Tarantella Login properties (array-wide)

Use the attributes on the Array Manager Tarantella Login Properties panel to control how users log in to Tarantella. The attributes apply to all array members and take effect immediately.

Use the tarantella config command to list and edit these settings.

Attribute / Command Line / Description

Login Theme
--login-theme theme_name

Choose the login theme to be used across the array. The login theme determines the style and appearance of the page users see when logging in to Tarantella from a web browser.

Web Authentication: search methods
--login-web-ens 1 | 0

--login-web-ldap-ens 1 | 0

--login-web-ldap-profile 1 | 0

--login-web-profile 1 | 0

Select one or more search methods you want Tarantella to use to find a login profile for a user who has been authenticated by a web server.
  • Search ENS for matching person - Searches ENS for a person object with a Name, Username or Email Address attribute that matches the user's web username.
    Profile used: Person object
  • Search LDAP and use closest ENS match - Searches ENS for a person object with a Name, Username or Email Address attribute that matches the user's web username.
    Profile used: The first match of the following:
    1. A person object in ENS with the same name as the LDAP person object, allowing for differences in the naming system. For example, if the LDAP object cn=Indigo Jones,ou=Administration,o=Indigo Insurance is found, this login authority would search ENS for o=Indigo Insurance/ou=Administration/cn=Indigo Jones.
    2. A person object in ENS, with the name cn=LDAP Profile, in the same OU as the LDAP person object. For example, o=Indigo Insurance/ou=Administration/cn=LDAP Profile.
    3. A person object in ENS, with the name cn=LDAP Profile, in any parent OU for the LDAP person object. For example, o=Indigo Insurance/cn=LDAP Profile.
  • Search LDAP and use LDAP User Profile - Searches an LDAP directory server for an object with a common name, Username or Mail attribute that matches the user's web username. Each attribute type is searched in turn until a match is found.
    Profile used: LDAP profile "o=Tarantella System Objects/cn=LDAP Profile"
  • Use Web User Profile - No search is performed.
    Profile used: Web user profile "o=Tarantella System Objects/cn=Web User Profile"

Selecting a search method enables web server authentication.

If more than one box is checked, the search methods are used in the order shown above. However, web server authentication does not support ambiguous users and so the first match found is used.

If the searches do not produce a match, the standard login page displays and the user must log in to Tarantella in the normal way.
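The lookup order for "Search LDAP and use closest ENS match", worked through as an added example (not Tarantella code; the function names are hypothetical). It assumes simple DNs built from cn/ou/o components, as in the example above, and a constructed set of ENS objects.

```python
# Added illustration, not Tarantella code; function names are hypothetical.
# Assumes simple DNs built from cn/ou/o parts with no escaped commas.

def parse_ldap_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs, most specific first."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def ens_name(rdns):
    """ENS names read from the organization down, separated by '/'."""
    return "/".join(f"{attr}={value}" for attr, value in reversed(rdns))


def candidate_profiles(ldap_dn, profile_cn="LDAP Profile"):
    """Return the ENS names to try, in the documented order."""
    rdns = parse_ldap_dn(ldap_dn)
    candidates = [ens_name(rdns)]          # 1. same name as the LDAP object
    containers = rdns[1:]                  # the person's OU chain
    while containers:                      # 2. same OU, then 3. each parent
        candidates.append(ens_name([("cn", profile_cn)] + containers))
        containers = containers[1:]
    return candidates


def first_match(ldap_dn, ens_objects):
    """Return the first candidate that exists in ENS, or None."""
    for name in candidate_profiles(ldap_dn):
        if name in ens_objects:
            return name
    return None


if __name__ == "__main__":
    dn = "cn=Indigo Jones,ou=Administration,o=Indigo Insurance"
    ens = {"o=Indigo Insurance/cn=LDAP Profile"}   # constructed sample
    for name in candidate_profiles(dn):
        print(name)
    print("profile used:", first_match(dn, ens))
```

A cn=LDAP Profile object high in the tree acts as a catch-all: any LDAP user below it with no closer match receives that profile, so review what it grants.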

Web Authentication: Tokens
--login-web-tokenvalidity int

The validity period of the web authentication token in seconds. The number of seconds must be between 1 and 600. The default value is 180.

If web authentication is enabled, when a user goes to the Tarantella URL, the web server generates a token and this is accepted by the Tarantella server as proof of authentication. Each token is valid only once.

The token may need to be valid for a few minutes to allow client devices to download the Tarantella Java™ archive. If all users have the archive already installed, you can reduce the validity period to a few seconds.

We recommend you use secure (HTTPS) web servers to ensure a token can't be intercepted and used by a third party while still valid.

Web Authentication: Web server username
--login-web-user string

The username of the user that owns web server (httpd) processes.

The default is ttaserv as this is the user used by the Tarantella Web Server.

If you use your own web server, you must change this to the user you use for your web server, typically nobody.

This user is a trusted user for web authentication. We recommend you restrict access to this user and you restrict the processes that run as this user. It is more secure to have a user that is used to run the web server and nothing else.

Note: You must restart all array members for a change to this setting to take effect.

Login Authorities
--login-anon 1 | 0

--login-ens 1 | 0

--login-nt 1 | 0

--login-ldap 1 | 0

--login-unix-group 1 | 0

--login-unix-user 1 | 0

--login-securid 1 | 0

Select the check box next to one or more login authorities to enable or disable them.

The login authorities are listed in the order in which they are tried. If one login authority authenticates the user, no more login authorities are tried.

The Anonymous user login authority is only available if you are using concurrent user licensing.

The SecurID® login authority is only available if you have a Tarantella Security license key installed.

Windows NT Domain
--login-nt-domain dom

The name of the Windows NT, Windows 2000 or Windows 2003 domain that the NT login authority uses to authenticate users.

LDAP Server URL
--login-ldap-url url

The location of the LDAP directory server used to authenticate users (if you are using the LDAP login authority) and/or to determine webtop content (if you are using web authentication or LDAP searches). The URL should take the form ldap://server:port/searchroot:

  • server is the DNS name of the LDAP directory server.
  • port is the TCP port on which the LDAP directory server listens for connections. You can omit this (and the preceding ":") to use the default port.
  • searchroot is the position in the LDAP directory structure from which the LDAP login authority should start searching for matching users, for example dc=indigo-insurance,dc=com.

Use an ldaps:// URL if your LDAP directory server requires or allows SSL connections. To use SSL connections, you must also install the Tarantella Security Pack on each array member and Tarantella security services must be running.
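A pre-deployment check for a --login-ldap-url value, as an added example (not Tarantella code). It parses the documented form, fills in the standard default port when none is given, and reports settings worth reviewing; the host name below is constructed and the finding texts are this example's own wording.

```python
from urllib.parse import urlsplit

# Added illustration, not Tarantella code. Port numbers are the standard
# LDAP defaults; the finding texts are this example's wording.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def check_ldap_url(url):
    """Parse ldap[s]://server[:port]/searchroot and list review findings."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"expected ldap:// or ldaps://, got {url!r}")
    if not parts.hostname:
        raise ValueError(f"no server name in {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]   # port may be omitted
    searchroot = parts.path.lstrip("/")
    findings = []
    if scheme == "ldap":
        findings.append("ldap:// does not use SSL; "
                        "use ldaps:// if the server allows it")
    other = "ldaps" if scheme == "ldap" else "ldap"
    if port == DEFAULT_PORTS[other]:
        findings.append(f"port {port} is the usual {other}:// port; "
                        "check scheme and port")
    if not searchroot:
        findings.append("no searchroot given")
    elif "=" not in searchroot:
        findings.append(f"searchroot {searchroot!r} does not look like a DN")
    return {"server": parts.hostname, "port": port,
            "searchroot": searchroot, "findings": findings}


if __name__ == "__main__":
    # Constructed sample values using the page's example search root.
    for sample in (
        "ldap://ldap.indigo-insurance.com/dc=indigo-insurance,dc=com",
        "ldaps://ldap.indigo-insurance.com:636/dc=indigo-insurance,dc=com",
    ):
        print(sample, "->", check_ldap_url(sample))
```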

LDAP Server Username/Password

Use the tarantella passcache new --ldap command.

Some LDAP directory servers don't need a username and password. Other LDAP directory servers require a username and password for a sufficiently privileged LDAP user: use a full username such as cn=Bill Orange,cn=Users,dc=indigo-insurance,dc=com.

Note: For security reasons, the password is not displayed even if it has been previously set.

Related topics
  • Introducing Array Manager
  • Login authorities
  • Introducing web server authentication
  • Using Tarantella with an LDAP directory server
  • Which LDAP directory servers are supported?
  • How do I enable the NT login authority?
  • Introducing SecurID authentication