Harvest

Tuesday Tip: Understanding Authentication Options on Unix and Linux

  • 1.  Tuesday Tip: Understanding Authentication Options on Unix and Linux

    Broadcom Employee
    Posted 07-30-2014 04:05 PM

    For the Harvest SCM Server this article discusses the method that the hserver process uses to authenticate the userids and passwords provided by users when logging into Harvest Workbench, Administrator Tool, Harweb or command line utilities.

     

    For the Harvest SCM Agent this article discusses the method that the agntd process uses to authenticate the userids and passwords used when connecting to the agent (-rusr and –rpw for command line utilities or the “Login Name” and “Password” fields on the Remote Agent Login window in Workbench)

     

    When configuring the Harvest SCM Server or Agent for authentication on a Unix or Linux platform you have 3 choices:

    • “-authmode=internal” – with this setting, the hserver process will search for and authenticate the user based on the information inside the Harvest database.  The agntd process will search for and authenticate the user based on the contents of the Unix/Linux machine’s /etc/passwd file. 

     

    • “-authmode=openldap” – with this setting, Harvest will authenticate userids and passwords directly from your network’s LDAP directory but additional configuration settings are required for this:

    -ldapserver=”hostname1[:port1] [hostname2[:port2] [hostname3[:port3]…]”
    Defines one or more host names of the LDAP server
    -ldapbinddn=distinguished-name
    Defines the LDAP initial bind distinguished name (DN) to the LDAP Server. For all authentication operations, only the initial DN is used to bind to the LDAP directory.
    -ldapbindpw=password (or -ldapbindpwfile=encryptedpasswordfile.dfo)
    Defines the password for the LDAP distinguished name used for the initial bind. Do not enter spaces.
    -ldapsearchtimeout=seconds
    (Optional) Defines the number of seconds to search for a user in the LDAP directory; for example, when a user attempts to log in to the product.
    -ldapbasedn=base-distinguished-name
    Defines the base distinguished name (DN) used when searching in the LDAP server.
    -ldapfilter=search-filter
    Defines an RFC-2254-compliant search filter for locating a user. For example, when a user attempts to log in to product, this filter is used to search for the user in the LDAP server.
    -ldapattrusrname=attribute-name
    (Optional) Defines your LDAP server's user attribute name for user name.
    -ldapmode={none|tls|ssl}
    --- other optional parameters might be needed as well.

     

    • "-authmode=pam” – with this setting, login credentials are passed to your Unix/Linux box’s “Pluggable Authentication Module” which *must* be configured by your Unix/Linux System Administrator to correctly complete the authentication for the “hserver” and/or “agntd” processes.  The beauty of the “Pluggable Authentication Module” is that you can create general authentication rules that all applications and services will use, or customize authentication options for specific applications and/or processes.  The details of how to configure the Pluggable Authentication Module vary for the different types of Unix and Linux operating systems, and your System Administrator *must* help to complete this configuration for you.

     

    These settings are found in the argument files for the specific components you want to configure:

     

    For the hserver component the file is named hserver.arg

    For the agntd component the file is named hagent.arg

     

    More details about authentication options can be found in the Harvest SCM Implementation Guide.