About End User Authorization Methods
The authentication methods by which users access the End User Web Interface (EUWI) are set using the End User Authentication feature on the Quarantine tab of the PureMessage Manager. The default authentication method is to email a session ID to the end user. The alternate methods are to authenticate through an encrypted password file or using LDAP. All three methods are described below.
This default end user authentication method is based on emailing a generated session ID key to the end user. The session ID key is invalid after the Session expiry time, which is defined using abbreviation suffixes to specify the unit of time: "s" (seconds), "m" (minutes), "h" (hours) and "w" (weeks). So, two days, three hours and twenty minutes would be entered as 51h20m. The email sent to the end user is based on an Email template, which can be modified if required. (We suggest that you make any modifications to a copy or back up the original.)
When end users first access the web interface URL (<EUWI_host>.<domain>:28080), they are prompted to enter their email address and request a password. The generated session ID key is sent to the specified email address as their password. If the user requests a password multiple times, only the most recently generated password is valid. After receiving a password, end users can log in to the EUWI.
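A validator for the Session expiry time format described above, added here as an example and not taken from PureMessage. It assumes the value is a run of number-plus-suffix pairs using only the four suffixes this page lists; the function names and the one-week ceiling are hypothetical.

```python
import re

# Suffixes this page lists for the Session expiry time. There is no day
# unit in that list, so days are folded into hours (2 days 3 h -> 51h).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "w": 7 * 24 * 3600}
_TOKEN = re.compile(r"(\d+)([A-Za-z])")


def parse_expiry(text):
    """Convert a value such as '51h20m' to seconds; raise ValueError if malformed."""
    value = text.strip()
    total, pos, seen = 0, 0, set()
    for match in _TOKEN.finditer(value):
        number, unit = int(match.group(1)), match.group(2)
        if match.start() != pos:
            raise ValueError(f"unexpected text at offset {pos} in {value!r}")
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unit {unit!r} is not one of s, m, h, w")
        if unit in seen:
            raise ValueError(f"unit {unit!r} given twice")
        seen.add(unit)
        total += number * UNIT_SECONDS[unit]
        pos = match.end()
    if pos != len(value) or total == 0:
        raise ValueError(f"not a usable expiry value: {value!r}")
    return total


def format_expiry(days=0, hours=0, minutes=0, seconds=0):
    """Build an expiry string from a human duration, using only h, m and s."""
    total = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    if total <= 0:
        raise ValueError("duration must be positive")
    hours, rest = divmod(total, 3600)
    minutes, seconds = divmod(rest, 60)
    parts = [(hours, "h"), (minutes, "m"), (seconds, "s")]
    return "".join(f"{n}{u}" for n, u in parts if n)


def check_expiry(text, ceiling="1w"):
    """Return (seconds, within_ceiling); the ceiling is a hypothetical site policy."""
    seconds = parse_expiry(text)
    return seconds, seconds <= parse_expiry(ceiling)


if __name__ == "__main__":
    for sample in ("51h20m", "2w", "2d3h20m", "90"):  # constructed inputs
        try:
            print(sample, check_expiry(sample))
        except ValueError as err:
            print(sample, "rejected:", err)
```

Because the emailed session ID key works as the password until it expires, checking the configured value against a ceiling catches an expiry that is longer than intended.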
Password Text File Authentication
End user authentication can also be configured to use a flat-file text database of passwords. To configure this usage, change the auth variable in the enduser.conf configuration file (located by default in the /opt/pmx6/etc/enduser directory) to flat_file. Next, edit the enduser_ui_user_passwords file, and add the desired usernames and passwords using the commented examples in the file as a model. Restart the HTTP (RPC/UI) service to make the changes active. After restarting the EUWI, login authentication is controlled according to the username/password combinations in enduser_ui_user_passwords, so these passwords must be emailed to the end
There are three methods of storing each user's password: plain text (the default), crypt, and md5. To configure the password storage format, add the usernames and passwords to the enduser_ui_user_passwords file. Then, in the etc/enduser/auth.conf file, set the "crypt" option in the <Authenticator flat_file> -> <config> section to the desired method.
This is a slightly simpler process for end users because they do not need to request a password. It does require more work by the PureMessage administrator, as the end users' assigned passwords must be emailed to them along with the URL to access the EUWI.
End user authentication can also be configured to use an existing LDAP directory, such as Active Directory, Sun ONE Directory Server 5.2, or OpenLDAP. For more about configuring end user authentication, see the PureMessage Manager Reference. In general, specify the "host:port" of the LDAP server(s), the LDAP server's Distinguished Name (DN), a password to access LDAP server information (if required), the base DN for user accounts, and the filter translation of the field name for the LDAP data that you are querying.
Once LDAP authentication is configured, you must enable the End User Web Interface for LDAP.
In the etc/enduser/enduser.conf file, edit the auth option so that it reads auth=ldap. Restart the EUWI to make this change take effect.
Depending on whether you are authenticating users by email address or Active Directory ID, you may want to edit the login page for the EUWI so that it displays an appropriate message to your users. The template for this page can be found in lib/manager/HTTPD/tmpl/authorize.html.
All error and warning messages returned from an LDAP server are placed in the var/log/manager/httpd_error.log file. All items related to LDAP Authentication are prefixed by the phrase "EU-LDAP-AUTH", making it easier to separate them from other entries in the log file.