Tarantella Administration Guide
Login authorities
A login authority authenticates users using a particular method.
Tarantella includes a number of login authorities as standard.
For example, it can check the UNIX user database, or use an external
mechanism such as an LDAP directory server.
You enable and disable login authorities using Array Manager.
When a user tries to log in to Tarantella, each login authority is tried in turn in the following order:
If one login authority authenticates the user, no more login authorities are tried.
Login authorities also identify a login profile, a "template" object in the organizational hierarchy which defines the Tarantella-specific characteristics of the user, such as their webtop.
The following sections explain the login authorities, how they are used to authenticate users
and what login profiles users get.
Web server authentication
This login authority allows access for users who have been authenticated by a web server. An object in ENS is used for the login profile.

The user authenticates directly to the web server. The Tarantella login page only displays if the search for a login profile fails.

This login authority allows access to users who have been authenticated by a web server. Tarantella trusts that the web server has authenticated the user correctly, and so they are authenticated to Tarantella.

- Once a user has been authenticated by a web server, Tarantella performs a search to see which login profile should be used. The login profile used depends on which of the following web authentication search methods succeeds:
  - Search ENS for matching person
    Searches ENS for a person object with a Name, Username or Email Address attribute that matches the user's web username.
    Profile used: Person object
  - Search LDAP and use closest ENS match
    Searches the LDAP directory server for a person object with a common name, Username or Mail attribute that matches the user's web username. Each attribute type is searched in turn until a match is found.
    Profile used: The first match of the following:
    - A person object in ENS with the same name as the LDAP person object, allowing for differences in the naming system. For example, if the LDAP object cn=Indigo Jones,ou=Administration,o=Indigo Insurance is found, this login authority would search ENS for o=Indigo Insurance/ou=Administration/cn=Indigo Jones.
    - A person object in ENS with the name cn=LDAP Profile, in the same OU as the LDAP person object. For example, o=Indigo Insurance/ou=Administration/cn=LDAP Profile.
    - A person object in ENS with the name cn=LDAP Profile, in any parent OU of the LDAP person object. For example, o=Indigo Insurance/cn=LDAP Profile.
  - Search LDAP and use LDAP User Profile
    Searches the LDAP directory server for an object with a common name, Username or Mail attribute that matches the user's web username. Each attribute type is searched in turn until a match is found.
    Profile used: LDAP profile "o=Tarantella System Objects/cn=LDAP Profile"
  - Use Web User Profile
    No search is performed.
    Profile used: Web user profile "o=Tarantella System Objects/cn=Web User Profile"
  One or more of the search methods have to be enabled in Array Manager. The methods are tried in the order shown above. Web server authentication does not support ambiguous users, and so the first match found is used.
- If the searches do not produce a match, the standard Tarantella login page displays. The user must log in to Tarantella so that another login authority can be tried.

This login authority is disabled by default. For details on how to use the LDAP directory server search methods to determine the login profile, see Defining webtops for LDAP users using login profiles.

Anonymous user login authority
This login authority allows anonymous access to a Tarantella webtop. An ENS profile object is used for the login profile.

The user leaves both username and password blank.

- This login authority authenticates users if the username and password are both blank.
- If a username or password is supplied, the next login authority is tried.
- If both username and password are blank, then the user may log in.

The ENS profile object o=Tarantella System Objects/cn=Anonymous Profile is used for the login profile.

This login authority is only available if you are using concurrent user licensing, and it is disabled by default.

ENS login authority
This login authority searches ENS, authenticating against the UNIX user database. An ENS person object is used for the login profile. This is the usual way users will log in to Tarantella.

The user types either a common name (for example "Indigo Jones"), a username (for example "indigo") or an email address (for example "[email protected]").

- This login authority searches ENS for a person object with a Name attribute that matches what the user typed. If there's no match, the search is repeated on the Username attribute, and finally on the Email Address attribute. If there's still no match, the next login authority is tried.
- If a match is found, the Username attribute of that object is treated as a UNIX username. This username, and the password supplied by the user, are checked against the UNIX user database using the standard system mechanisms for doing so.
- If the password doesn't match, the next login authority is tried.
- If the password matches then the user may log in, as long as the May Log In To Tarantella attribute for their person object is checked. If this attribute is cleared, the user may not log in and no further login authorities are tried.

The matching person object is used for the login profile.

If multiple matches are found for a Name, Username or Email Address, they are each checked against the password supplied. If more than one password matches, the user is prompted for additional identification information. For example, if two users have the same Name attribute and the same password, they are prompted for their Username.

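The ENS login authority's decision procedure, as an added Python model (not Tarantella's code, and not taken from this guide): the Name, then Username, then Email Address search, the password check of every candidate, the ambiguous-match prompt, and the way a cleared May Log In To Tarantella attribute ends the login-authority chain. The person objects, usernames, passwords and the salted-hash password check are all constructed stand-ins for ENS and the UNIX user database; unix_user_authority is a similar stand-in for the UNIX user login authority described later on this page, placed last in the chain.

```python
# Added example, not Tarantella code: a model of the ENS login authority
# inside the login-authority chain. Every user, password and ENS object
# below is constructed for the example.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional


def _digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stand-in for the UNIX user database: username -> (salt, digest).
UNIX_USERS = {
    "indigo": ("s1", _digest("s1", "violet-42")),
    "ijones": ("s2", _digest("s2", "violet-42")),  # same password as "indigo"
    "bill":   ("s3", _digest("s3", "orchid-7")),
}


def unix_password_ok(username: str, password: str) -> bool:
    """Stand-in for the 'standard system mechanisms' password check."""
    entry = UNIX_USERS.get(username)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(_digest(salt, password), digest)


@dataclass
class Person:
    """An ENS person object, with the attributes the ENS login authority reads."""
    ens_name: str
    name: str
    username: str
    email: str
    may_log_in: bool = True   # the May Log In To Tarantella attribute


# Constructed ENS: two people share the Name "Indigo Jones" (and, above, a password).
ENS: List[Person] = [
    Person("o=Indigo Insurance/ou=Administration/cn=Indigo Jones",
           "Indigo Jones", "indigo", "indigo@indigo.example"),
    Person("o=Indigo Insurance/ou=Sales/cn=Indigo Jones",
           "Indigo Jones", "ijones", "ijones@indigo.example"),
    Person("o=Indigo Insurance/ou=IT/cn=Bill Orange",
           "Bill Orange", "bill", "bill@indigo.example", may_log_in=False),
]


@dataclass
class Result:
    outcome: str                        # "allow", "deny", "next" or "ambiguous"
    profile: Optional[str] = None       # ENS name of the login profile
    prompt_for: Optional[str] = None    # extra identification to ask the user for


def ens_authority(typed: str, password: str, ens: List[Person] = ENS) -> Result:
    # Search Name, then Username, then Email Address; stop at the first
    # attribute that yields any match.
    matches: List[Person] = []
    for attr in ("name", "username", "email"):
        matches = [p for p in ens if getattr(p, attr) == typed]
        if matches:
            break
    if not matches:
        return Result("next")            # no person object: try the next authority

    # Each matching object's Username is checked against the supplied password.
    verified = [p for p in matches if unix_password_ok(p.username, password)]
    if not verified:
        return Result("next")            # password mismatch: try the next authority
    if len(verified) > 1:
        # Same Name and same password: the user is prompted for their Username.
        return Result("ambiguous", prompt_for="Username")
    person = verified[0]
    if not person.may_log_in:
        # Cleared attribute: deny, and no further login authorities are tried.
        return Result("deny", profile=person.ens_name)
    return Result("allow", profile=person.ens_name)


def unix_user_authority(typed: str, password: str) -> Result:
    """Model of the UNIX user login authority: no ENS search, fixed profile object."""
    if unix_password_ok(typed, password):
        return Result("allow", profile="o=Tarantella System Objects/cn=UNIX User Profile")
    return Result("deny")                # final authority in the list


Authority = Callable[[str, str], Result]


def login(typed: str, password: str, authorities: List[Authority]) -> Result:
    """Try each enabled login authority in turn; the first decisive answer wins."""
    for authority in authorities:
        result = authority(typed, password)
        if result.outcome != "next":
            return result
    return Result("deny")


if __name__ == "__main__":
    chain = [ens_authority, unix_user_authority]
    for typed, pw in [("indigo", "violet-42"), ("Indigo Jones", "violet-42"),
                      ("Bill Orange", "orchid-7"), ("bill", "wrong")]:
        print(typed, "->", login(typed, pw, chain))
```

The "Bill Orange" case is the one worth studying: his password is correct, so if a cleared May Log In To Tarantella attribute merely fell through to the next authority, the UNIX user login authority would accept the same credentials. Ending the chain, as the page describes, is what makes the attribute an effective lock-out.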
NT login authority
This login authority authenticates against the NT domain controller. An object in ENS is used for the login profile.

The user types either a common name (for example "Indigo Jones"), a username (for example "indigo") or an email address (for example "[email protected]").

- This login authority searches ENS for a person object with a Name attribute matching what the user typed. If there's no match, the search is repeated on the Username attribute, and finally on the Email Address attribute.
- If a match is found, this ENS object is used as the profile object. The Username attribute of the object is treated as the NT username.
- If no match is found, the NT User Profile object is used as the profile object. The name the user typed is used as the NT username.
- The NT username, and the password typed by the user, are checked against the NT domain controller.
- If the password doesn't match, the next login authority is tried.
- If the password matches, the user may log in as long as the May Log In To Tarantella attribute for their person object is checked, or they do not have an ENS object. If this attribute is cleared, the user may not log in and no further login authorities are tried.

The first match of the following is used:
- A person object in ENS with an attribute matching what the user typed.
- The profile object o=Tarantella System Objects/cn=NT User Profile.

The NT login authority uses any login domain information (from the Windows NT Domain field) from the Array Manager Tarantella Login Properties.

LDAP login authority
This login authority searches an external LDAP directory server, named on the Tarantella Login panel of Array Manager, authenticating against that server. An object in ENS is used for the login profile.

The user types either a common name (for example "Indigo Jones"), a username (for example "indigo") or an email address (for example "[email protected]").

- This login authority searches the LDAP directory server for a person object with a common name attribute that matches what the user typed. If there's no match, the search is repeated on the Username attribute, and finally on the Mail attribute. If there's still no match, the next login authority is tried.
- If a match is found, the password supplied by the user is checked against the LDAP person object.
- If the password doesn't match, the next login authority is tried.
- If the password matches, the login authority searches ENS for an object to use as the login profile (see below).
- If the May Log In To Tarantella attribute for the login profile is cleared, the user may not log in and no further login authorities are tried.

The first match of the following is used:
- A person object in ENS with the same name as the LDAP person object, allowing for differences in the naming system. For example, if the LDAP object cn=Indigo Jones,ou=Administration,o=Indigo Insurance is found, this login authority would search ENS for o=Indigo Insurance/ou=Administration/cn=Indigo Jones.
- A person object in ENS with the name cn=LDAP Profile, in the same OU as the LDAP person object. For example, o=Indigo Insurance/ou=Administration/cn=LDAP Profile.
- A person object in ENS with the name cn=LDAP Profile, in any parent OU of the LDAP person object. For example, o=Indigo Insurance/cn=LDAP Profile.

This login authority is disabled by default. For details on how to use an LDAP directory server to determine the login profile, see Defining webtops for LDAP users using login profiles.

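The login-profile resolution just described for the LDAP login authority, which is the same three-rule search used by the "Search LDAP and use closest ENS match" web authentication method earlier on this page, as an added Python example (not Tarantella code, and not from this guide). It rewrites the LDAP DN into the ENS naming system following the page's own example, then walks from the person's OU up through each parent looking for cn=LDAP Profile; web_auth_ldap_profile additionally models the ordered fall-through to the "Search LDAP and use LDAP User Profile" method. The ENS contents are constructed, and the DN handling is an assumption-laden simplification: RDNs are split on plain commas, so escaped commas and multi-valued RDNs are not handled.

```python
# Added example, not Tarantella code: resolving the ENS login profile for a
# user found in the LDAP directory. The ENS contents below are constructed.
from typing import List, Optional

LDAP_USER_PROFILE = "o=Tarantella System Objects/cn=LDAP Profile"


def dn_to_ens_name(dn: str) -> str:
    """Rewrite an LDAP DN into the ENS naming system, following the page's example:
    cn=Indigo Jones,ou=Administration,o=Indigo Insurance
      -> o=Indigo Insurance/ou=Administration/cn=Indigo Jones
    Simplification (assumption): RDNs are split on plain commas, no escape handling."""
    rdns = [rdn.strip() for rdn in dn.split(",") if rdn.strip()]
    return "/".join(reversed(rdns))


def resolve_closest_ens_match(dn: str, ens_names: List[str]) -> Optional[str]:
    """Return the ENS name of the login profile for the LDAP person at `dn`,
    or None if none of the three rules on the page produces a match."""
    ens = set(ens_names)
    same_name = dn_to_ens_name(dn)
    if same_name in ens:                       # rule 1: same name, translated
        return same_name
    if "/" not in same_name:                   # a bare cn= has no OU to search in
        return None
    container = same_name.rsplit("/", 1)[0]    # the person's own OU
    while True:
        candidate = container + "/cn=LDAP Profile"
        if candidate in ens:                   # rule 2 (same OU), then rule 3 (parents)
            return candidate
        if "/" not in container:               # reached the organization: no parents left
            return None
        container = container.rsplit("/", 1)[0]


def web_auth_ldap_profile(dn: str, ens_names: List[str],
                          closest_match_enabled: bool = True,
                          ldap_user_profile_enabled: bool = True) -> Optional[str]:
    """The two LDAP-based web authentication search methods, in the page's order.
    Web server authentication takes the first match it finds."""
    if closest_match_enabled:
        found = resolve_closest_ens_match(dn, ens_names)
        if found is not None:
            return found
    if ldap_user_profile_enabled:
        return LDAP_USER_PROFILE
    return None                                # fall through to the next search method


# Constructed ENS contents for the example.
SAMPLE_ENS = [
    "o=Indigo Insurance/ou=Administration/cn=Indigo Jones",
    "o=Indigo Insurance/ou=Sales/cn=LDAP Profile",
    "o=Indigo Insurance/cn=LDAP Profile",
    LDAP_USER_PROFILE,
]

if __name__ == "__main__":
    for dn in ["cn=Indigo Jones,ou=Administration,o=Indigo Insurance",
               "cn=Violet Carson,ou=Sales,o=Indigo Insurance",
               "cn=Emma Rose,ou=Marketing,ou=Europe,o=Indigo Insurance",
               "cn=Sam Blue,ou=Claims,o=Other Org"]:
        print(dn, "->", resolve_closest_ens_match(dn, SAMPLE_ENS))
```

The walk is nearest-container-first, so a cn=LDAP Profile placed deep in the tree takes precedence over one at the organization level. That ordering is what lets an administrator give one OU a more restricted webtop than the default profile above it, which is the design intent behind the three rules.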
UNIX group login authority
This login authority authenticates against the UNIX user database. An object in ENS is used for the login profile.

The user types a UNIX username, for example "indigo".

- This login authority checks the username and password against the UNIX user database using the standard system mechanisms for doing so.
- If the password doesn't match, the next login authority is tried.
- If the password matches, the login authority searches ENS for an object to use as the login profile (see below).
- If the May Log In To Tarantella attribute for the login profile is cleared, the user may not log in and no further login authorities are tried.

The login authority searches ENS for a person object cn=gid, where gid is the UNIX group ID. If found, this is used as the login profile. Note: only the user's effective or primary group ID is used. If not found, the ENS profile object o=Tarantella System Objects/cn=UNIX User Profile is used for the login profile.

UNIX user login authority
This login authority authenticates against the UNIX user database. An ENS profile object is used for the login profile.

The user types a UNIX username, for example "indigo".

- This login authority checks the username and password against the UNIX user database using the standard system mechanisms for doing so.
- If the password doesn't match, the user may not log in (this is the final login authority in the list).
- If the password matches then the user may log in.

The ENS profile object o=Tarantella System Objects/cn=UNIX User Profile is used for the login profile.

SecurID login authority
This login authority authenticates against the RSA SecurID® product from RSA Security Inc. An object in ENS is used for the login profile.

The user types their RSA SecurID username, for example "indigo".

- This login authority searches ENS for a person object with a Name attribute matching what the user typed. If there's no match, the search is repeated on the Username attribute, and finally on the Email Address attribute.
- If a match is found, this ENS object is used as the profile object. The Username attribute of the object is treated as the RSA SecurID username.
- If no match is found, the SecurID User Profile object is used as the profile object. The name the user typed is used as the RSA SecurID username.
- The RSA SecurID username, and the passcode typed by the user, are checked against the RSA ACE/Server®.

The first match of the following is used:
- A person object in ENS with an attribute matching what the user typed.
- The profile object o=Tarantella System Objects/cn=SecurID User Profile.
Note: SecurID authentication does not support ambiguous users, and so ambiguous login requests are denied.

This login authority is disabled by default. The SecurID login authority is only available if you have a Tarantella Security license key installed.