MF Directory Server Security

Use this page to define the security settings to be used with Directory Server.

Restrict user access

Check this to cause all administrative access to the Directory Server to be authenticated and authorized by the entries on the Security Manager Priority List.

Authenticated client sessions

There are two main ways in which a remote user can connect to the Directory Server: from a Web browser, or from a program client.

If Directory Server is running in Restricted mode (see Restrict user access), Web browser clients have to authenticate themselves to the Directory Server, carry out their operations, and then log off. (Program clients always run in Restricted mode.) Between authentication and logoff the client is held in the authenticated client list maintained internally by the Directory Server process. Not all users or applications log off correctly once they have been authenticated, so to stop the list from growing too large, and to limit the time for which an abandoned session remains usable, the Directory Server removes both Web browser and program client sessions after a configurable period of inactivity.

Web browser timeout

Specify the maximum interval in seconds since the last activity of a Web browser client, for example, a browser refresh, before it is automatically logged off.

The minimum value is 60 seconds (1 minute). A value of -1 indicates an infinite timeout period. Use this value sparingly and always reset it to a finite period as soon as possible: with an infinite Web client timeout, an unauthorised user is more likely to gain access through an unattended machine whose session never expires, and the Directory Server will tend to become overloaded with clients that have not logged off.

The default value is 300 seconds (5 minutes).

Client program timeout

Specify the maximum interval in seconds since the last activity of a program client before it is automatically unbound.

The minimum value is 60 seconds (1 minute). A value of -1 indicates an infinite timeout period.

The default value is 6000 seconds (100 minutes).
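As an added illustration of how the authenticated client list and the two timeouts described above behave (example code, not Micro Focus code), the toy model below keeps one list for both client kinds, applies the documented limits (a minimum of 60 seconds, -1 for infinite, defaults of 300 and 6000 seconds), and checks a session lazily on every use so that an idle session is refused even before the periodic reaper has run. The class and method names and the session ids are assumptions made for this example.

```python
"""Toy model of the Directory Server authenticated client list and its
idle timeouts. Added illustration, not Micro Focus code: class and method
names are assumptions made for this example; the numeric limits (minimum
60 s, -1 for infinite, defaults of 300 s and 6000 s) come from the page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WEB, PROGRAM = "web", "program"
INFINITE = -1                 # documented sentinel for "never time out"
MIN_TIMEOUT = 60              # documented minimum for both timeouts
DEFAULT_WEB_TIMEOUT = 300
DEFAULT_PROGRAM_TIMEOUT = 6000


def validate_timeout(seconds: int) -> int:
    """Accept -1 or any value of at least 60 seconds; reject everything else."""
    if seconds == INFINITE:
        return INFINITE
    if seconds < MIN_TIMEOUT:
        raise ValueError(f"timeout must be {INFINITE} or at least {MIN_TIMEOUT} seconds")
    return seconds


@dataclass
class ClientList:
    web_timeout: int = DEFAULT_WEB_TIMEOUT
    program_timeout: int = DEFAULT_PROGRAM_TIMEOUT
    # session id -> (client kind, time of last activity); times are plain
    # integer seconds so that the example is deterministic.
    sessions: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.web_timeout = validate_timeout(self.web_timeout)
        self.program_timeout = validate_timeout(self.program_timeout)

    def _limit(self, kind: str) -> int:
        return self.web_timeout if kind == WEB else self.program_timeout

    def _expired(self, kind: str, last_activity: int, now: int) -> bool:
        limit = self._limit(kind)
        return limit != INFINITE and now - last_activity >= limit

    def authenticate(self, session_id: str, kind: str, now: int) -> None:
        """Enter a freshly authenticated client into the list."""
        self.sessions[session_id] = (kind, now)

    def is_authenticated(self, session_id: str, now: int) -> bool:
        """Lazy check: an idle session is dropped on first use, so a stale
        session id never satisfies a request even before the reaper runs."""
        entry = self.sessions.get(session_id)
        if entry is None:
            return False
        kind, last = entry
        if self._expired(kind, last, now):
            del self.sessions[session_id]
            return False
        return True

    def touch(self, session_id: str, now: int) -> bool:
        """Record activity (e.g. a browser refresh); False if already timed out."""
        if not self.is_authenticated(session_id, now):
            return False
        kind, _ = self.sessions[session_id]
        self.sessions[session_id] = (kind, now)
        return True

    def logoff(self, session_id: str) -> None:
        """Explicit logoff: the well-behaved case the timeouts exist to back up."""
        self.sessions.pop(session_id, None)

    def reap(self, now: int) -> List[str]:
        """Remove every idle session and return the ids removed, in list order."""
        removed = [sid for sid, (kind, last) in self.sessions.items()
                   if self._expired(kind, last, now)]
        for sid in removed:
            del self.sessions[sid]
        return removed


if __name__ == "__main__":
    clients = ClientList()                        # documented defaults
    clients.authenticate("browser-1", WEB, now=0)
    clients.authenticate("program-1", PROGRAM, now=0)
    print(clients.reap(now=300))                  # ['browser-1']
    print(clients.reap(now=6000))                 # ['program-1']
```

The lazy check in `is_authenticated` is the part that matters for security: the reaper only bounds the size of the list, while the per-request check is what stops a session that went idle a moment ago from being reused by whoever sits down at the unattended machine. Setting a timeout to -1 disables both.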

Verify against all Security Managers

Set this if you want each security query to be checked by all entries on the Security Manager Priority List.

If this is not set, the entries will be queried in the order that they appear on the Priority List until one gives a response of Allow, Deny, or Fail (equivalent to Deny). This response will then be used to decide what action should be taken.

If this field is set, all entries on the list will be queried, and if any returns a Deny or Fail, the access request will be denied. If there are no Deny or Fail responses and at least one of the entries on the list gives Allow as its response, the request will be allowed.

If a security manager does not have a rule for the resource or user specified in the request, it gives a response of Unknown. Whatever the setting of the Verify against all Security Managers field, if all of the entries on the priority list respond with Unknown, the request will be denied unless you have checked Allow unknown resources or Allow unknown users.
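To make the two evaluation modes and the Unknown handling concrete, here is an added Python model of the priority-list decision logic (illustration only, not Micro Focus code). The SecurityManager class, its rule table, the sample managers and the evaluate() function are assumptions made for this example; how a real manager decides that a user or a resource is unknown to it is modelled here by plain dictionary lookups. The model also reflects the two notes given later on this page: managers are asked in list order, and a manager that is not enabled is ignored.

```python
"""Model of how the Security Manager Priority List answers one access request.

Added illustration, not Micro Focus code: the SecurityManager class, its
rule table, the sample managers and the evaluate() function are assumptions
made for this example. A real manager decides for itself whether a user or
resource is unknown; here that is modelled by simple dictionary lookups.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List

ALLOW, DENY, FAIL, UNKNOWN = "Allow", "Deny", "Fail", "Unknown"
DEFINITE = {ALLOW, DENY, FAIL}   # responses that end the search when verify_all is off


@dataclass
class SecurityManager:
    name: str
    enabled: bool = True                          # disabled managers are ignored
    # resource -> {user -> Allow|Deny}; anything not listed is Unknown
    rules: Dict[str, Dict[str, str]] = field(default_factory=dict)
    failing: bool = False                         # simulate an unreachable backend

    def knows_resource(self, resource: str) -> bool:
        return resource in self.rules

    def knows_user(self, user: str) -> bool:
        return any(user in users for users in self.rules.values())

    def query(self, user: str, resource: str) -> str:
        if self.failing:
            return FAIL                           # treated as Deny by the caller
        return self.rules.get(resource, {}).get(user, UNKNOWN)


def variant(manager: SecurityManager, **changes) -> SecurityManager:
    """Copy of a manager with some fields changed (e.g. enabled=False)."""
    return replace(manager, **changes)


def evaluate(managers: List[SecurityManager], user: str, resource: str, *,
             verify_all: bool = False,
             allow_unknown_resources: bool = False,
             allow_unknown_users: bool = False) -> str:
    """Return Allow or Deny for one request, following the documented rules."""
    active = [m for m in managers if m.enabled]   # list order is priority order
    responses = []
    for manager in active:
        response = manager.query(user, resource)
        responses.append(response)
        # Verify against all Security Managers unset: first definite answer wins.
        if not verify_all and response in DEFINITE:
            return ALLOW if response == ALLOW else DENY
    if verify_all:
        # Every manager was asked: any Deny or Fail denies, otherwise one Allow allows.
        if DENY in responses or FAIL in responses:
            return DENY
        if ALLOW in responses:
            return ALLOW
    # Reaching here means every active manager answered Unknown.
    if allow_unknown_resources and not any(m.knows_resource(resource) for m in active):
        return ALLOW
    if allow_unknown_users and not any(m.knows_user(user) for m in active):
        return ALLOW
    return DENY


# Constructed sample list: an external (LDAP-style) manager ahead of a local one.
LDAP = SecurityManager("ldap", rules={
    "cas.admin":   {"alice": ALLOW, "bob": DENY},
    "mfds.config": {"alice": ALLOW},
})
LOCAL = SecurityManager("local", rules={
    "cas.admin":   {"carol": ALLOW, "alice": DENY},
})
PRIORITY_LIST = [LDAP, LOCAL]

if __name__ == "__main__":
    print(evaluate(PRIORITY_LIST, "alice", "cas.admin"))                          # Allow: ldap answers first
    print(evaluate(PRIORITY_LIST, "alice", "cas.admin", verify_all=True))         # Deny: local is also asked
    print(evaluate([variant(LDAP, failing=True), LOCAL], "carol", "cas.admin"))   # Deny: Fail stops the search
```

Two consequences of the documented rules are visible in the sample: with the box unset, an unreachable first manager (Fail) denies carol even though the local manager would allow her, and reordering the list changes the answer for alice; with the box set, the Deny from the lower-priority manager wins whatever the order. The Allow unknown options only come into play once every enabled manager has answered Unknown, which is why a request for a resource that one manager does know cannot slip through on Allow unknown resources.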

Allow unknown resources

Check this if you want the security facility to permit access to any unknown resource; that is, any resource for which all entries on the priority list return Unknown.

You might use this in circumstances where you only want to restrict access to some resources.

Allow unknown users

Check this if you want to allow unknown users to log in.

Use all groups

Check this if a user requesting authorization is to have the permissions of every group to which he or she belongs.

Uncheck this if the user is to have only the permissions of the group specified in the initial security API call that requested verification (authentication) of the user's credentials. Where no group is specified in the verify call, a default group is used.

Cache limit:

Enter the maximum size in kilobytes that enterprise server's security facility can use for caching the results of security queries.

Cache TTL:

Enter the maximum time in seconds that an entry in the cache can be used to satisfy requests before the details must be requeried from the security manager.

Create audit events

Check this to enable the enterprise server to generate security audit events. These events can be captured and logged by the Audit Facility.

Configuration information

Specify any additional configuration settings that the enterprise server security facility requires.

Use default ES Security Manager List

Check this if you want Directory Server to use your default ES security manager list rather than the Security Manager List below. To define the default ES security settings, click Security on the menu on the left-hand side, and then click Default ES Security.

Security Manager List

This is the list of security managers (taken from the available pool) that MF Directory Server can use to perform security queries.

Note: Security managers are queried in the order that they appear in the list. If the Verify against all Security Managers checkbox is not checked, the first manager in the list that responds with a definite answer will determine the result of a security query. See the text for Verify against all Security Managers for more details.

Use the up and down arrows to reposition the selected entry.

Select

Use this to select a security manager for removal or for moving to a different position in the list.

Name

This column shows the name used to identify the security manager.

Priority

Indicates the position of the security manager in the sequence in which the security managers are queried.

Module

This column indicates the module used by a security manager to access an external security manager or to implement the security rules.

Description

This column shows the description entered for the security manager.

Enabled

This column indicates whether or not the security manager is enabled. If it is not enabled, it will be ignored by Directory Server and those enterprise servers that reference it.

Add

Click this to add a security manager from the pool of available definitions.

Change

Click this to replace the MFDS Internal Security Manager with a security manager chosen from the pool of available definitions. This button is only present if you are using the MFDS Internal Security Manager. Because MFDS Internal Security cannot be used alongside other security managers, adding the new manager removes MFDS Internal Security from the list.

Remove

Click this to remove the currently selected definition from this list.

Note: The definition is only removed from this list, not from the available pool of definitions.
