About End User Authorization Methods

The authentication methods by which users access the End User Web Interface (EUWI) are set using the End User Authentication feature on the Quarantine tab of the PureMessage Manager. The default authentication method is to email a session ID to the end user. The alternate methods are to authenticate through an encrypted password file or using LDAP. All three methods are described below.

SessionID Authentication

This default end user authentication method is based on emailing a generated session ID key to the end user. The session ID key is invalid after the Session expiry time, which is defined using abbreviation suffixes to specify the unit of time: "s" (seconds), "m" (minutes), "h" (hours) and "w" (weeks). So, two days, three hours and twenty minutes would be entered as 51h20m. The email sent to the end user is based on an Email template, which can be modified if required. (We suggest that you make any modifications to a copy or back up the original.)

When end users first access the web interface URL, (<EUWI_host>.<domain>28080), they are prompted to enter their email address and request a password. The generated session ID key is sent to the specified email address as their password. If the user requests a password multiple times, only the most recently generated password is valid. After receiving a password, end users can log in to the EUWI.

Password Text File Authentication

End user authentication can also be configured to use a text passwords flat-file database. To configure this usage, change the auth variable in the enduser.conf configuration file (located by default in the /opt/pmx6/etc/enduser directory) to flat_file. Next, edit the enduser_ui_user_passwords file, and add the desired usernames and passwords using the commented examples in the file as a model. Restart the HTTP (RPC/UI) service to make the changes active. After re-starting the EUWI, login authentication is controlled according to the username/password combinations in enduser_ui_user_passwords, so these passwords must be emailed to the end users.

There are three methods of storing each user's password: plain text (the default), crypt, and md5. To configure the password storage format, add the usernames and passwords to the enduser_ui_user_passwords file. Then, in the etc/enduser/auth.conf file, set the "crypt" option in the <Authenticator flat_file> -> <config> section to the desired method.

This is a slightly simpler process for end users because they do not need to request a password. It does require more work by the PureMessage administrator, as the end users' assigned passwords must be emailed to them along with the URL to access the EUWI.

LDAP-Based Authentication

End user authentication can also be configured to use an existing LDAP directory, such as Active Directory, Sun ONE Directory Server 5.2, and OpenLDAP. For more about configuring end user authentication, see the PureMessage Manager Reference. In general, specify the "host:port" of the LDAP server(s), the LDAP server's Distinguished Name(DN), a password to access LDAP server information, if required, the base DN for user accounts, and the filter translation of the field name for the LDAP data that you are querying.

Once LDAP authentication is configured, you must enable the End User Web Interface for LDAP. In the etc/enduser/enduser.conf file, edit the auth option so that it reads auth=ldap. Restart the EUWI to make this change take effect.

Depending on whether you are authenticating users by email address or Active Directory ID, you may want to edit the login page for the EUWI so that it displays an appropriate message to your users. The template for this page can be found in lib/manager/HTTPD/tmpl/authorize.html.

All errors and warning messages returned from an LDAP server are placed in the var/log/manager/httpd_error.log file. All items related to LDAP Authentication are prefixed by the phrase "EU-LDAP-AUTH", making it easier to separate them from other entries in the log file.