Accounts
All clients and servers are collectively known as application subjects. Users, user groups and application subjects are collectively known as security subjects, or just subjects.
Subjects are identified by accounts. For simplicity, all accounts are required to have unique names. An account associates a subject name with other pieces of information such as certificates and keys. All account details are stored in the directory under the /security/accounts path. The accounts section has three subsections: users, processes and groups.
This is an example of the structure of the /security/accounts section of the directory:
    <node class="container" name="accounts">
      <node class="container" name="groups">
        ...
      </node>
      <node class="container" name="users">
        ...
      </node>
      <node class="container" name="processes">
        ...
      </node>
    </node>
The child nodes of the groups, users and processes container nodes have predefined types. The following table shows the predefined directory object classes related to accounts:
Category | Class name | Details |
---|---|---|
Security Accounts Classes | user | This class defines a user account. The object name is the user account name. |
Security Accounts Classes | process | This class defines a process account. The object name is the process account name. |
Security Accounts Classes | group | This class defines a group account. The object name is the group account name. |
All the node attributes of these classes are detailed in the following sections.
Search Algorithm
There is no search algorithm used for reading the accounts directory section. All configurations are global for the directory and can be found under the /security/accounts/ absolute path.
Users
All the nodes from the users section must have the user class. The user class has the following class attributes:
Name | Type | Mandatory | Multiple |
---|---|---|---|
enabled | boolean | false | false |
person | string | false | false |
alias | string | false | false |
protected | boolean | false | false |
password | bytearray | false | false |
pwsetdate | date | false | false |
pwsettime | time | false | false |
groups | string | false | true |
mode | integer | false | false |
auth-plugin | string | false | false |
The purpose of each option of the users section is detailed in the Reference section below.
This is an example of the /security/accounts/users section:
    <node class="container" name="accounts">
      <node class="container" name="users">
        <node class="user" name="admin">
          <node-attribute name="person" value="FWD Admin"/>
          <node-attribute name="pwsetdate" value="2006-02-10"/>
          <node-attribute name="pwsettime" value="17:50:42"/>
          <node-attribute name="password" value="risuTew/3jHsdFSuGEj5K/IHu7w="/>
          <node-attribute name="groups" value="admins"/>
          <node-attribute name="mode" value="1"/>
          <node-attribute name="enabled" value="TRUE"/>
          <node-attribute name="protected" value="TRUE"/>
        </node>
        <node class="user" name="janedoe">
          <node-attribute name="person" value="Jane Doe"/>
          <node-attribute name="pwsetdate" value="2007-11-10"/>
          <node-attribute name="pwsettime" value="09:23:04"/>
          <node-attribute name="password" value="45ddgGJgaknfwkhlazjluGJHGfE="/>
          <node-attribute name="groups" value="core_users"/>
          <node-attribute name="groups" value="accounting"/>
          <node-attribute name="enabled" value="TRUE"/>
          <node-attribute name="protected" value="TRUE"/>
        </node>
      </node>
    </node>
Processes
Any account included in this section represents an application or server process account. This is a non-interactive account, but it can log in and it can be assigned specific rights as a valid entity in the system.
WARNING: at this time process accounts cannot be assigned to groups.
All the nodes from the processes section must have the process class. These are the class attributes for the process class:
Name | Type | Mandatory | Multiple |
---|---|---|---|
appserver | string | false | false |
enabled | boolean | false | false |
description | string | false | false |
server | boolean | false | false |
master | boolean | false | false |
alias | string | false | false |
The purpose of each option of the processes section is detailed in the Reference section below.
This is an example of the /security/accounts/processes section:
    <node class="container" name="security">
      <node class="container" name="accounts">
        <node class="container" name="processes">
          <node class="process" name="my_process_acct_name">
            <node-attribute name="enabled" value="TRUE"/>
            <node-attribute name="alias" value="my_process_acct_name"/>
            <node-attribute name="description" value="This is the MyProcess program"/>
            <node-attribute name="server" value="FALSE"/>
            <node-attribute name="master" value="FALSE"/>
          </node>
          <node class="process" name="my_server">
            <node-attribute name="enabled" value="TRUE"/>
            <node-attribute name="alias" value="my_server"/>
            <node-attribute name="description" value="My FWD Server"/>
            <node-attribute name="server" value="TRUE"/>
            <node-attribute name="master" value="TRUE"/>
          </node>
        </node>
      </node>
    </node>
Groups
A group account represents a group which has specific rights and to which a list of other subjects belongs. A group is a subject in the security environment, but it is a subject through which many other subjects can have shared rights. In other words, all subjects that belong to a given group will have the same rights as are assigned to this group.
All the nodes from the groups section must have the group class. These are the class attributes for the group class:
Name | Type | Mandatory | Multiple |
---|---|---|---|
description | string | false | false |
mode | integer | false | false |
auth-plugin | string | false | false |
The purpose of each option of the groups section is detailed in the Reference section below.
This is an example of the /security/accounts/groups section:
    <node class="container" name="security">
      <node class="container" name="accounts">
        <node class="container" name="groups">
          <node class="group" name="admins">
            <node-attribute name="description" value="FWD Administrators"/>
          </node>
          <node class="group" name="accounting">
            <node-attribute name="description" value="Accounting Department"/>
          </node>
        </node>
      </node>
    </node>
Reference
The following options may be specified for any node in the users section, having the path /security/accounts/users/<user-name>:
Option ID | Data Type | Default Value | Required | Details |
---|---|---|---|---|
enabled | boolean | true | No | Use this parameter to enable or disable a user account. |
person | string | n/a | No | This parameter holds the name of the account owner. |
alias | string | n/a | No | This parameter specifies the truststore alias of the associated certificate entry. If the secure environment is enabled and there is no certificate with this alias, the account will be disabled. |
protected | boolean | true | No | This parameter controls whether the account is password protected. If set to true, password protection is in effect for this account and the password field is expected to be present; if no password is specified, the account will be disabled. If set to false, the account is not protected: the contents of the password hash field do not matter and no check is done. |
password | bytearray | n/a | No | This parameter contains the hashed password. If the account is not protected, this parameter may be omitted. |
pwsetdate | date | n/a | No | This is the date when the password was set. This value may be used for aging. |
pwsettime | time | n/a | No | This is the time when the password was set. This value may be used for aging. |
groups | string | n/a | No | This option specifies the groups this user is assigned to. It may be used multiple times to define all groups the user belongs to. |
mode | integer | 0 | No | This parameter specifies the authorization mode override for this user. The allowed authorization mode values are: 0 = no override; 1 = user ID and password; 2 = X.509 certificate; 3 = X.509 certificate and user ID and password; 4 = custom. If any other value is used, "no override" is assumed and the authentication mode specified for the server is used. |
auth-plugin | string | n/a | No | This parameter specifies a custom authentication plugin class for the user. It is used only when a custom authentication mode is set (the value of the mode option is 4). The available authentication plugins are listed under the /security/config/auth-plugins container node. |
The following options may be specified for any /security/accounts/processes/<process-name> node in the processes section:
Option ID | Data Type | Default Value | Required | Details |
---|---|---|---|---|
appserver | string | n/a | No | Represents the name of an appserver exposed by this FWD server. This process account will be used to authenticate all the appserver Agents. |
enabled | boolean | true | No | Use this parameter to enable or disable a process account. |
description | string | n/a | No | This parameter contains a description of the process. |
server | boolean | false | No | Use this parameter to define the process role as server (true) or application (false or omitted). |
master | boolean | false | No | If this parameter is set to true for a server, the server is a master server. |
alias | string | n/a | No | This parameter associates this account with an X.509 certificate and, optionally, a PKCS#8 private key. |
The following options may be specified for any /security/accounts/groups/<group-name> node in the groups section:
Option ID | Data Type | Default Value | Required | Details |
---|---|---|---|---|
description | string | n/a | No | This parameter contains a description for this group. |
mode | integer | 0 | No | This parameter specifies the authorization mode override for this group. The allowed authorization mode values are: 0 = no override; 1 = user ID and password; 2 = X.509 certificate; 3 = X.509 certificate and user ID and password; 4 = custom. If any other value is used, "no override" is assumed. |
auth-plugin | string | n/a | No | This parameter specifies a custom authentication plugin class for the group. It is used only when a custom authentication mode is set (the value of the mode option is 4). The available authentication plugins are listed under the /security/config/auth-plugins container node. |
Extensions
The subject account structure is predefined. However, there may be a need to associate some extra, application-specific piece of information with the subject account. An application may attach a named instance of a typed variable to an account. The supported types are:
- integer
- boolean
- string
- bytes
These types correspond to the standard directory object classes. Applications are allowed to set and get the extension data by its name and by subject ID, within the extent of rights granted by the directory resource ACLs.
The directory stores these extended attributes as one or more user account extension objects or as one or more process account extension objects, each a child node of the account node whose class is the value type and whose value attribute holds the data.
Example of a user node with extended attributes (the top-dir node is closed before the next extension node, so the four extensions are siblings under the user node):
    <node class="container" name="users">
      <node class="user" name="janedoe">
        <node-attribute name="person" value="Jane Doe"/>
        <node-attribute name="pwsetdate" value="2007-11-10"/>
        <node-attribute name="pwsettime" value="09:23:04"/>
        <node-attribute name="password" value="45ddgGJgaknfwkhlazjluGJHGfE="/>
        <node-attribute name="groups" value="core_users"/>
        <node-attribute name="groups" value="accounting"/>
        <node-attribute name="enabled" value="TRUE"/>
        <node-attribute name="protected" value="TRUE"/>
        <node class="string" name="top-dir">
          <node-attribute name="value" value="/home/jane"/>
        </node>
        <node class="string" name="user-code">
          <node-attribute name="value" value="423j"/>
        </node>
        <node class="string" name="printer">
          <node-attribute name="value" value="system"/>
        </node>
        <node class="string" name="file-viewer">
          <node-attribute name="value" value="/usr/bin/view"/>
        </node>
      </node>
    </node>
Example of a process node with extended attributes:
    <node class="container" name="processes">
      <node class="process" name="my_server">
        <node-attribute name="enabled" value="TRUE"/>
        <node-attribute name="alias" value="my_server"/>
        <node-attribute name="description" value="My FWD Server"/>
        <node-attribute name="server" value="TRUE"/>
        <node-attribute name="master" value="TRUE"/>
        <node class="string" name="printer">
          <node-attribute name="value" value="system"/>
        </node>
        <node class="string" name="file-viewer">
          <node-attribute name="value" value="/usr/bin/view"/>
        </node>
        <node class="string" name="userhelp">
          <node-attribute name="value" value="tools/usrhelp.p"/>
        </node>
      </node>
    </node>
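As an added example (not FWD's own code, which is Java, and not taken from this page), the following Python script parses an accounts section in the directory format shown above and applies the rules stated in the Reference tables and in the Processes and Extensions sections before a directory is deployed: a protected user without a password hash will be disabled, a mode outside 0..4 counts as "no override", auth-plugin only matters when mode is 4, users may only reference groups that exist under /security/accounts/groups, process accounts cannot be assigned to groups, and extension child nodes are decoded to their declared type. The sample XML, its account names, the password placeholder and the plugin class name are constructed for this example; the finding messages are this script's own wording, not FWD's.

```python
import base64
import xml.etree.ElementTree as ET

VALID_MODES = range(5)  # 0 no override, 1 uid/pw, 2 cert, 3 cert+uid/pw, 4 custom
EXT_CLASSES = {"integer", "boolean", "string", "bytes"}

# Constructed sample of /security/accounts: account names, password placeholder
# and plugin class are made up for this example, not taken from a real directory.
SAMPLE_XML = """\
<node class="container" name="accounts">
  <node class="container" name="groups">
    <node class="group" name="admins">
      <node-attribute name="description" value="FWD Administrators"/>
    </node>
  </node>
  <node class="container" name="users">
    <node class="user" name="admin">
      <node-attribute name="password" value="PLACEHOLDER_HASH="/>
      <node-attribute name="groups" value="admins"/>
      <node-attribute name="mode" value="1"/>
      <node-attribute name="protected" value="TRUE"/>
      <node class="string" name="top-dir">
        <node-attribute name="value" value="/home/admin"/>
      </node>
      <node class="integer" name="user-code">
        <node-attribute name="value" value="423"/>
      </node>
    </node>
    <node class="user" name="janedoe">
      <node-attribute name="groups" value="accounting"/>
      <node-attribute name="mode" value="9"/>
      <node-attribute name="auth-plugin" value="com.example.CustomAuth"/>
      <node-attribute name="protected" value="TRUE"/>
    </node>
  </node>
  <node class="container" name="processes">
    <node class="process" name="my_server">
      <node-attribute name="server" value="TRUE"/>
      <node-attribute name="groups" value="admins"/>
    </node>
  </node>
</node>
"""

def attrs(node):
    """node-attribute children as name -> list of values (groups may repeat)."""
    out = {}
    for a in node.findall("node-attribute"):
        out.setdefault(a.get("name"), []).append(a.get("value"))
    return out

def as_bool(values, default):
    return default if not values else values[0].strip().lower() == "true"

def effective_mode(values):
    """Mode as the server applies it: anything outside 0..4 means 0 (no override)."""
    try:
        mode = int(values[0]) if values else 0
    except ValueError:
        return 0
    return mode if mode in VALID_MODES else 0

def extensions(account):
    """Decode the typed extension child nodes of an account to Python values."""
    decode = {"integer": int, "boolean": lambda v: v.strip().lower() == "true",
              "bytes": base64.b64decode, "string": str}
    return {c.get("name"): decode[c.get("class")](attrs(c).get("value", [""])[0])
            for c in account.findall("node") if c.get("class") in EXT_CLASSES}

def account_extensions(xml_text, section, name):
    root = ET.fromstring(xml_text)
    for acct in root.findall(f"node[@name='{section}']/node[@name='{name}']"):
        return extensions(acct)
    return {}

def lint(xml_text):
    """Return (account, problem) pairs for rule violations in the accounts section."""
    root = ET.fromstring(xml_text)
    def members(section, cls):
        for n in root.findall(f"node[@name='{section}']/node"):
            yield n.get("name"), n.get("class") == cls, attrs(n)
    known_groups = {name for name, _, _ in members("groups", "group")}
    findings = []
    for name, ok, a in members("users", "user"):
        if not ok:
            findings.append((name, "node under users must have class user"))
        if as_bool(a.get("protected"), True) and not a.get("password"):
            findings.append((name, "protected account without password: will be disabled"))
        for g in a.get("groups", []):
            if g not in known_groups:
                findings.append((name, f"references unknown group {g}"))
        if a.get("mode") and str(effective_mode(a["mode"])) != a["mode"][0].strip():
            findings.append((name, f"mode {a['mode'][0]} invalid: treated as 0 (no override)"))
        if a.get("auth-plugin") and effective_mode(a.get("mode")) != 4:
            findings.append((name, "auth-plugin ignored unless mode is 4 (custom)"))
    for name, ok, a in members("processes", "process"):
        if not ok:
            findings.append((name, "node under processes must have class process"))
        if a.get("groups"):  # the Processes section says this is not supported
            findings.append((name, "process accounts cannot be assigned to groups"))
    return findings
```

Running `lint(SAMPLE_XML)` reports four problems for janedoe (no password hash while protected, an unknown group, an out-of-range mode and an auth-plugin that is ignored because the effective mode is not 4) and one for my_server (a groups attribute on a process account), while `account_extensions(SAMPLE_XML, "users", "admin")` returns the two extension values with the integer already converted. The script only reads the hashed password attribute for presence; it never decodes or compares it.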
© 2004-2017 Golden Code Development Corporation. ALL RIGHTS RESERVED.