User authentication and authorization with Device Manager - Storage Navigator
An authentication server enables users to log in to Device Manager - Storage Navigator with the same password as the password they use for other applications. In addition, an authentication server can be configured to work with an authorization server so that user groups registered in the authorization server can be assigned to Device Manager - Storage Navigator users.
Setting up authentication and authorization with HDvM - SN or maintenance utility
The following figures show the Device Manager - Storage Navigator login workflow without and with an authentication server. The authentication server must be configured for each user.
The following figure shows the login workflow when an authentication server and an authorization server are used in combination. In this case, the user groups that are registered in the authorization server can be assigned to Device Manager - Storage Navigator users.
If you register the information of the authentication server as an SRV record in the DNS server, you can use the authentication server without knowing the host names and port numbers. If you register multiple numbers of authentication servers to the SRV record, you can determine the authentication server to be used based on the priority that has been set in advance.
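The SRV-based server selection described above, as an added example that is not part of this page or of the product: constructed SRV records for a hypothetical `_ldap._tcp.example.com` zone are ordered the way an RFC 2782 client orders them (lowest priority value first, weighted random order among records that share a priority), and the first two become the primary and secondary authentication server. Whether the SVP applies exactly this ordering is not stated on the page; the example shows the standard DNS behaviour that the priority field refers to.

```python
"""Pick authentication servers from DNS SRV records by priority (RFC 2782 ordering).
Added example with constructed records; no live DNS query is made."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower value is tried first
    weight: int    # share of traffic among records with the same priority
    port: int
    target: str    # host name of the authentication server


# Constructed answer for a hypothetical _ldap._tcp.example.com lookup.
SAMPLE_SRV = [
    SrvRecord(priority=20, weight=0, port=636, target="ldap-backup.example.com"),
    SrvRecord(priority=10, weight=60, port=636, target="ldap1.example.com"),
    SrvRecord(priority=10, weight=40, port=636, target="ldap2.example.com"),
]


def order_by_priority(records, rng=None):
    """Return records in the order a client should try them: ascending priority,
    and weighted random order within each priority (weight-0 records last)."""
    rng = rng or random.Random()
    ordered = []
    groups = {}
    for rec in records:
        groups.setdefault(rec.priority, []).append(rec)
    for priority in sorted(groups):
        group = list(groups[priority])
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = group[0]  # all weights zero: keep the given order
            else:
                threshold = rng.randint(1, total)
                running = 0
                for pick in group:
                    running += pick.weight
                    if running >= threshold:
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def primary_and_secondary(records, rng=None):
    """The storage system accepts one primary and one secondary server; return host:port for each."""
    ordered = order_by_priority(records, rng)
    if not ordered:
        raise LookupError("no SRV records to choose from")
    pair = [f"{r.target}:{r.port}" for r in ordered[:2]]
    return pair[0], (pair[1] if len(pair) > 1 else None)
```

Records with the same priority are a load-sharing group, so the primary server chosen from such a group can differ between lookups; the lower-priority backup is only reached once both members of the group have been tried.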
External authentication by the SVP functions for all storage systems registered in the Storage Device List. You cannot switch between use of external authentication by the SVP and use of external authentication by the maintenance utility for each storage system registered in the Storage Device List. As shown in the following table, how to set external authentication differs depending on the configuration and the type of the authentication server.
| Condition | Authentication server | Setting of external authentication by the maintenance utility | Setting of external authentication by the SVP |
|---|---|---|---|
| Management model in which the SVP is used | LDAP | Not available* | Available |
| Management model in which the SVP is used | Kerberos | Not available | Available |
| Management model in which the SVP is used | RADIUS | Not available | Available |
| Management model in which the SVP is not used | LDAP | Available | Not available |
| Management model in which the SVP is not used | Kerberos | Not available | Not available |
| Management model in which the SVP is not used | RADIUS | Not available | Not available |

* When you use the management model in which the SVP is used, do not use the maintenance utility for external authentication settings.
- To use an authentication server and authorization server, you need to configure network settings and connection settings to the authentication server and authorization server. For details about network settings, contact the network administrator. For details about the setting values for the connection, contact the administrator of the authentication server and authorization server.
- If you change your storage system management from the management model in which the SVP is not used to the management model in which the SVP is used, disable external authentication by the maintenance utility, and then register the storage system in the Storage Device List of the SVP. For details, see Disabling external authentication by the maintenance utility.
- If you change your storage system management from the management model in which the SVP is used to the management model in which the SVP is not used, delete the storage system from the Storage Device List of the SVP, and then set external authentication by the maintenance utility. For details about how to set external authentication by using the maintenance utility, see Setting up LDAP.
- If the affiliated user group registered in the authorization server and the user group registered locally in the storage system are different, the user group in the storage system has higher priority.
- You cannot create a load balancer between the SVP and the authentication server and between the SVP and the authorization server.
- If you use Device Manager - Storage Navigator or the maintenance utility to create user accounts, you can choose external authentication as the authentication method, but the assignment (authorization) settings of user groups in HDvM – SN (or the maintenance utility) are applied. The assignment (authorization) settings of user groups on the authorization server are not applied.
If you do not use Device Manager - Storage Navigator or the maintenance utility to create user accounts, assign (authorize) user groups on the authorization server. In this case, the user group names defined on the authorization server must be the same as the user group names defined on the storage system. For details about the built-in group names, see Built-in user groups.
External authentication requirements using authentication server
Authentication servers support the following protocols:
- LDAPv3 simple bind authentication (Note that Bind DN is used for authentication.)
- RFC 2865-compliant RADIUS with PAP and CHAP authentication
- Kerberos v5
The following root certificate file formats to be set on Device Manager - Storage Navigator are available for LDAP server settings:
- X509 DER format
- X509 PEM format

Note: The root certificate to be set on Device Manager - Storage Navigator must satisfy the following requirements:
- The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
- BasicConstraints
- KeyUsage
- SubjectKeyIdentifier
- Authority Key Identifier
- Certificate Policies
- Subject Alternative Name
- Name Constraints
- Policy Constraints
- Extended Key Usage
- Inhibit anyPolicy
The certificate to be set on the connected server must satisfy the following requirements:
- The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
- BasicConstraints
- KeyUsage
- SubjectKeyIdentifier
- Authority Key Identifier
- Certificate Policies
- Subject Alternative Name
- Name Constraints
- Policy Constraints
- Extended Key Usage
- Inhibit anyPolicy
- If you set an IP address as the host name of the server for a configuration file (created in Connecting authentication and authorization servers), make sure to also set the IP address for subjectAltName or Common Name of a certificate (for a secure communication) that is created along with the configuration file.
However, when using DNS Lookup, make sure to enter the host name of the server in subjectAltName or CommonName.
If the certificate contains both subjectAltName and CommonName, the IP address or the host name that you set for subjectAltName applies.
- If no DNS server is used, the IP address of the authentication server must be specified for the common name of the certificate.
- Check the number of tiers of the certificate chain to be used. The maximum number supported is 5 tiers. Make sure to use a certificate in the certificate chain with no more than 5 tiers.
One of the following encryption types must be used for the Kerberos server:
Windows
- AES128-CTS-HMAC-SHA1-96
- RC4-HMAC
- DES3-CBC-SHA1
- DES-CBC-CRC
- DES-CBC-MD5
Solaris or Linux
- DES-CBC-MD5
- Two authentication servers (one primary and one secondary) can be connected to a storage system. When using the secondary server, configure the settings considering the following:
- For the secondary server, use the same configuration settings as the primary server, except for the IP address, host name, and port number.
- The same certificate must be used for the primary server and the secondary server.
- If you search for a server using information registered in the SRV records in the DNS server, confirm that the following conditions are satisfied. For RADIUS servers, you cannot use the SRV records.
LDAP server conditions:
- The environmental setting for the DNS server is completed at the LDAP server.
- The host name, the port number, and the domain name of the LDAP server are registered in the DNS server.
Kerberos server conditions:
- The host name, the port number, and the domain name of the Kerberos server are registered in the DNS server.
- Because UDP/IP is used to access the RADIUS server, encrypted communications, including negotiation between processes, are not used. To access the RADIUS server in a secure environment, encryption at the packet level, such as IPsec, is required.
External authorization requirements using authorization server
The authorization server must satisfy the following requirements to work together with the authentication server:
Prerequisite OS
- Windows Server 2008*
- Windows Server 2008 R2*
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
* Microsoft support for this operating system has expired. Use an operating system for which Microsoft continues to provide support.
Prerequisite software
- Active Directory
Authentication protocol for the user used for searching
- LDAP v3 simple bind (Note that Bind DN is used for authentication.)
TLS security settings
- The TLS security settings made in Setting up SSL encryption using Device Manager - Storage Navigator must be supported.
Root certificate file format for Device Manager - Storage Navigator
- X509 DER format
- X509 PEM format
Requirements for root certificate format for Device Manager - Storage Navigator
- If the public key of the certificate to be uploaded is RSA, the key length must not be less than the key length that is set for Minimum Key Length (Key Exchange) in the TLS Security Settings dialog box.
- If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
- ECDSA_P256 (secp256r1)
- ECDSA_P384 (secp384r1)
- ECDSA_P521 (secp521r1)
- The signature hash algorithm of the certificate must be SHA-256, SHA-384, or SHA-512.
- The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
- BasicConstraints
- KeyUsage
- SubjectKeyIdentifier
- Authority Key Identifier
- Certificate Policies
- Subject Alternative Name
- Name Constraints
- Policy Constraints
- Extended Key Usage
- Inhibit anyPolicy
Requirements for certificate for the connected server
- If the public key of the certificate is RSA, the key length must be 2048 bits or more.
- If the public key of the certificate to be uploaded is ECDSA, the public key parameter must be any of the following:
- ECDSA_P256 (secp256r1)
- ECDSA_P384 (secp384r1)
- ECDSA_P521 (secp521r1)
- The signature hash algorithm of the certificate must be SHA-256, SHA-384, or SHA-512.
- The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
- BasicConstraints
- KeyUsage
- SubjectKeyIdentifier
- Authority Key Identifier
- Certificate Policies
- Subject Alternative Name
- Name Constraints
- Policy Constraints
- Extended Key Usage
- Inhibit anyPolicy
- When setting a host name for Primary Host Name or Secondary Host Name in the Setup Server window, enter the host name of the server in subjectAltName or CommonName of the server certificate.
- When setting an IP address for Primary Host Name or Secondary Host Name in the Setup Server window, enter the IP address of the server in subjectAltName or CommonName of the server certificate.
- If you set an IP address as the host name of the server for a configuration file (created in Connecting authentication and authorization servers), make sure to also set the IP address for subjectAltName or CommonName of the certificate (for secure communication) that is created along with the configuration file.
- When using DNS Lookup to connect to an external authentication server, enter the host name of the server in subjectAltName or CommonName of the server certificate. If the certificate contains both subjectAltName and CommonName, the IP address or the host name that you set for subjectAltName applies.
- When you perform a certificate revocation check by using CRL, set the URI of the CRL repository for cRLDistributionPoint (CRL distribution point) of the intermediate certificate and server certificate set on the connected server. The CRL repository must be on the network that can be accessed by the SVP so that the SVP can communicate with the CRL repository. If the SVP cannot communicate with the CRL repository, communication with the authorization server fails.
- When you perform a certificate revocation check by using OCSP, correctly set the URI of the OCSP responder for authorityInfoAccess (Authority Information Access) of the intermediate certificate and server certificate set on the connected server. The OCSP responder must be on the network that can be accessed by the SVP so that the SVP can communicate with the OCSP responder. If the SVP cannot communicate with the OCSP responder, communication with the authorization server fails.
- If no DNS server is used, the IP address of the authorization server must be specified for the common name of the certificate.
- Check the number of tiers of the certificate chain to be used. The maximum number supported is 5 tiers. Make sure to use a certificate in a certificate chain with no more than 5 tiers.
- Acquire the root certificate for the authentication server from the authentication server administrator.
- Certificates have an expiration date. If the certificate expires, you will not be able to connect to the authentication server. Take the expiration date into account when you prepare the certificate.
- For more information about certificate management, consult the authentication server administrator and manage the certificates appropriately.
When a RADIUS server is used as an authentication server, two authentication servers (one primary and one secondary) can be specified, but only one authorization server can be specified.
If you use Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 as an authorization server, the SSL communications cannot be established by using DHE in the default settings. When you use any of these servers as the authorization server, configure the SSL communication settings by using Device Manager - Storage Navigator to disable the cipher suites that use DHE for key exchange.
Setting up LDAP
Use the following procedure to set up LDAP for external authentication by using the maintenance utility.
You cannot specify the following IPv6 addresses as the address of the LDAP server:
- Invalid value: [::]
- Loopback address: [::1]
- Multicast address: [FF00:: - FDFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF]
- IPv4-mapped IPv6 address: [::FFFF:(IPv4)]
- Link-local address: [FE80::]
- Global unicast address: [2001::]
- Global unicast address: [2002::]
Before you begin
- The LDAP directory server must be connected to the management LAN.
Procedure
1. Log in to the maintenance utility.
2. Select the menu item for setting up the server. The Set Up Server (LDAP) window appears. Enter the value for each item. For details about each item, see the Help of the maintenance utility.
3. Confirm the settings, and then click Check for Server Configuration Test.
   Note: When External User Group Mapping is disabled, even if the server configuration test is successful, user accounts cannot access the storage system unless they are registered in the storage system. To allow user accounts that are not registered in the storage system to access the storage system, enable External User Group Mapping. For details about how to set external user group mapping, see External User Group Mapping in the Help of the maintenance utility. For details about how to test the server configuration, see Server Configuration Test in the Help of the maintenance utility.
4. Confirm the test result, and then click Apply.
If the management port of controller 1 and the management port of controller 2 are connected to different network segments, you might not be able to reach the external authentication server or DNS server. If you are using this network configuration, log in to the maintenance utility from controller 2, and then perform step 2 and step 4.
Connecting two authentication servers
Two authentication servers can be connected to a storage system. When the servers are connected, the server configurations must be the same, except for the IP address and the port.
If you search for a server using information registered in the SRV records in the DNS server, confirm that the following conditions are satisfied:
LDAP server conditions:
- The environmental setting for the DNS server is completed at the LDAP server.
- The host name, the port number, and the domain name of the LDAP server are registered in the DNS server.
Kerberos server conditions:
- The host name, the port number, and the domain name of the Kerberos server are registered in the DNS server.
Because UDP/IP is used to access the RADIUS server, no encrypted communications are available, including negotiation between processes. To access the RADIUS server in a secure environment, encryption at the packet level, such as IPsec, is required.
Connecting authentication and authorization servers
Before you begin
- Contact your server administrator for information about the values to be written in the LDAP, RADIUS, or Kerberos configuration file. If you use LDAP servers, obtain the certificate files for the LDAP server.
- Contact your network administrator for information about the network settings.
Procedure
1. Create a configuration file. The items to specify depend on the protocol you use.
2. Log in to the SVP and store the following files in an easily accessible location:
   - Certificate (for secure communication)
   - Configuration file
3. Open the Windows command prompt on the SVP.
4. Move the current directory to the folder containing the SVP configuration tool (for example, C:\MAPP\wk\Supervisor\MappIniSet), and then execute the following command, specifying the configuration file path and the certificate file path:
   MappSetExAuthConf "C:\auth\auth.properties" "C:\auth\auth.cer"
   Tip: The certificate file that you specify here is also used for the secondary server.
5. When the confirmation message appears, press y to delete the files. If you do not delete these files now when prompted, delete them manually.
   Note: If the authentication server and the authorization server are unusable even after you make the settings, the network or the configuration file settings might have a problem. Contact the server administrator or the network administrator.
Disabling external authentication by the maintenance utility
Use the following procedure to disable external authentication by using the maintenance utility.
Procedure
1. Log in to the maintenance utility.
2. Click Administration > External Authentication > Set Up Server > Disable.
3. When the confirmation window appears, click Apply.
4. When the completion message appears, click Close.
Naming a user group in Device Manager - Storage Navigator
When you create a user group in Device Manager - Storage Navigator, you name the group with the user's memberOf attribute value, which is found in Active Directory.
Device Manager - Storage Navigator supports Active Directory nested groups.
After entering the user group name, verify that the user group name that you entered is registered in the authorization server.
Creating configuration files
Authentication servers and authorization servers must be configured using configuration files.
Creating an LDAP configuration file
You can use an LDAP server for authentication on your storage system.
To use an LDAP server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension is allowed.

```properties
auth.server.type=ldap
auth.server.name=<server_name>
auth.group.mapping=<value>
auth.ldap.<server_name>.<attribute>=<value>
```

A full example is shown here:

```properties
auth.server.type=ldap
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.ldap.PrimaryServer.protocol=ldaps
auth.ldap.PrimaryServer.host=ldaphost.domain.local
auth.ldap.PrimaryServer.port=636
auth.ldap.PrimaryServer.timeout=3
auth.ldap.PrimaryServer.attr=sAMAccountName
auth.ldap.PrimaryServer.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.ldap.PrimaryServer.searchpw=password
auth.ldap.PrimaryServer.basedn=CN=Users,DC=domain,DC=local
auth.ldap.PrimaryServer.retry.interval=1
auth.ldap.PrimaryServer.retry.times=3
auth.ldap.PrimaryServer.domain.name=EXAMPLE.COM
```
The LDAP attributes are defined in the following table.
| Attribute | Description | Required / Optional | Default value |
|---|---|---|---|
| auth.server.type | Type of authentication server. Specify ldap. | Required | None |
| auth.server.name | Name of the authentication server (referred to as <server_name>). When registering a primary and a secondary server, use a comma to separate the names. The name of the server, including the primary name, secondary name, and the comma (1 byte), must be 64 bytes or less. The name can use all ASCII characters except for the following: \ / : , ; * ? " < > \| $ % & ' ~ | Required | None |
| auth.group.mapping | Whether to work together with an authorization server: … | Optional | false |
| auth.ldap.<server_name>.protocol | LDAP protocol to use. Specify … Do not specify … | Required | None |
| auth.ldap.<server_name>.host | Host name, IPv4 address, or IPv6 address of the LDAP server. An IPv6 address must be enclosed in square brackets. You cannot specify the following IP addresses as an IPv6 address: … To use StartTLS as the protocol, specify a host name. If this value is specified, … | Optional¹ | None |
| auth.ldap.<server_name>.port | Port number of the LDAP server. Must be between 1 and 65,535.² | Optional | 389 |
| auth.ldap.<server_name>.timeout | Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30.² | Required | 10 |
| auth.ldap.<server_name>.attr | Attribute name that identifies a user (such as a user ID). sAMAccountName is used for Active Directory. | Required | None |
| auth.ldap.<server_name>.searchdn | DN of the user for searching. If omitted, … | Optional | None |
| auth.ldap.<server_name>.searchpw | Password of the user for searching. Specify the same password that is registered in the LDAP server. | Required | None |
| auth.ldap.<server_name>.basedn | BaseDN for searching for users to authenticate.³ | Required | None |
| auth.ldap.<server_name>.retry.interval | Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5.² | Optional | 1 |
| auth.ldap.<server_name>.retry.times | Number of retries when the connection to the LDAP server fails. Must be between 0 and 3. Zero means no retry.² | Optional | 3 |
| auth.ldap.<server_name>.domain.name | Domain name that the LDAP server manages. | Required | None |
| auth.ldap.<server_name>.dns_lookup | Whether to search for the LDAP server with the information registered in the SRV records in the DNS server. Specify … Do not specify … | Optional | false |
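The following is an added example, not a tool that ships with Device Manager - Storage Navigator or the maintenance utility: an offline check of an LDAP configuration file in the format above before it is passed to MappSetExAuthConf. It parses the key=value lines and verifies the rules the attribute table states: the required attributes, the numeric ranges, the 64-byte and forbidden-character rules for auth.server.name, the host-name requirement for StartTLS, and the IPv6 addresses the page lists as unusable. The sample file is constructed from the page's full example. Two points are assumptions rather than statements from this page: that host may be omitted only when dns_lookup is true (note 1 of the table is not reproduced here), and the /16 prefix length used for the 2001:: and 2002:: entries. The allowed protocol values are not checked because the page does not list them. Because the file carries searchpw in clear text, run a check like this on the SVP and delete the file afterwards as the procedure above directs.

```python
"""Offline checks for an LDAP configuration file in the key=value format shown above.
Added example; not a tool shipped with Device Manager - Storage Navigator."""
import ipaddress

# Constructed sample, modelled on the full LDAP example on this page.
SAMPLE_CONFIG = """\
auth.server.type=ldap
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.ldap.PrimaryServer.protocol=ldaps
auth.ldap.PrimaryServer.host=ldaphost.domain.local
auth.ldap.PrimaryServer.port=636
auth.ldap.PrimaryServer.timeout=3
auth.ldap.PrimaryServer.attr=sAMAccountName
auth.ldap.PrimaryServer.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.ldap.PrimaryServer.searchpw=password
auth.ldap.PrimaryServer.basedn=CN=Users,DC=domain,DC=local
auth.ldap.PrimaryServer.retry.interval=1
auth.ldap.PrimaryServer.retry.times=3
auth.ldap.PrimaryServer.domain.name=EXAMPLE.COM
"""

# Rules taken from the LDAP attribute table above.
REQUIRED_ATTRS = ("protocol", "timeout", "attr", "searchpw", "basedn", "domain.name")
NUMERIC_RANGES = {"port": (1, 65535), "timeout": (1, 30), "retry.interval": (1, 5), "retry.times": (0, 3)}
FORBIDDEN_NAME_CHARS = set('\\/:,;*?"<>|$%&\'~')
# The page lists [2001::] and [2002::] as unusable without a prefix length; /16 is an assumption.
ASSUMED_FORBIDDEN_PREFIXES = (ipaddress.ip_network("2001::/16"), ipaddress.ip_network("2002::/16"))


def parse_properties(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        props[key.strip()] = value.strip()
    return props


def ipv6_problem(host):
    """Return why a bracketed IPv6 host cannot be used, or None if it is acceptable."""
    if not (host.startswith("[") and host.endswith("]")):
        return None  # host name or IPv4 address: the IPv6 list does not apply
    try:
        addr = ipaddress.IPv6Address(host[1:-1])
    except ValueError:
        return "malformed IPv6 address"
    checks = ((addr.is_unspecified, "invalid value [::]"),
              (addr.is_loopback, "loopback address"),
              (addr.is_multicast, "multicast address"),
              (addr.ipv4_mapped is not None, "IPv4-mapped IPv6 address"),
              (addr.is_link_local, "link-local address"),
              (any(addr in net for net in ASSUMED_FORBIDDEN_PREFIXES),
               "global unicast prefix the page lists as unusable"))
    return next((reason for hit, reason in checks if hit), None)


def validate_ldap_config(text):
    """Return a list of problems; an empty list means the file passes these checks."""
    props = parse_properties(text)
    problems = []
    if props.get("auth.server.type") != "ldap":
        problems.append("auth.server.type must be ldap")
    names = props.get("auth.server.name", "")
    if not names:
        problems.append("auth.server.name is required")
    elif len(names.encode("utf-8")) > 64:
        problems.append("auth.server.name exceeds 64 bytes including the comma")
    for name in [n for n in names.split(",") if n]:
        bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
        if bad:
            problems.append(f"server name {name!r} contains forbidden characters {bad}")
        prefix = f"auth.ldap.{name}."
        for attr in REQUIRED_ATTRS:
            if not props.get(prefix + attr):
                problems.append(f"{prefix}{attr} is required")
        for attr, (lo, hi) in NUMERIC_RANGES.items():
            value = props.get(prefix + attr)
            if value is not None and not (value.isdigit() and lo <= int(value) <= hi):
                problems.append(f"{prefix}{attr}={value} must be an integer between {lo} and {hi}")
        host = props.get(prefix + "host")
        dns_lookup = props.get(prefix + "dns_lookup", "false").lower() == "true"
        if host is None:
            if not dns_lookup:  # assumption: host may be omitted only when SRV lookup is used
                problems.append(f"{prefix}host is required unless {prefix}dns_lookup=true")
        else:
            reason = ipv6_problem(host)
            if reason:
                problems.append(f"{prefix}host={host}: {reason}")
            is_ip = host.startswith("[") or host.replace(".", "").isdigit()
            if props.get(prefix + "protocol", "").lower() == "starttls" and is_ip:
                problems.append(f"{prefix}host must be a host name when StartTLS is used")
    return problems
```

Calling validate_ldap_config on the sample returns an empty list; pointing the host at [::1] or setting timeout=45 yields one problem per violated rule, which is the kind of mistake the Check for Server Configuration Test step would otherwise surface only after the file has been loaded onto the SVP.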
Creating a RADIUS configuration file
You can use a RADIUS server for authentication on your storage system.
To use a RADIUS server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension is allowed. If an authorization server is not used, you do not need to define the items for it.
```properties
auth.server.type=radius
auth.server.name=server-name
auth.group.mapping=value
auth.radius.server-name.attribute=value
auth.group.domain-name.attribute=value
```
A full example is shown below:
```properties
auth.server.type=radius
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.radius.PrimaryServer.protocol=PAP
auth.radius.PrimaryServer.host=example.com
auth.radius.PrimaryServer.port=1812
auth.radius.PrimaryServer.timeout=3
auth.radius.PrimaryServer.secret=secretword
auth.radius.PrimaryServer.retry.times=3
auth.radius.PrimaryServer.domain.name=radius.example.com
auth.group.radius.example.com.protocol=ldaps
auth.group.radius.example.com.host=xxx.xxx.xxx.xxx
auth.group.radius.example.com.port=636
auth.group.radius.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.radius.example.com.searchpw=password
auth.group.radius.example.com.basedn=CN=Users,DC=domain,DC=local
```
The attributes are defined in the following tables.
| Attribute | Description | Required / Optional | Default value |
|---|---|---|---|
| auth.server.type | Type of authentication server. Specify radius. | Required | None |
| auth.server.name | Name of the server (referred to as <server_name>). When registering a primary and a secondary server, use a comma to separate the names. The name of the server, including the primary name, secondary name, and the comma (1 byte), must be 64 bytes or less. The names can use all ASCII characters except for the following: \ / : , ; * ? " < > \| $ % & ' ~ | Required | None |
| auth.group.mapping | Whether to work together with an authorization server: … | Optional | false |
| auth.radius.server-name.protocol | RADIUS protocol to use. Specify PAP or CHAP. | Required | None |
| auth.radius.server-name.host | Host name, IPv4 address, or IPv6 address of the RADIUS server. An IPv6 address must be enclosed in square brackets. You cannot specify the following IP addresses as an IPv6 address: … | Required¹ | None |
| auth.radius.server-name.port | Port number of the RADIUS server. Must be between 1 and 65,535. | Optional² | 1,812 |
| auth.radius.server-name.timeout | Number of seconds before the connection to the RADIUS server times out. Must be between 1 and 30. | Optional² | 10 |
| auth.radius.server-name.secret | RADIUS shared secret used for PAP or CHAP authentication. | Required | None |
| auth.radius.server-name.retry.times | Number of retries when the connection to the RADIUS server fails. Must be between 0 and 3. 0 means no retry. | Optional² | 3 |
| auth.radius.server-name.attr.NASIdentifier | Identifier the RADIUS server uses to find the SVP. Specify this value if the … | Optional | None |
| auth.radius.server-name.attr.NAS-IPv4-Address | IPv4 address of the SVP. Specify this value if the … | Optional | None |
| auth.radius.server-name.attr.NAS-IPv6-Address | IPv6 address of the SVP. Specify the value of the … | Optional | None |
| Attribute | Description | Required / Optional | Default value |
|---|---|---|---|
| auth.radius.server-name.domain.name | Domain name that the LDAP server manages (referred to as domain-name). | Required | None |
| auth.radius.server-name.dns_lookup | Whether to search for the LDAP server with the information registered in the SRV records in the DNS server. Specify … Do not specify … | Optional | false |
| auth.group.domain-name.protocol | LDAP protocol to use. Specify … Do not specify … | Required | None |
| auth.group.domain-name.host | Host name, IPv4 address, or IPv6 address of the LDAP server. An IPv6 address must be enclosed in square brackets ([ ]). You cannot specify the following IP addresses as an IPv6 address: … | Optional¹ | None |
| auth.group.domain-name.port | Port number of the LDAP server. Must be between 1 and 65535. | Optional² | 389 |
| auth.group.domain-name.searchdn | DN of the user for searching. | Required³ | None |
| auth.group.domain-name.searchpw | Password of the user for searching. Specify the same password that is registered in the LDAP server. | Required | None |
| auth.group.domain-name.basedn | Base DN for searching for users to authenticate. Specify the DN of the hierarchy that includes all the users to search for, because the targeted users are in a lower hierarchy than the specified DN. | Optional³ | |
| auth.group.domain-name.timeout | Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30. | Optional² | 10 |
| auth.group.domain-name.retry.interval | Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5. | Optional | 1 |
| auth.group.domain-name.retry.times | Number of retries when the connection to the LDAP server fails. Must be between 0 and 3. 0 means no retry. | Optional² | 3 |
Creating a Kerberos configuration file
You can use a Kerberos server for authentication on your storage system.
To use a Kerberos server for authentication, create a configuration file in UTF-8 encoding without a BOM, and then save it. Include information about the authentication server as shown in the following example. Any file name and extension are allowed. If an authorization server is not used, you do not need to define the items for it.

```properties
auth.server.type=kerberos
auth.group.mapping=<value>
auth.kerberos.<attribute>=<value>
auth.group.<realm name>.<attribute>=<value>
```
A full example is shown below:
```properties
auth.server.type=kerberos
auth.group.mapping=true
auth.kerberos.default_realm=example.com
auth.kerberos.dns_lookup_kdc=true
auth.kerberos.clockskew=300
auth.kerberos.timeout=10
auth.group.example.com.protocol=ldaps
auth.group.example.com.port=636
auth.group.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.example.com.searchpw=password
auth.group.example.com.basedn=CN=Users,DC=domain,DC=local
```
The Kerberos attributes are defined in the following table.
| Attribute | Description | Required / Optional | Default value |
|---|---|---|---|
| auth.server.type | Type of authentication server. Specify kerberos. | Required | None |
| auth.group.mapping | Whether to work together with an authorization server: … | Optional | false |
| auth.kerberos.default_realm | Default realm name. | Required | None |
| auth.kerberos.dns_lookup_kdc | Whether to use the information registered in the SRV records in the DNS server when searching for the Kerberos server. Specify … Do not specify … | Optional | false |
| auth.kerberos.clockskew | Acceptable difference in time between the SVP and the Kerberos server. Must be between 0 and 300 seconds. | Optional¹ | 300 |
| auth.kerberos.timeout | Number of seconds before the connection to the Kerberos server times out. Must be between 1 and 30. When 0 is specified, the connection does not time out until a communication error occurs. | Optional¹ | 10 |
| auth.kerberos.realm_name | Realm identifier name (referred to as <realm_name>). Any name that distinguishes the information of the Kerberos server in each realm. Duplicate names cannot be used. If you register multiple names, use a comma to separate them. | Optional² | None |
| auth.kerberos.<realm_name>.realm | Realm name set on the Kerberos server. | Optional² | None |
| auth.kerberos.<realm_name>.kdc | Host name or IPv4 address and port number of the Kerberos server, in the format <Host name or IP address>[:Port number]. | Optional² | None |
| Attribute | Description | Required / Optional | Default value |
|---|---|---|---|
| auth.group.<realm_name>.protocol | LDAP protocol to use. Specify … Do not specify … | Required | None |
| auth.group.<realm_name>.port | Port number of the LDAP server. Must be between 1 and 65535. | Optional¹ | 389 |
| auth.group.<realm_name>.searchdn | DN of the user for searching. | Required² | None |
| auth.group.<realm_name>.searchpw | Password of the user for searching. Specify the same password that is registered in the LDAP server. | Required | None |
| auth.group.<realm_name>.basedn | BaseDN where the search for users begins. Specify the DN of the hierarchy that includes all the users to search for, because the targeted users are in a lower hierarchy than the specified DN. | Optional² | |
| auth.group.<realm_name>.timeout | Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30 seconds. When 0 is specified, the connection does not time out until a communication error occurs. | Optional¹ | 10 |
| auth.group.<realm_name>.retry.interval | Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5. | Optional¹ | 1 |
| auth.group.<realm_name>.retry.times | Number of retries when the connection to the LDAP server fails. Must be between 0 and 3. 0 means no retry. | Optional¹ | 3 |