Secure Global Desktop 4.40 Administration Guide > Users and Authentication > UNIX System Authentication
UNIX system authentication allows users to log in to SGD if they have UNIX or Linux system accounts on the SGD host.
UNIX system authentication is enabled by default.
UNIX system authentication supports the following methods for authenticating users against a UNIX or Linux system user database and determining the user profile:
The search methods are described in the following sections.
At the SGD login screen, the user types either a common name (for example Indigo Jones), a user name (for example indigo), or an email address (for example indigo@indigo-insurance.com), and a password.
SGD searches the local repository for a user profile with a Name attribute that matches what the user typed. If there is no match, the search is repeated on the Login Name attribute, and finally on the Email Address attribute. If no user profile is found, the next authentication mechanism is tried.
If a user profile is found, the Login Name attribute of that object is treated as a UNIX or Linux system user name. This user name, and the password typed by the user, are checked against the UNIX or Linux system user database. If the authentication fails, the next authentication mechanism is tried.
If the authentication succeeds and the Login attribute for the user profile is not enabled, the user is not logged in and no further authentication mechanisms are tried. If the authentication succeeds and the Login attribute for the user profile is enabled, the user is logged in.
This search method is enabled by default.
The matching user profile in the local repository is used for the user identity and user profile.
In the SGD Administration Console, the user identity is displayed as user-profile (Local).
On the command line, the user identity is displayed as .../_ens/user-profile.
Application sessions and password cache entries belong to the user profile.
SGD checks the user name and password typed by the user at the login screen against the UNIX or Linux system user database.
If the authentication fails, the next authentication mechanism is tried.
If the authentication succeeds, SGD searches for the user profile (see the following section). If the Login attribute of the user profile is not enabled, the user cannot log in and no further authentication mechanisms are tried. If the Login attribute of the user profile is enabled, the user is logged in.
This search method is enabled by default.
The user identity is the UNIX or Linux system user name.
In the SGD Administration Console, the user identity is displayed as UNIX-username (UNIX).
On the command line, the user identity is displayed as .../_user/UNIX-username.
SGD searches the local repository for a user profile cn=gid, where gid is the UNIX group ID of the authenticated user. If found, this is used as the user profile.
If the user belongs to more than one group, the user's primary or effective group is used. If no user profile is found in the local repository, the profile object System Objects/UNIX User Profile is used for the user profile.
Application sessions and password cache entries belong to the UNIX user.
SGD checks the user name and password typed by the user at the login screen against the UNIX or Linux system user database.
If the authentication fails, the next authentication mechanism is tried.
If the authentication succeeds, the user is logged in.
This search method is disabled by default.
The user identity is the UNIX or Linux system user name.
In the SGD Administration Console, the user identity is displayed as UNIX-username (UNIX).
On the command line, the user identity is displayed as .../_user/UNIX-username.
The profile object System Objects/UNIX User Profile is used for the user profile.
All UNIX users receive the same webtop content.
Application sessions and password cache entries belong to the UNIX user.
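The three search methods above differ in how the user identity and user profile are determined, and in when the authentication chain stops: a failed password check or a missing profile passes control to the next mechanism, whereas a successful password check against a profile whose Login attribute is disabled ends the login attempt outright. The following simulation is an added example, not code from Secure Global Desktop; the local repository, the UNIX user database, the password check and the identity strings (`.../_ens/...`, `.../_user/...`) are constructed stand-ins so the decision logic can be run offline.

```python
"""Simulation of the three SGD UNIX system authentication search methods.

Added example, not code from Secure Global Desktop. The local repository,
the UNIX user database and the PAM-style password check are all
constructed in memory so the decision logic can be run offline; real SGD
consults its repository and the host's PAM stack instead.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    LOGGED_IN = "logged in"
    NEXT_MECHANISM = "try the next authentication mechanism"
    DENIED = "not logged in, no further mechanisms tried"


@dataclass
class UserProfile:
    name: str                   # Name attribute (common name)
    login_name: str             # Login Name attribute
    email: str = ""             # Email Address attribute
    login_enabled: bool = True  # Login attribute


DEFAULT_PROFILE_DN = "System Objects/UNIX User Profile"

# Constructed local repository. "cn=100" stands in for a profile that
# method 2 matches on the authenticated user's primary UNIX group ID.
LOCAL_REPOSITORY = {
    "cn=Indigo Jones": UserProfile("Indigo Jones", "indigo", "indigo@indigo-insurance.com"),
    "cn=Emma Rosen": UserProfile("Emma Rosen", "emmar", login_enabled=False),
    "cn=100": UserProfile("100", ""),
    DEFAULT_PROFILE_DN: UserProfile("UNIX User Profile", ""),
}

# Constructed UNIX user database: user name -> (password, primary GID).
UNIX_USERS = {"indigo": ("s3cret", 100), "emmar": ("pw", 200), "bill": ("pw", 300)}


def unix_authenticate(username, password):
    """Stand-in for the PAM authentication call SGD makes."""
    entry = UNIX_USERS.get(username)
    return entry is not None and entry[0] == password


def find_profile_by_typed_name(typed):
    """Match the Name attribute, then Login Name, then Email Address."""
    for attr in ("name", "login_name", "email"):
        for dn, profile in LOCAL_REPOSITORY.items():
            value = getattr(profile, attr)
            if value and value == typed:
                return dn, profile
    return None


def search_local_repository(typed, password):
    """Method 1: the matched profile's Login Name is the UNIX user name."""
    hit = find_profile_by_typed_name(typed)
    if hit is None or not unix_authenticate(hit[1].login_name, password):
        return Outcome.NEXT_MECHANISM, None, None
    dn, profile = hit
    if not profile.login_enabled:
        return Outcome.DENIED, None, None
    return Outcome.LOGGED_IN, ".../_ens/" + profile.name, dn


def search_unix_group_profile(typed, password):
    """Method 2: identity is the UNIX user name; the profile is cn=<primary gid>,
    falling back to the default UNIX User Profile object."""
    if not unix_authenticate(typed, password):
        return Outcome.NEXT_MECHANISM, None, None
    dn = "cn=%d" % UNIX_USERS[typed][1]
    if dn not in LOCAL_REPOSITORY:
        dn = DEFAULT_PROFILE_DN
    if not LOCAL_REPOSITORY[dn].login_enabled:
        return Outcome.DENIED, None, None
    return Outcome.LOGGED_IN, ".../_user/" + typed, dn


def use_default_profile(typed, password):
    """Method 3 (disabled by default): every UNIX user gets the default profile."""
    if not unix_authenticate(typed, password):
        return Outcome.NEXT_MECHANISM, None, None
    return Outcome.LOGGED_IN, ".../_user/" + typed, DEFAULT_PROFILE_DN


def run_chain(typed, password, methods):
    """Try the enabled methods in order. LOGGED_IN and DENIED both end the
    chain; only NEXT_MECHANISM falls through to the following method."""
    for method in methods:
        outcome, identity, dn = method(typed, password)
        if outcome is not Outcome.NEXT_MECHANISM:
            return outcome, identity, dn, method.__name__
    return Outcome.NEXT_MECHANISM, None, None, None


if __name__ == "__main__":
    chain = [search_local_repository, search_unix_group_profile]  # the defaults
    for typed, pw in [("Indigo Jones", "s3cret"), ("bill", "pw"), ("Emma Rosen", "pw"), ("bill", "bad")]:
        print(typed, "->", run_chain(typed, pw, chain))
```

Running the block with the two default methods shows the point the text makes: "bill" has no profile in the repository, so method 1 falls through and method 2 logs him in with the default profile, while "Emma Rosen" authenticates successfully but is stopped at method 1 because her profile's Login attribute is disabled, and method 2 is never consulted.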
On the Global Settings » Secure Global Desktop Authentication tab, click the Change Secure Global Desktop Authentication button.
SGD supports Pluggable Authentication Modules (PAM). UNIX system authentication uses PAM for user authentication, account operations, and password operations.
If you want SGD to prompt UNIX users for a new password when they log in with an expired password, the PAM interface must be installed on your SGD servers. If the PAM interface is not installed, SGD cannot support aged passwords. In this case, an error message is logged in /opt/tarantella/var/log/pemanagerpid_error.log on server startup.
When you install SGD on Linux platforms, Secure Global Desktop Setup automatically creates PAM configuration entries for SGD by copying the current configuration for the passwd program into a new /etc/pam.d/tarantella file.
On Solaris Operating System platforms, you must add a new entry for SGD (tarantella) in the /etc/pam.conf file.
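Because UNIX system authentication relies on PAM for authentication, account and password operations, a tarantella service that is present but lacks one of those stacks (for example, a hand-written Solaris entry with auth lines only) will authenticate users yet not handle expired passwords. The following checker is an added example and not part of SGD or its installer: it parses both layouts the text mentions, a per-service file such as /etc/pam.d/tarantella (no service column) and a single /etc/pam.conf (service name in the first column), and reports which of the three stacks the tarantella service is missing. The sample configuration text is constructed; Linux-PAM `@include` directives are reported but not followed.

```python
"""Check that the PAM service SGD uses ("tarantella") covers the stacks
UNIX system authentication relies on: auth, account and password.

Added example, not part of SGD or its installer. Both configuration
layouts named in the guide are handled: a pam.d-style per-service file
(Linux) and a pam.conf-style file where each line starts with the
service name (Solaris). The sample texts below are constructed.
"""

REQUIRED_TYPES = ("auth", "account", "password")

# Constructed sample in /etc/pam.d/tarantella layout, modelled on a passwd service.
SAMPLE_PAMD = """\
# /etc/pam.d/tarantella (constructed sample)
auth       required   pam_unix.so
account    required   pam_unix.so
password   [success=1 default=ignore] pam_unix.so obscure sha512
password   required   pam_deny.so
"""

# Constructed sample in /etc/pam.conf layout with an incomplete tarantella entry.
SAMPLE_PAMCONF = """\
# /etc/pam.conf (constructed sample): another service plus a partial SGD entry
login      auth    requisite  pam_authtok_get.so.1
login      auth    required   pam_unix_auth.so.1
tarantella auth    requisite  pam_authtok_get.so.1
tarantella auth    required   pam_unix_auth.so.1
tarantella account required   pam_unix_account.so.1
"""


def parse_pam_lines(text, service=None):
    """Return (type, control, module) tuples for a PAM configuration.

    service=None: pam.d-style text, no service column.
    service="name": pam.conf-style text; only lines for that service are kept.
    Comments and blank lines are skipped; a bracketed control such as
    '[success=1 default=ignore]' is kept together as one control token.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if service is not None:
            if tokens[0] != service:
                continue
            tokens = tokens[1:]
        elif tokens[0] == "@include" and len(tokens) >= 2:
            entries.append(("@include", "", tokens[1]))   # cannot be resolved offline
            continue
        if len(tokens) < 3:
            continue
        mtype = tokens[0].lower().lstrip("-")   # "-auth" is Linux-PAM's optional-module prefix
        if tokens[1].startswith("["):
            end = 1
            while end < len(tokens) and not tokens[end].endswith("]"):
                end += 1
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if rest:
            entries.append((mtype, control, rest[0]))
    return entries


def check_service(text, service=None):
    """Summarise one PAM service: whether any entries exist, which of the
    stacks SGD needs are absent, and which @include directives were not followed."""
    entries = parse_pam_lines(text, service)
    present = {e[0] for e in entries}
    return {
        "configured": bool(entries),
        "missing": [t for t in REQUIRED_TYPES if t not in present],
        "includes": [e[2] for e in entries if e[0] == "@include"],
        "entries": [e for e in entries if e[0] != "@include"],
    }


if __name__ == "__main__":
    print("pam.d sample:", check_service(SAMPLE_PAMD)["missing"])
    print("pam.conf sample:", check_service(SAMPLE_PAMCONF, "tarantella")["missing"])
```

To run the check against a real host, read /etc/pam.d/tarantella into `check_service(text)` or /etc/pam.conf into `check_service(text, "tarantella")`; a non-empty `missing` list means the corresponding operations will not be available to SGD even though the service entry exists.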
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.