PureMessage for UNIX: Configuring Multiple Authenticators

  • Article ID: 58217
  • Updated: 07 Jun 2012

The PureMessage multiple end user authentication packages allow you to configure the End User Web Interface (EUWI) to use more than one authentication handler. For example, you can use multiple LDAP or Active Directory servers, or a mixture in which some users authenticate via email session, others via flat file, and so on.

Note: These instructions assume that you have already installed both the EUWI and the PureMessage Manager and that you are running the latest version of PureMessage.

1. Installing the Multi-Authentication Packages

To install the multi authenticator for the EUWI, along with a PureMessage Manager module that is used to configure the multi authenticator, run the following commands as the "pmx" user:

ppm install PureMessageX-Enduser-Auth-Multi
ppm install PureMessageX-Manager-Enduser-Multi

2. Configuring Authentication Methods

Although authentication for the EUWI is usually configured via the End User Authentication page of the Quarantine tab in the PureMessage Manager, you must configure multiple authentication methods at the command line.

The configuration files necessary to set up multiple authentication methods differ depending on which methods you plan to use. If your methods include a session ID that is emailed to the user, or a password stored in a plain text file, you must include a section for each method in /opt/pmx/etc/enduser/auth.conf. LDAP authentication is configured in a separate file, and is described in "LDAP" below.

The sections in auth.conf should look similar to the following:

Session ID is emailed to user

<Authenticator email_session>
    <config>
        # This is only required if there is no enduser_url defined in enduser.conf
        # destination=http://localhost:28080/eu/index.cgi
        session_expire = 1w
        template = enduser/email-session.tmpl
    </config>
    description = SessionID is emailed to user
    module = PureMessage::Enduser::Auth::Authenticator::Email
</Authenticator>

Password database is kept in plain text file

<Authenticator flat_file>
    <config>
        file = enduser/enduser_ui_user_passwords
        crypt = none
    </config>
    description = Password database is kept in a plain text file
    module = PureMessage::Enduser::Auth::Authenticator::FlatFile
</Authenticator>

LDAP

Any LDAP servers used for authentication are specified in a separate file (/opt/pmx/etc/enduser/auth.d/ldap.conf). You must configure a separate LDAP section for each LDAP server, and the sections must have unique names (ldap, ldap2, etc). Each section should look similar to the following:

<Authenticator ldap2>
    <config>
        dn_discovery = 1
        attribute_mail = mail
        debug = 0
        <ldap_server>
            ldap://localhost:389
        </ldap_server>
        base_dn = dc=example,dc=com
        attribute_mail_index = 0
        filter = (uid=%%username%%)
    </config>
    description = LDAP based authentication
    module = PureMessage::Enduser::Auth::Authenticator::LDAP
</Authenticator>

For more about configuring individual LDAP options, see the ldap.conf man page.

3. Defining Multiple Authenticators

Configure your multiple authentication sources by editing the /opt/etc/enduser/auth_multi.conf file and specifying your authentication handlers. Specify each authenticator on its own line as shown in the example below. The system will attempt to authenticate users against each handler in the order specified until it is successful, or until it runs out of handlers.

<authenticators>
    ldap
    flat_file
    ldap2
    email_session
</authenticators>
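
Because handlers are tried in listed order and the sections live in separate files, a name in auth_multi.conf with no matching <Authenticator> section is easy to miss. The following is an added example, not Sophos code: a small consistency check written for the file formats shown in this article. The function names are hypothetical and the sample input is constructed.

```python
import re

# Constructed sample input modelled on the sections shown in this article.
AUTH_CONF = """
<Authenticator email_session>
    module = PureMessage::Enduser::Auth::Authenticator::Email
</Authenticator>
<Authenticator flat_file>
    <config>
        file = enduser/enduser_ui_user_passwords
        crypt = none
    </config>
    module = PureMessage::Enduser::Auth::Authenticator::FlatFile
</Authenticator>
"""
LDAP_CONF = "<Authenticator ldap2>\n    module = PureMessage::Enduser::Auth::Authenticator::LDAP\n</Authenticator>\n"
MULTI_CONF = "<authenticators>\n    ldap\n    flat_file\n    ldap2\n</authenticators>\n"

SECTION = re.compile(r"<Authenticator\s+([^>\s]+)>(.*?)</Authenticator>", re.S)

def sections(text):
    """Return [(name, {key: value})] for each <Authenticator name> block."""
    out = []
    for name, body in SECTION.findall(text):
        kv = [l.split("=", 1) for l in map(str.strip, body.splitlines())
              if "=" in l and not l.startswith(("#", "<"))]
        out.append((name, {k.strip(): v.strip() for k, v in kv}))
    return out

def handler_order(text):
    """Return handler names in the order listed inside <authenticators>."""
    m = re.search(r"<authenticators>(.*?)</authenticators>", text, re.S)
    return m.group(1).split() if m else []

def lint(conf_texts, multi_text):
    """Cross-check section definitions against the multi-authenticator order."""
    found = [s for t in conf_texts for s in sections(t)]
    names = [n for n, _ in found]
    order = handler_order(multi_text)
    issues = [f"duplicate section name: {n}" for n in sorted(set(names)) if names.count(n) > 1]
    issues += [f"handler not defined: {h}" for h in order if h not in names]
    issues += [f"defined but never tried: {n}" for n in names if n not in order]
    issues += [f"plain-text passwords (crypt = none): {n}" for n, cfg in found
               if cfg.get("crypt") == "none" and n in order]
    return issues

if __name__ == "__main__":
    print("\n".join(lint([AUTH_CONF, LDAP_CONF], MULTI_CONF)))
```

To check a real installation, pass the contents of auth.conf, auth.d/ldap.conf and auth_multi.conf to lint() in place of the sample strings.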

4. Configuring the End User Web Interface and PureMessage Manager

Once the multi authenticator is configured, you must also configure the EUWI to use multi authentication. To do this, edit the /opt/etc/enduser/enduser.conf file and locate the "auth=" option (which is likely near the end of the file). Change this line to "auth=multi".

Then run the following commands:

pmx-profile sync-to-db --resource=enduser_config --force
pmx-profile sync-to-db --resource=enduser_ui_config --force
pmx-manager restart
pmx-httpd restart

Now, if you view the End User Authentication tab of the PureMessage Manager, the selected option is "Multi-Authentication is managed by command line configuration". On the sidebar, click Multi Authenticator to view authentication settings in their order of precedence.

Logging

All errors and warning messages are written to the /opt/var/log/manager/httpd_error.log file. All items related to the multi authenticator are prefixed with the phrase "EU-MULTI-AUTH".

If you need more information or guidance, then please contact technical support.
