Configuring End User Authentication

If you have granted end users access to the End User Web Interface (EUWI) to manage certain aspects of email filtering, you must configure the method they use to prove their identity when they log in. That method is set on the Quarantine: End User Authentication page.

Note
You can also configure PureMessage to use more than one form of authentication. For example, your organization may authenticate users against more than one LDAP directory. For instructions, see Configuring Multiple Authenticators in the Sophos Knowledgebase.

To set the end user authentication method:
  1. In the Enduser section of the Quarantine tab's sidebar, click End User Authentication.

    The End User Authentication page is displayed.

  2. Select the option button for the end user authentication method that you want to use:
    • SessionID is emailed to user: This option generates a session ID that is emailed to the end user and acts as a one-time password for a specified length of time. Anyone who can read the user's mailbox during that window can log in as that user, so this method is only as strong as the mail path to the user. For this method, you must set the following options:
      • Email template: Specify the path and filename of the email template for the message that carries the generated session ID, which becomes the user's password.
      • Session expiry time: Specify how long the end user login session remains valid. Keep it short; the session ID is a usable credential until it expires.
      Note
      Use abbreviation suffixes to specify the unit of time: "s" (seconds), "m" (minutes), "h" (hours) and "w" (weeks). For example, to specify 20 minutes, enter "20m"; to specify an hour and a half, enter "1h30m".
    • Password database is kept in a plain text file: This option authenticates users against a text file containing one username and one password per line, separated by a comma. The password field can be stored in the clear or as a hash. For this method, you must set the following options:
      • File path: Specify the path and filename of the password text file. The default is enduser/enduser_ui_user_passwords.
      • Encryption: Specify how the password field is stored. The recognized options are none (passwords stored in the clear), crypt (Unix crypt(3) hashes) or md5. Avoid none. Either hash is preferable to cleartext, but both are fast to brute-force by current standards, so restrict read access on the file to the account PureMessage runs as.
    • LDAP based authentication: This option uses an existing LDAP server as the source of end user accounts and for checking passwords. For this method, you must set the following options:
      • LDAP Server: Specify the 'host:port' of the server(s) to connect to when authenticating users via LDAP. To specify more than one LDAP host for failover (which is strongly advised), enter a semicolon-separated list of hosts. If no port is specified, port 389 is used by default.

        To use an encrypted LDAPS connection, prefix the host:port with ldaps://. For LDAPS connections, port 636 is used if no port is specified. Plain LDAP on port 389 sends the bind password and each end user's password across the network unencrypted, so use ldaps:// for any server that is not on the local host. For example:

        localhost:389 ldaps://ldap.mycompany.com
      • DN for binding to LDAP server: Specify the Distinguished Name (DN) of the account used to connect to the LDAP server and look up the DN of the user being authenticated. This text box supports variable substitution (described below).
      • Password for binding to LDAP server: Specify the password for the bind DN above. Grant this account only the rights it needs: it must be able to search for a user's DN from the username supplied at login, and it needs neither write access nor the ability to read password attributes.
      • Base DN for user accounts: Specify the top LDAP directory node from which the search is performed to retrieve the DN of the user to be authenticated. This text box supports variable substitution (described below).
      • Filter to find user account: Specify the LDAP query that is performed to retrieve the DN of the user account to be authenticated. The filter must match exactly one entry; if it can match several, authentication behaves inconsistently. Because %%username%% is taken directly from the login form, test the filter with usernames containing LDAP filter metacharacters (*, parentheses, backslash) and confirm that they cannot widen the match. This text box supports variable substitution (described below).
        Note
        For Active Directory, the filter to find the user account should be (sAMAccountName=%%username%%), not (uid=%%username%%); uid is the usual attribute in other LDAP directories.
    Variable substitution can be used in the DN for binding to LDAP server, Base DN for user accounts and Filter to find user account text boxes. A variable written in the form %%name%% is replaced with the corresponding value when the query is built. The following variables are available:
    • %%username%% - The full username as provided by the user on the login page.
    • %%password%% - The full password as provided by the user on the login page. Avoid placing this in a search filter: the filter, and with it the password, can be recorded in the directory server's logs.
    • %%bind_dn%% - The 'Bind DN' as specified in the configuration.
    • %%base_dn%% - The 'Base DN' as specified in the configuration.
    Note
    Advanced LDAP configuration options are available via ldap.conf, located by default in /pmx/etc/enduser/auth.d. Advanced options are described on the ldap.conf man page. These options are recommended for use by advanced administrators only.
  3. Click Save.
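The following Python is added here as an illustration and is not part of PureMessage. It models the three formats described above (the session expiry suffixes, the LDAP Server list with its default ports, and %%variable%% substitution into the user-account filter) so that settings can be checked before they are saved. The function names, the RFC 4515 escaping step, and the sample settings are the example's own assumptions; the page does not say whether PureMessage escapes %%username%% itself.

```python
"""Offline sanity checks for End User Authentication settings.

Added example, not PureMessage code. The function names are the author's own.
"""
import re

# Session expiry time: the page defines s, m, h and w. Days are not listed,
# so "1d" is rejected rather than guessed at.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "w": 7 * 24 * 3600}


def parse_duration(text):
    """Return the number of seconds in a suffixed duration such as "1h30m"."""
    text = text.strip()
    if not re.fullmatch(r"(?:\d+[smhw])+", text):
        raise ValueError(f"bad duration {text!r}: use digits with s/m/h/w suffixes")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([smhw])", text))


# LDAP Server list. The page says hosts are semicolon-separated but its own
# example separates them with a space, so both separators are accepted here.
def parse_ldap_servers(text):
    """Return (scheme, host, port) for each entry, applying the default ports."""
    servers = []
    for entry in re.split(r"[;\s]+", text.strip()):
        if not entry:
            continue
        scheme = "ldap"
        if entry.lower().startswith("ldaps://"):
            scheme, entry = "ldaps", entry[len("ldaps://"):]
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            servers.append((scheme, host, int(port)))
        else:
            servers.append((scheme, entry, 636 if scheme == "ldaps" else 389))
    return servers


def cleartext_remote_servers(servers):
    """Entries that would receive the bind password, and every end user's
    password, unencrypted over the network (plain ldap to a remote host)."""
    local = {"localhost", "127.0.0.1", "::1"}
    return [s for s in servers if s[0] == "ldap" and s[1] not in local]


# Filter variables. The characters below change the meaning of an LDAP search
# filter, so a user-supplied value has them hex-encoded (RFC 4515) before it
# is substituted. This is the example's assumption about what must happen;
# whether PureMessage does it internally is not stated on the page.
def escape_filter_value(value):
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(template, username, base_dn="", bind_dn=""):
    """Substitute the page's %%variables%% into a filter template.

    %%password%% is intentionally not substituted: the password belongs in the
    bind operation, not in a search filter that may end up in directory logs.
    """
    values = {
        "%%username%%": escape_filter_value(username),
        "%%base_dn%%": base_dn,
        "%%bind_dn%%": bind_dn,
    }
    for name, value in values.items():
        template = template.replace(name, value)
    return template


if __name__ == "__main__":
    print(parse_duration("1h30m"))  # 5400
    # Sample LDAP Server setting taken from the page's own example.
    servers = parse_ldap_servers("localhost:389 ldaps://ldap.mycompany.com")
    print(servers, cleartext_remote_servers(servers))
    # A wildcard username must not become a wildcard filter.
    print(build_filter("(sAMAccountName=%%username%%)", "*"))
    # A username that tries to close the filter and add a clause is neutralised.
    print(build_filter("(sAMAccountName=%%username%%)", "a)(objectClass=*"))
```

Run it against the values you intend to enter: a non-empty result from cleartext_remote_servers means a remote server is configured without ldaps://, and the two build_filter calls at the end show what a metacharacter-laden username should look like after escaping, which is the behaviour to confirm with the Test button on the page.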

Testing Authentication

You can test any of the three authentication methods: SessionID, plain text file or LDAP-based authentication.

To test authentication:

  1. On the End User Authentication page, type the username and password of an existing account in the appropriate text boxes.
    If you are testing LDAP authentication, the user's LDAP entry must contain an email address or the test will fail.
  2. Click Test.
    Repeat the test with a wrong password and with a username that does not exist, and confirm that both attempts are rejected.