

Using the Security Facility

The introduction of security policies requires careful planning to ensure that the measures adopted are appropriate to the systems being used. Such considerations are beyond the scope of this documentation. This topic gives a brief overview of the steps involved in using the Security Facility to control user authentication and authorization, and resource access control.

  1. Before you can use the Security Facility, you must decide which external security managers you are going to use and, if you plan to use multiple security managers, how you want to divide the responsibilities between them. Most installations use a single external security manager.
  2. Having done this you must define, within the repositories used by those managers, the users, resources and rules that you require. This may involve migration of user and resource details from legacy Directory Server and Enterprise Server security definitions, and in the case of LDAP repositories used with the MLDAP ESM Module, modifications to the schema to support the security information.

    For instructions on extending LDAP repositories, see the topic on extending LDAP repositories for the MLDAP ESM Module.

  3. The next step is to specify within Directory Server the security managers, the ESM Modules that will be used to connect to them, and the associated configuration information. In doing this you create a pool of security manager definitions from which you can choose the ones that you require for particular enterprise servers.
  4. At this point, you can begin to define security configuration options. You can have different configuration options for individual enterprise servers, and for Directory Server. You can also have a default configuration that applies to any enterprise server that does not have its own configuration.

    For more details about configuration options, see Understanding security configuration.

    For instructions on setting configuration options, see Configuring Security Options.

  5. The configuration options include an ordered list of references to the security managers that you will use. Hence, as with the other options, you can use different lists for Directory Server and individual enterprise servers, and you can have a default list used by multiple servers.

    The order of the managers on the list determines the order in which they are queried when handling a security request. Depending on other configuration options, this order can affect the result of a query, for example when more than one manager holds a definition for the same user or resource.

    You can now add the appropriate security managers from the security manager pool to the list that you are using.

Note:

Directory Server security involves two forms of access control:

  • access to configuration information by applications (for example, an enterprise server reading the configuration details it requires when it starts up)
  • access to administration screens via the Directory Server web interface

Application access is always controlled by the security managers on the security manager list. Access to the administration screens is only controlled if you set the Restrict administration access security configuration option. See Restricting administration access.

Note:

For Enterprise Server, changes that you make to security configuration, including the addition, removal or re-sequencing of security managers, do not take effect until you restart the enterprise server.

For Directory Server, most changes take effect when you click OK or Apply. (Some changes may require restarting Directory Server. After applying a change, check the status line near the top of the Directory Server Administration screen to see whether any errors were reported.) However, where Restrict administration access is set and the changes might alter the credentials needed to access the administration screens, you are asked to confirm the changes by supplying:

  • a set of user credentials with the appropriate authority that are valid under the settings prior to making your changes
  • another set of user credentials with the appropriate authority that are valid under the new settings

This is to ensure that you do not inadvertently prevent yourself from administering the system.
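The ordered security manager list from step 5 and the two-credential confirmation described above, as an added example that is not Micro Focus code: a small model of an ordered manager list, an administration-access check gated by a restrict-administration-access option, and a change guard that refuses a configuration unless an administrator can still get in under both the current and the proposed settings. The manager names, the in-memory user records and the stop_on_first_verdict combining option are assumptions of the example; the real combining behaviour is governed by the security configuration options documented elsewhere.

```python
# Added illustration (not Micro Focus code): an ordered security-manager list
# and the two-credential lockout guard. Manager names, user records and the
# stop_on_first_verdict option are constructed assumptions for this example.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    UNKNOWN = "unknown"  # this manager has no record of the user


@dataclass
class SecurityManager:
    """One external security manager; users maps name -> (password, is_admin)."""
    name: str
    users: Dict[str, Tuple[str, bool]]

    def authenticate(self, user: str, password: str) -> Verdict:
        if user not in self.users:
            return Verdict.UNKNOWN
        return Verdict.ALLOW if self.users[user][0] == password else Verdict.DENY

    def is_admin(self, user: str) -> bool:
        return self.users.get(user, ("", False))[1]


@dataclass
class SecurityConfig:
    """Options for one server. stop_on_first_verdict is a hypothetical
    combining rule used only to show how list order changes the outcome."""
    managers: List[SecurityManager]
    stop_on_first_verdict: bool = True
    restrict_admin_access: bool = True


def evaluate(cfg: SecurityConfig, user: str, password: str
             ) -> Tuple[Verdict, Optional[SecurityManager]]:
    """Query managers in list order; return the verdict and the deciding manager.
    stop_on_first_verdict=True : the first manager that knows the user decides.
    stop_on_first_verdict=False: every manager that knows the user must ALLOW.
    A user unknown to all managers yields UNKNOWN, which callers treat as deny."""
    decided: Optional[Tuple[Verdict, SecurityManager]] = None
    for esm in cfg.managers:
        v = esm.authenticate(user, password)
        if v is Verdict.UNKNOWN:
            continue
        if cfg.stop_on_first_verdict or v is Verdict.DENY:
            return v, esm
        decided = (v, esm)  # ALLOW so far; a later DENY still wins
    return decided if decided else (Verdict.UNKNOWN, None)


def admin_access(cfg: SecurityConfig, user: str, password: str) -> bool:
    """Administration screens: open unless restricted, otherwise the deciding
    manager must allow the user and record administrative authority."""
    if not cfg.restrict_admin_access:
        return True
    verdict, esm = evaluate(cfg, user, password)
    return verdict is Verdict.ALLOW and esm is not None and esm.is_admin(user)


class LockoutError(Exception):
    """The change would leave no usable administrator credentials."""


def apply_config_change(current: SecurityConfig, proposed: SecurityConfig,
                        creds_before: Tuple[str, str],
                        creds_after: Tuple[str, str]) -> SecurityConfig:
    """Confirmation step: accept only if one credential set is an admin under
    the current settings and another is an admin under the proposed settings."""
    if current.restrict_admin_access and not admin_access(current, *creds_before):
        raise LockoutError("not an administrator under the current settings")
    if proposed.restrict_admin_access and not admin_access(proposed, *creds_after):
        raise LockoutError("would not be an administrator under the new settings")
    return proposed


# Constructed repositories: alice is defined in both managers with different
# passwords, so the list order decides which definition answers first.
LEGACY = SecurityManager("legacy-esm", {"alice": ("old-secret", True)})
LDAP = SecurityManager("mldap-esm", {"alice": ("new-secret", True),
                                     "bob": ("bob-pw", False)})


def demo() -> Dict[str, object]:
    """Run the scenarios and return the observations."""
    legacy_first = SecurityConfig([LEGACY, LDAP])
    ldap_first = SecurityConfig([LDAP, LEGACY])
    strict = SecurityConfig([LEGACY, LDAP], stop_on_first_verdict=False)
    out: Dict[str, object] = {
        "legacy_first_old_pw": evaluate(legacy_first, "alice", "old-secret")[0],
        "ldap_first_old_pw": evaluate(ldap_first, "alice", "old-secret")[0],
        "strict_old_pw": evaluate(strict, "alice", "old-secret")[0],
        "unknown_user": evaluate(ldap_first, "carol", "x")[0],
        "bob_admin": admin_access(ldap_first, "bob", "bob-pw"),
    }
    # Re-sequencing is accepted when alice can prove admin authority both ways.
    apply_config_change(legacy_first, ldap_first,
                        ("alice", "old-secret"), ("alice", "new-secret"))
    # Removing the legacy manager while alice can only present the legacy
    # password is refused: she would be locked out of administration.
    try:
        apply_config_change(legacy_first, SecurityConfig([LDAP]),
                            ("alice", "old-secret"), ("alice", "old-secret"))
        out["lockout_refused"] = False
    except LockoutError:
        out["lockout_refused"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The same credentials yield ALLOW with the legacy manager first and DENY with the LDAP manager first, which is the order sensitivity the configuration notes warn about; the guard at the end is the mechanical form of the confirmation prompt, and it is worth checking the same way before re-sequencing managers on an enterprise server, where the change only becomes visible after a restart.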
