpose of each option of the users section is detailed in the Reference section below.

This is an example of the /security/accounts/users section:

<node class="container" name="accounts">
   <node class="container" name="users">
      <node class="user" name="admin">
         <node-attribute name="person" value="FWD Admin"/>
         <node-attribute name="pwsetdate" value="2006-02-10"/>
         <node-attribute name="pwsettime" value="17:50:42"/>
         <node-attribute name="password" value="risuTew/3jHsdFSuGEj5K/IHu7w="/>
         <node-attribute name="groups" value="admins"/>
         <node-attribute name="mode" value="1"/>
         <node-attribute name="enabled" value="TRUE"/>
         <node-attribute name="protected" value="TRUE"/>
      </node>
      <node class="user" name="janedoe">
         <node-attribute name="person" value="Jane Doe"/>
         <node-attribute name="pwsetdate" value="2007-11-10"/>
         <node-attribute name="pwsettime" value="09:23:04"/>
         <node-attribute name="password" value="45ddgGJgaknfwkhlazjluGJHGfE="/>
         <node-attribute name="groups" value="core_users"/>
         <node-attribute name="groups" value="accounting"/>
         <node-attribute name="enabled" value="TRUE"/>
         <node-attribute name="protected" value="TRUE"/>
      </node>
   </node>
</node>

Processes

Any account included in this section represents an application or server process account. This is a non-interactive account, but it can log in and it can be assigned specific rights as a valid entity in the system.

WARNING: at this time process accounts cannot be assigned to groups.

All the nodes from the processes section must have the process class. These are the class attributes for the process class:

Name Type Mandatory Multiple
appserver string false false
enabled boolean false false
description string false false
server boolean false false
master boolean false false
alias string false false

The purpose of each option of the processes section is detailed in the Reference section below.

This is an example of the /security/accounts/processes section:

<node class="container" name="security">
   <node class="container" name="accounts">
      <node class="container" name="processes">
         <node class="process" name="my_process_acct_name">
            <node-attribute name="enabled" value="TRUE"/>
            <node-attribute name="alias" value="my_process_acct_name"/>
            <node-attribute name="description" value="This is the MyProcess program"/>
            <node-attribute name="server" value="FALSE"/>
            <node-attribute name="master" value="FALSE"/>
         </node>
         <node class="process" name="my_server">
            <node-attribute name="enabled" value="TRUE"/>
            <node-attribute name="alias" value="my_server"/>
            <node-attribute name="description" value="My FWD Server"/>
            <node-attribute name="server" value="TRUE"/>
            <node-attribute name="master" value="TRUE"/>
         </node>
      </node>
   </node>
</node>

Groups

A group account represents a group which has specific rights and to which a list of other subjects belongs. A group is a subject in the security environment, but it is a subject through which many other subjects can have shared rights. In other words, all subjects that belong to a given group will have the same rights as are assigned to this group.

All the nodes from the groups section must have the group class. These are the class attributes for the group class:

Name Type Mandatory Multiple
description string false false
mode integer false false
auth-plugin string false false

The purpose of each option of the groups section is detailed in the Reference section below.

This is an example of the /security/accounts/groups section:

<node class="container" name="security">
   <node class="container" name="accounts">
      <node class="container" name="groups">
         <node class="group" name="admins">
            <node-attribute name="description" value="FWD Administrators"/>
         </node>
         <node class="group" name="accounting">
            <node-attribute name="description" value="Accounting Department"/>
         </node>
      </node>
   </node>
</node>

Reference

The following options may be specified for any node in the users section, having the path /security/accounts/users/<user-name>:

Option ID Data Type Default Value Required Details
enabled boolean true No Use this parameter to enable or disable a user account.
person string n/a No This parameter holds the name of the account owner.
alias string n/a No This parameter specifies the truststore alias of the associated certificate entry. If the secure environment is enabled and there is no certificate with this alias, the account will be disabled.
protected boolean true No This parameter controls whether the account is password protected.
If set to true, password protection is in effect for this account and the password field is expected to be present. If no password is specified, this account will be disabled.
If set to false, this account is not protected. The contents of the password hash field do not matter and no check will be done.
password bytearray n/a No This parameter contains the hashed password. If the account is not protected this parameter can be omitted.
pwsetdate date n/a No This is the date when the password was set. This value may be used for aging.
pwsettime time n/a No This is the time when the password was set. This value may be used for aging.
groups string n/a No This option specifies the groups this user is assigned to. It can be used multiple times to list all groups the user belongs to.
mode integer 0 No This parameter specifies the authorization mode override for this user. The allowed authorization mode values are:
0: no override
1: user ID and password
2: X.509 certificate
3: X.509 certificate and user ID and password
4: custom
If any other value is used for this parameter, “no override” is assumed and the authentication mode specified for the server will be used.
auth-plugin string n/a No This parameter specifies a custom authentication plugin class for the user. This value is used only if a custom authentication mode is set (the value of the mode option is 4).
The available authentication plugins are listed under the /security/config/auth-plugins container node.

The following options may be specified for any /security/accounts/processes/<process-name> node in the processes section:

Option ID Data Type Default Value Required Details
appserver string n/a No Represents the name of an appserver exposed by this FWD server. This process account will be used to authenticate all the appserver Agents.
enabled boolean true No Use this parameter to enable or disable a process account.
description string n/a No This parameter contains a description of the process.
server boolean false No Use this parameter to define the process role as server (true) or application (false or omitted).
master boolean false No If this parameter is set to true for a server, the server is a master server.
alias string n/a No This parameter associates this account with an X.509 certificate and, optionally, a PKCS#8 private key.

The following options may be specified for any /security/accounts/groups/<group-name> node in the groups section:

Option ID Data Type Default Value Required Details
description string n/a No This parameter contains a description for this group.
mode integer 0 No This parameter specifies the authorization mode override for this group. The allowed authorization mode values are:
0: no override
1: user ID and password
2: X.509 certificate
3: X.509 certificate and user ID and password
4: custom
If any other value is used for this parameter, “no override” is assumed.
auth-plugin string n/a No This parameter specifies a custom authentication plugin class for the group. This value is used only if a custom authentication mode is set (the value of the mode option is 4).
The available authentication plugins are listed under the /security/config/auth-plugins container node.

Extensions

The subject account structure is predefined. However, there may be a need to associate some extra piece of information with the subject account, which is application-specific. An application may attach a named instance of a typed variable to an account. The supported types are:

  • integer
  • boolean
  • string
  • bytes

These types correspond to the standard directory object classes. Applications are allowed to set and get the extension data by its name and by subject ID, within the extent of rights granted by the directory resource ACLs.

The directory includes these extended attributes as one or more user account extension objects or as one or more process account extension objects.

Example of a user node with extended attributes:

<node class="container" name="users">
   <node class="user" name="janedoe">
      <node-attribute name="person" value="Jane Doe"/>
      <node-attribute name="pwsetdate" value="2007-11-10"/>
      <node-attribute name="pwsettime" value="09:23:04"/>
      <node-attribute name="password" value="45ddgGJgaknfwkhlazjluGJHGfE="/>
      <node-attribute name="groups" value="core_users"/>
      <node-attribute name="groups" value="accounting"/>
      <node-attribute name="enabled" value="TRUE"/>
      <node-attribute name="protected" value="TRUE"/>
      <node class="string" name="top-dir">
         <node-attribute name="value" value="/home/jane"/>
      </node>
      <node class="string" name="user-code">
         <node-attribute name="value" value="423j"/>
      </node>
      <node class="string" name="printer">
         <node-attribute name="value" value="system"/>
      </node>
      <node class="string" name="file-viewer">
         <node-attribute name="value" value="/usr/bin/view"/>
      </node>
   </node>
</node>

Example of a process node with extended attributes:

<node class="container" name="processes">
   <node class="process" name="my_server">
      <node-attribute name="enabled" value="TRUE"/>
      <node-attribute name="alias" value="my_server"/>
      <node-attribute name="description" value="My FWD Server"/>
      <node-attribute name="server" value="TRUE"/>
      <node-attribute name="master" value="TRUE"/>
      <node class="string" name="printer">
         <node-attribute name="value" value="system"/>
      </node>
      <node class="string" name="file-viewer">
         <node-attribute name="value" value="/usr/bin/view"/>
      </node>
      <node class="string" name="userhelp">
         <node-attribute name="value" value="tools/usrhelp.p"/>
      </node>
   </node>
</node>
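The following script is an added example and not part of the FWD project or this documentation. It reads the node/node-attribute layout shown on this page and applies the rules from the Reference section (enabled and protected default to true, a protected user without a password is disabled, a mode outside 0..4 falls back to "no override", auth-plugin only counts for mode 4, groups may repeat) as well as the unique-name requirement from the Accounts section, and it also reads the typed extension child nodes described in the Extensions section. The sample XML, the user "bob", the process "admin" and the plugin class name are constructed for the example; the conversion applied to "bytes" extensions is an assumption, since the page does not state their encoding.

```python
# Added example (not FWD project code): lint the /security/accounts section of a
# directory XML export against the rules in the Reference section above.
import xml.etree.ElementTree as ET

# Constructed sample trimmed from the layout on this page; user "bob" and process
# "admin" are deliberately misconfigured so the checks have something to report.
SAMPLE_XML = """<node class="container" name="accounts">
  <node class="container" name="groups">
    <node class="group" name="admins"/>
    <node class="group" name="accounting"/>
  </node>
  <node class="container" name="users">
    <node class="user" name="admin">
      <node-attribute name="password" value="risuTew/3jHsdFSuGEj5K/IHu7w="/>
      <node-attribute name="groups" value="admins"/>
      <node-attribute name="mode" value="1"/>
    </node>
    <node class="user" name="janedoe">
      <node-attribute name="password" value="45ddgGJgaknfwkhlazjluGJHGfE="/>
      <node-attribute name="groups" value="core_users"/>
      <node-attribute name="groups" value="accounting"/>
      <node class="integer" name="user-code">
        <node-attribute name="value" value="423"/>
      </node>
    </node>
    <node class="user" name="bob">
      <node-attribute name="mode" value="9"/>
      <node-attribute name="auth-plugin" value="com.example.CustomAuth"/>
    </node>
  </node>
  <node class="container" name="processes">
    <node class="process" name="my_server">
      <node-attribute name="server" value="TRUE"/>
      <node-attribute name="master" value="TRUE"/>
    </node>
    <node class="process" name="admin">
      <node-attribute name="master" value="TRUE"/>
    </node>
  </node>
</node>"""

VALID_MODES = {0, 1, 2, 3, 4}  # 0 no override, 1 password, 2 cert, 3 both, 4 custom
# Extension classes from the page and the conversion applied to their 'value';
# 'bytes' stays as encoded text because the page does not fix its encoding (assumption).
EXT_TYPES = {"string": str, "integer": int, "bytes": str,
             "boolean": lambda v: v.upper() == "TRUE"}

def attrs(node):
    """node-attribute children as {name: [values]}; repeats such as groups are kept."""
    out = {}
    for a in node.findall("node-attribute"):
        out.setdefault(a.get("name"), []).append(a.get("value"))
    return out

def as_bool(values, default):
    return default if not values else values[0].upper() == "TRUE"

def extensions(node):
    """Typed extension child nodes as {name: converted value}."""
    return {c.get("name"): EXT_TYPES[c.get("class")](c.find("node-attribute[@name='value']").get("value"))
            for c in node.findall("node") if c.get("class") in EXT_TYPES}

def effective_user(node, defined_groups):
    """Apply the user defaults and fallbacks; return effective state plus findings."""
    a, problems = attrs(node), []
    enabled = as_bool(a.get("enabled"), True)
    protected = as_bool(a.get("protected"), True)
    if protected and not a.get("password"):  # protected but no hash: disabled
        enabled = False
        problems.append("protected account without a password: disabled")
    raw_mode = a.get("mode", ["0"])[0]
    mode = int(raw_mode) if raw_mode.isdigit() else -1
    if mode not in VALID_MODES:  # any other value means "no override"
        problems.append(f"mode {raw_mode!r} out of range: treated as no override")
        mode = 0
    plugin = a.get("auth-plugin", [None])[0]
    if plugin and mode != 4:  # the plugin is only honoured for mode 4
        problems.append("auth-plugin set but mode is not 4 (custom): ignored")
    groups = a.get("groups", [])
    problems += [f"undefined group {g!r}" for g in groups if g not in defined_groups]
    return {"name": node.get("name"), "enabled": enabled, "protected": protected,
            "mode": mode, "auth_plugin": plugin if mode == 4 else None,
            "groups": groups, "extensions": extensions(node), "problems": problems}

def lint_accounts(xml_text):
    """Return effective users and processes plus a list of problem strings."""
    root = ET.fromstring(xml_text)
    acc = root if root.get("name") == "accounts" else root.find(".//node[@name='accounts']")
    sec = {s.get("name"): s for s in acc.findall("node[@class='container']")}
    groups = [g.get("name") for g in sec["groups"].findall("node[@class='group']")]
    users = [effective_user(u, set(groups)) for u in sec["users"].findall("node[@class='user']")]
    processes, problems = {}, []
    for p in sec["processes"].findall("node[@class='process']"):
        a = attrs(p)
        server, master = as_bool(a.get("server"), False), as_bool(a.get("master"), False)
        if master and not server:  # master only has meaning for a server account
            problems.append(f"process {p.get('name')!r}: master=true but server=false")
        processes[p.get("name")] = {"enabled": as_bool(a.get("enabled"), True),
                                   "server": server, "master": master, "extensions": extensions(p)}
    names = groups + [u["name"] for u in users] + list(processes)  # must be unique
    problems += [f"duplicate account name {n!r}" for n in sorted({n for n in names if names.count(n) > 1})]
    problems += [f"user {u['name']!r}: {m}" for u in users for m in u["problems"]]
    return {"users": {u["name"]: u for u in users}, "processes": processes, "problems": problems}
```

Running `lint_accounts(SAMPLE_XML)["problems"]` on the sample reports six findings: the process "admin" carrying master=true without server=true, the name "admin" used by both a user and a process, janedoe's reference to the undefined group core_users, and bob's missing password, out-of-range mode and ignored auth-plugin. The effective state returned for each user is what the server would work with after the defaults and fallbacks are applied, which is the view an auditor wants when comparing the directory against the intended access policy.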

© 2004-2017 Golden Code Development Corporation. ALL RIGHTS RESERVED.