Secure Global Desktop Administration Guide > Users and authentication > The LDAP login authority

The LDAP login authority

Overview

The LDAP login authority allows users to log in to Secure Global Desktop if they have an entry in an LDAP directory.

This login authority is disabled by default.

Logging in

The user types either a common name (for example "Indigo Jones"), a username (for example "indigo") or an email address (for example "indigo@indigo-insurance.com").

Authentication

  1. This login authority searches the LDAP directory for a person object with a cn (common name) attribute that matches what the user typed. If there's no match, the search is repeated on the uid (username) attribute, and finally on the mail (email address) attribute.
  2. If a person object is not found, the next login authority is tried.
  3. If a person object is found, the password typed by the user is checked against the LDAP person object.
  4. If the authentication fails, the next login authority is tried.
  5. If the authentication succeeds, the login authority searches ENS for an object to use as the login profile (see below). If the May Log In To Secure Global Desktop attribute for the login profile is cleared, the user may not log in and no further login authorities are tried.

User identity

The identity is the LDAP person object and has the form .../_service/sco/tta/ldapcache/LDAP-person.

Login profile

The first match of the following is used:

  1. A person object in ENS with the same name as the LDAP person object, allowing for differences in the naming system. For example, if the LDAP object cn=Indigo Jones,ou=Administration,o=Indigo Insurance is found, this login authority would search ENS for o=Indigo Insurance/ou=Administration/cn=Indigo Jones.
  2. A person object in ENS, with the name cn=LDAP Profile, in the same OU as the LDAP person object. For example, o=Indigo Insurance/ou=Administration/cn=LDAP Profile.
  3. A person object in ENS, with the name cn=LDAP Profile, in any parent OU for the LDAP person object. For example, o=Indigo Insurance/cn=LDAP Profile.
  4. The default LDAP profile object o=Tarantella System Objects/cn=LDAP Profile.
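The attribute search order from the Authentication steps and the four-step login profile lookup above, modelled as an added example (this is illustrative code, not part of Secure Global Desktop). The directory entries are constructed sample data; the DN splitting treats a backslash-escaped comma as part of an RDN, which is an assumption about the naming rules rather than something this page states.

```python
import re

# Constructed sample entries standing in for the LDAP directory (not real data).
DIRECTORY = [
    {"dn": "cn=Indigo Jones,ou=Administration,o=Indigo Insurance",
     "cn": "Indigo Jones", "uid": "indigo", "mail": "indigo@indigo-insurance.com"},
    {"dn": "cn=Ivy Smith,o=Indigo Insurance",
     "cn": "Ivy Smith", "uid": "ivy", "mail": "ivy@indigo-insurance.com"},
]

SEARCH_ORDER = ("cn", "uid", "mail")   # attributes tried, in this order
DEFAULT_PROFILE = "o=Tarantella System Objects/cn=LDAP Profile"

def split_dn(dn):
    """Split a DN into RDNs (leaf first); an escaped comma '\\,' does not split (assumption)."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn)]

def ldap_dn_to_ens(dn):
    """LDAP DNs run leaf-first with ','; ENS names run root-first with '/'."""
    return "/".join(reversed(split_dn(dn)))

def find_person(directory, typed):
    """Return the DN whose cn, then uid, then mail equals what the user typed.
    Exact match is used here; real LDAP matching rules depend on the attribute syntax."""
    for attr in SEARCH_ORDER:
        for entry in directory:
            if entry.get(attr) == typed:
                return entry["dn"]
    return None

def login_profile_candidates(dn):
    """ENS objects checked in order for the login profile (steps 1 to 4 above)."""
    rdns = split_dn(dn)
    parents = rdns[1:]                      # containers, leaf-first
    cands = [ldap_dn_to_ens(dn)]            # 1. ENS person object with the same name
    for i in range(len(parents)):           # 2. same OU, then 3. each parent OU in turn
        container = "/".join(reversed(parents[i:]))
        cands.append(container + "/cn=LDAP Profile")
    cands.append(DEFAULT_PROFILE)           # 4. default LDAP profile object
    return cands

def resolve_login(directory, typed):
    """None means no person object was found and the next login authority is tried."""
    dn = find_person(directory, typed)
    if dn is None:
        return None
    return dn, login_profile_candidates(dn)
```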

Emulator sessions and password cache entries

Emulator sessions and password cache entries belong to the LDAP person object.
