Authentication options

Built-in authentication

Using built-in authentication, you create users, set passwords, assign users to groups and manage groups using the CLC Server web administrative interface or a CLC Workbench. All the user information is stored on the CLC Server and is not accessible from other systems.

LDAP directory

Using the LDAP directory option, information needed during authentication and group memberships is retrieved from the specified LDAP directory (figure 4.3).

Figure 4.3: LDAP settings panel

Configuration option information

Encryption The default is Plain text, with options available for encryption using Start TLS ("Forced Start TLS") or LDAP over SSL ("ldaps://").

Admin group name Provide the name of the admin group. This setting is case sensitive.

Groups DN Provide the relative path for an OU in the domain to act as the root used by the CLC Server. The groups available for selection when setting permissions are limited to those in or below that OU.

Using OU=bioinformatics, OU=researchers as an example, the list of groups available when setting permissions would be limited to those contained in the OU bioinformatics, which is in the OU researchers, which is in the root of the domain. If the Groups DN field is left empty, all groups in the AD will be available for selection when setting group level permissions.

See Controlling group access to CLC Server data and Controlling access to the server, server tasks and external data for further information about restricting access based on group membership.

DN to use for lookups This allows you to choose which bind should be used for read and search operations. If no Bind DN has been entered, an unauthenticated bind is used for the initial lookup (finding the user's DN from the username), and all other read and search operations are performed with the user's own bind. If the Bind DN and Bind password have been filled in, you can choose between the 'Bind DN' and the 'User DN' for read and search operations; in this case the 'Bind DN' is always used for the initial lookup.
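The two settings above (Groups DN and DN to use for lookups) can be modelled in a few lines. The following Python is an added example, not code from the CLC Server product: it scopes a list of group DNs to the OU subtree the Groups DN names, and reports which bind performs the initial username lookup and the later read/search operations. The sample directory entries are constructed, and the rule that a Bind DN without a password is rejected is an assumption beyond what the manual states.

```python
"""Added example (not CLC Server code): a model of how the Groups DN setting
scopes the groups offered when setting permissions, and which bind the
'DN to use for lookups' setting selects. Names and behaviour beyond what the
manual states are assumptions."""
import re
from dataclasses import dataclass


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: lower-case attribute types and values,
    drop whitespace around ',' and '='. Directory DN matching is case-insensitive,
    so 'OU=Researchers' and 'ou=researchers' name the same container.
    Simplified handling: escaped commas inside values are kept together, other
    RFC 4514 escapes are not interpreted."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def group_in_scope(group_dn: str, groups_dn: str, base_dn: str) -> bool:
    """True if group_dn is in or below the OU named by groups_dn, which is
    relative to base_dn (the root of the domain). An empty Groups DN means the
    whole directory is in scope, as the manual describes."""
    root = normalize_dn(f"{groups_dn},{base_dn}" if groups_dn.strip() else base_dn)
    g = normalize_dn(group_dn)
    return g == root or g.endswith("," + root)


def scoped_groups(candidate_dns, groups_dn: str, base_dn: str):
    """Filter a directory's group DNs down to those a permissions dialog may offer."""
    return [dn for dn in candidate_dns if group_in_scope(dn, groups_dn, base_dn)]


@dataclass(frozen=True)
class LookupPlan:
    initial_lookup: str   # bind used to resolve the username to the user's DN
    read_search: str      # bind used for all later read and search operations


def lookup_plan(bind_dn: str, bind_password: str, use_user_dn: bool) -> LookupPlan:
    """Which identity performs each LDAP step, following the manual's rules.
    'anonymous' = unauthenticated bind, 'bind-dn' = the configured Bind DN,
    'user' = the authenticating user's own credentials."""
    if not bind_dn:
        # No Bind DN: anonymous initial lookup, then everything as the user.
        return LookupPlan(initial_lookup="anonymous", read_search="user")
    if not bind_password:
        # Assumption: a Bind DN without its password cannot bind; fail closed.
        raise ValueError("Bind DN configured without a Bind password")
    # Bind DN present: it always does the initial lookup; the administrator
    # chooses whether later reads run as the user or as the Bind DN.
    return LookupPlan(initial_lookup="bind-dn",
                      read_search="user" if use_user_dn else "bind-dn")


# Constructed sample directory for a stand-alone run.
BASE_DN = "DC=example,DC=org"
SAMPLE_GROUPS = [
    "CN=rnaseq,OU=bioinformatics,OU=researchers,DC=example,DC=org",
    "CN=variant-calling,OU=pipelines,OU=bioinformatics,OU=researchers,DC=example,DC=org",
    "cn=Mixed Case, ou=Bioinformatics, ou=Researchers, dc=Example, dc=Org",
    "CN=lab-heads,OU=researchers,DC=example,DC=org",
    "CN=bioinformatics,OU=it,DC=example,DC=org",
]

if __name__ == "__main__":
    for dn in scoped_groups(SAMPLE_GROUPS, "OU=bioinformatics, OU=researchers", BASE_DN):
        print("offered:", dn)
    print(lookup_plan("", "", False))
    print(lookup_plan("CN=clc-reader,OU=service,DC=example,DC=org", "s3cret", True))
```

Note that the last sample entry, a group called "bioinformatics" inside OU=it, is not offered: the Groups DN scopes by position in the tree, not by name, so a similarly named group elsewhere in the domain cannot be granted permissions by mistake.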

User object class and Group object class Intended for use where the standard posixAccount and posixGroup classes are not appropriate.

Kerberos/GSSAPI Authentication Enable the LDAP integration to use Kerberos/GSSAPI.

Certificates

If your LDAP server uses a certificate that is not generally trusted by the system the CLC Server software is running on, it must be added to the truststore of the CLC Server installation (CLC_SERVER_BASE/jre/lib/security/cacerts, where CLC_SERVER_BASE is the server installation's root location). This can be done with the keytool shipped with Java installations (also available at CLC_SERVER_BASE/jre/bin/keytool), with a command like:
	CLC_SERVER_BASE/jre/bin/keytool -import -alias \
	ldap_certificate -file LDAP_CERTIFICATE.cer -keystore \
	CLC_SERVER_BASE/jre/lib/security/cacerts -storepass changeit
Replace LDAP_CERTIFICATE.cer with the path to the certificate your LDAP server uses for Start TLS/LDAPS connections, and CLC_SERVER_BASE with the path to the server's installation location.

For setups with nodes, the following changes are also needed:

Caution: If you update the server installation or reinstall the server, all imported certificates will be removed and will have to be imported again. Be aware also that certificates have an expiration date and will not be trusted after that date; make sure to add a new certificate in advance of the expiration date.
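The keytool step and the expiry caution above lend themselves to a small administrative check. The following Python is an added example, not code from the CLC Server product: it builds the import command the manual shows as an argv list, and scans the output of keytool -list -v for trusted entries that are already expired or within a warning window. It assumes that keytool prints "Alias name:" and "Valid from: ... until: ..." lines with dates in Java's Date.toString() form; the sample listing and the installation path /opt/clcserver are constructed.

```python
"""Added example (not CLC Server code): build the keytool import command
shown in the manual and scan 'keytool -list -v' output for trusted
certificates that are about to expire, which is the condition the Caution
warns about. Assumed: keytool prints 'Alias name:' and
'Valid from: ... until: ...' lines with dates in Java's Date.toString() form."""
import re
import subprocess
from datetime import datetime, timedelta, timezone
from pathlib import Path


def import_command(clc_server_base, cert_file, alias="ldap_certificate",
                   storepass="changeit"):
    """The manual's keytool invocation as an argv list (no shell quoting issues)."""
    base = Path(clc_server_base)
    return [
        str(base / "jre" / "bin" / "keytool"), "-import",
        "-alias", alias,
        "-file", str(cert_file),
        "-keystore", str(base / "jre" / "lib" / "security" / "cacerts"),
        "-storepass", storepass,
    ]


def list_command(clc_server_base, storepass="changeit"):
    """keytool -list -v against the same truststore."""
    base = Path(clc_server_base)
    return [str(base / "jre" / "bin" / "keytool"), "-list", "-v",
            "-keystore", str(base / "jre" / "lib" / "security" / "cacerts"),
            "-storepass", storepass]


_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
_ALIAS = re.compile(r"^Alias name:\s*(.+?)\s*$", re.M)
# e.g. "until: Wed Jan 14 10:00:00 UTC 2026" (Java Date.toString(), assumed)
_UNTIL = re.compile(r"until:\s*[A-Za-z]{3} ([A-Za-z]{3}) (\d{1,2}) "
                    r"(\d{2}):(\d{2}):(\d{2}) \S+ (\d{4})")


def parse_expiry(listing: str) -> dict:
    """Map each alias in 'keytool -list -v' output to its notAfter instant.
    The zone token is ignored and the time read as UTC; that is at most a day
    off, which does not matter for a multi-week warning threshold."""
    result = {}
    for block in re.split(r"\n(?=Alias name:)", listing):
        alias, until = _ALIAS.search(block), _UNTIL.search(block)
        if alias and until:
            mon, day, hh, mm, ss, year = until.groups()
            result[alias.group(1)] = datetime(int(year), _MONTHS[mon], int(day),
                                               int(hh), int(mm), int(ss),
                                               tzinfo=timezone.utc)
    return result


def expiring_aliases(listing: str, now: datetime, warn_days: int = 30) -> list:
    """Aliases already expired or expiring within warn_days of now, sorted."""
    deadline = now + timedelta(days=warn_days)
    return sorted(a for a, until in parse_expiry(listing).items() if until <= deadline)


def check_truststore(clc_server_base, warn_days=30, storepass="changeit"):
    """Run keytool against a real installation (needs the bundled JRE at that path)."""
    out = subprocess.run(list_command(clc_server_base, storepass),
                         capture_output=True, text=True, check=True).stdout
    return expiring_aliases(out, datetime.now(timezone.utc), warn_days)


# Constructed sample of 'keytool -list -v' output, trimmed to the relevant lines.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: ldap_certificate
Creation date: Jan 15, 2024
Entry type: trustedCertEntry

Owner: CN=ldap.example.org, O=Example Org
Issuer: CN=Example Internal CA, O=Example Org
Valid from: Mon Jan 15 10:00:00 UTC 2024 until: Wed Jan 14 10:00:00 UTC 2026

*******************************************

Alias name: example-root-ca
Creation date: Jan 15, 2024
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Org
Issuer: CN=Example Root CA, O=Example Org
Valid from: Mon Jan 15 10:00:00 UTC 2024 until: Sat Dec 31 23:59:59 UTC 2033
"""


def demo(year, month, day, warn_days=30):
    """Evaluate the constructed listing as if today were the given UTC date."""
    return expiring_aliases(SAMPLE_LISTING, datetime(year, month, day, tzinfo=timezone.utc),
                            warn_days)


if __name__ == "__main__":
    print(" ".join(import_command("/opt/clcserver", "ldap.cer")))
    print("expiring within 30 days of 2025-12-20:", demo(2025, 12, 20))
```

Because the truststore is wiped on upgrade or reinstall, running check_truststore after every server update is also a cheap way to confirm that the LDAP certificate was re-imported before users are locked out.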

Active Directory

Using the Active Directory option, information needed during authentication and group memberships is retrieved from the specified Active Directory. Encryption options (Start TLS and LDAP over SSL) are available (figure 4.4).

Figure 4.4: Active Directory settings panel

Hostname We recommend entering a Global Catalog in the hostname field. This avoids the CLC Server being redirected to several different Domain Controllers to obtain information about users and groups, and can thereby speed up the response time considerably in complex network environments. When a Global Catalog is specified, the port number must be configured to either

Please see the notes in the LDAP section for other recommendations and configuration details.