User Management
Monitor manages users, but not passwords. Instead, the server can authenticate users against an LDAP system, or it can use the operating system as an authentication proxy.
The latter means that any user who can authenticate with the operating system can also log in to the Monitor interface with the same user name. The details of this process differ per platform, as described below.
Additionally, VovUserGroups can be created and used to assign roles. For example, the vovusergroup utility can create a VovUserGroup called "mygroup" that is based on a UNIX group or an LDAP group of the same name.
- UNIX
  % vovusergroup populate mygroup -unix mygroup
- LDAP
  % vovusergroup populate mygroup -ldap mygroup
The command can be run manually or, more practically, as a scheduled task. After the "mygroup" VovUserGroup exists, it can be assigned a security role as shown for the "queuemgrs" group in the Security Principles section.
LDAP Authentication
set config(enableLdap) 1
% vovproject enable licmon
% vovproject reread
OS-based Authentication on UNIX
% cd $VOVDIR/..
% ./scripts/SETTASKERUID.csh
Again, this authentication mode is only used when PAM cannot service the authentication request, and at no time is the password decrypted from its hashed form that is found in the local password database.
OS-based Authentication on Windows
When Monitor is running on Windows, the Windows API is used. The API supports both local and domain users. To log in as a local user, simply enter the user name. To log in as a domain user, use the format of domain/user. Note that Windows allows for mixed-case authentication (i.e., joe = Joe = JOE). Because of this, the case used in the security principle and/or tag data access configurations must match the user name that is being used to log in. See below for more details on configuring security principles and tag data access.
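
The case-matching requirement above can be audited offline. The following is an added example, not part of the original documentation or of Monitor itself: it compares the names written in the configuration with the names users type at login and reports pairs that differ only by case. Both name lists are constructed sample data, how the names are extracted from a Monitor configuration is not shown, and the whole domain/user string is compared as typed (an assumption).

```python
from collections import defaultdict


def audit_case(configured, logins):
    """Compare names as configured with names as typed at login.

    Returns (mismatches, collisions):
      mismatches - (login, configured) pairs that are equal when case is
                   ignored but not byte-for-byte, so Windows accepts the
                   login while the configured entry does not match it
      collisions - groups of configured names that differ only by case
    """
    by_folded = defaultdict(set)
    for name in configured:
        by_folded[name.casefold()].add(name)

    # Two configured spellings of the same Windows account are ambiguous.
    collisions = sorted(sorted(g) for g in by_folded.values() if len(g) > 1)

    mismatches = []
    for login in sorted(set(logins)):
        variants = by_folded.get(login.casefold(), set())
        # Flag only when some spelling is configured but not this exact one.
        if variants and login not in variants:
            mismatches.extend((login, c) for c in sorted(variants))
    return mismatches, collisions


# Constructed sample data (hypothetical names, not taken from any real site).
CONFIGURED = ["joe", "CORP/alice", "Bob", "bob"]
LOGINS = ["Joe", "joe", "corp/Alice", "bob", "carol"]

if __name__ == "__main__":
    mismatches, collisions = audit_case(CONFIGURED, LOGINS)
    for login, conf in mismatches:
        print(f"login '{login}' authenticates but is configured as '{conf}'")
    for group in collisions:
        print("configured names differ only by case: " + ", ".join(group))
```
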