Multimethod Authentication Module
AMPS includes a module that supports the commonly used infrastructure for enterprise authentication. In this release, the module includes support for LDAP or Kerberos authentication.
In this release, the multimechanism authentication module is provided with AMPS, but is not loaded by default. This module is an optional extension to the AMPS product, and while it is included with the AMPS distribution, the module must be explicitly loaded, enabled, and configured.
This module provides authentication, but does not provide an entitlement mechanism. When planning a strategy for securing AMPS using this module, you will also need to plan a strategy to manage entitlements.
When to Use the Multimechanism Authentication Module
60East recommends using this module when integrating AMPS authentication into an existing infrastructure. If your environment does not have an existing infrastructure that offers one of the authentication methods supported by this module, it is typically easier to use the HTTP authentication and entitlement module than it is to implement or deploy a new authentication system.
The AMPS Multimechanism authentication module can be a good option when:
The site has an existing authentication infrastructure for users that need to be authenticated to AMPS, and that infrastructure supports authentication using:
Kerberos, or
LDAP
The authentication infrastructure is relatively stable and well-supported, with support for adding AMPS to the set of applications that use this infrastructure.
Setting Authentication Mechanisms
To enable a particular authentication mechanism in the multimechanism authentication module, you simply provide configuration parameters for that mechanism.
For example, if you provide configuration parameters for an LDAP server, the module will enable LDAP. If you provide configuration parameters for Kerberos, the module will enable Kerberos.
When more than one authentication mechanism is enabled, the module will attempt to detect the authentication mechanism used for a given logon request based on the credentials provided. If the module cannot determine the mechanism to use for a given request, and there is more than one mechanism configured, the module defaults to the mechanism specified in the DefaultAuthenticationMechanism in the module options.
Notice, however, that the module does not allow a mechanism that accepts arbitrary passwords (in this release, LDAP) to be configured with a mechanism that accepts passwords of a specific format (in this release, Kerberos). In this release, the practical result is that a given module can be configured to use Kerberos or LDAP for authentication, but cannot be configured to use both.
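As an added illustration (not the module's own code), the following Python models the configuration and mechanism-selection rules described above. The AuthConfig shape and the Kerberos-token heuristic (GSS-API tokens begin with the 0x60 tag byte) are assumptions, not details of the AMPS implementation.

```python
from dataclasses import dataclass
from typing import Optional

# Mechanism classes as the text describes them: LDAP accepts arbitrary
# passwords, Kerberos expects a credential of a specific format.
ARBITRARY_PASSWORD = {"LDAP"}
FIXED_FORMAT = {"Kerberos"}


@dataclass
class AuthConfig:
    mechanisms: frozenset           # mechanisms for which configuration was provided
    default: Optional[str] = None   # DefaultAuthenticationMechanism option


def config_error(cfg: AuthConfig) -> Optional[str]:
    """Return why the configuration is rejected, or None if it is acceptable."""
    if not cfg.mechanisms:
        return "no authentication mechanism configured; module fails to initialize"
    if cfg.mechanisms & ARBITRARY_PASSWORD and cfg.mechanisms & FIXED_FORMAT:
        return "an arbitrary-password mechanism cannot be combined with a fixed-format one"
    if len(cfg.mechanisms) > 1 and cfg.default not in cfg.mechanisms:
        return "DefaultAuthenticationMechanism must name a configured mechanism"
    return None


def looks_like_kerberos_token(credential: bytes) -> bool:
    """Assumption: a Kerberos credential arrives as a GSS-API InitialContextToken,
    whose DER encoding starts with the [APPLICATION 0] tag byte 0x60 (RFC 2743)."""
    return len(credential) > 0 and credential[0] == 0x60


def select_mechanism(cfg: AuthConfig, credential: bytes) -> str:
    """Pick the mechanism for one logon request following the rules in the text."""
    err = config_error(cfg)
    if err:
        raise ValueError(err)
    if len(cfg.mechanisms) == 1:
        return next(iter(cfg.mechanisms))      # only one candidate, nothing to detect
    if "Kerberos" in cfg.mechanisms and looks_like_kerberos_token(credential):
        return "Kerberos"                      # the credential format identifies it
    return cfg.default                         # undetermined: fall back to the default


if __name__ == "__main__":
    # Constructed sample inputs (not real tokens or passwords).
    print(select_mechanism(AuthConfig(frozenset({"Kerberos"})), b"\x60\x0b\x06\x09"))
    print(config_error(AuthConfig(frozenset({"LDAP", "Kerberos"}), "LDAP")))
```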
Configuring AMPS to use the Multimechanism Authentication Module
The multimechanism authentication module is included in the AMPS distribution, but is not loaded in AMPS by default. To load the module, add the following configuration item to the Modules block in your AMPS configuration:
This module does not require any options as part of the module configuration and ignores any options provided when the module is loaded.
This module supports the following options when used in an Authentication block:
Kerberos Options
LDAP Options
General Options
The module must be configured with at least one authentication method. Otherwise, the module fails to initialize and AMPS will halt the startup process.
For example, the following configuration loads the module and configures the module to use LDAP authentication by contacting the server myenterprise-auth-server on port 9389. In this case, the LDAP server does not require authentication. Otherwise, the configuration would provide the service account DN and password for the server.
The configuration below loads the module and configures the module to use Kerberos for clients that provide a Kerberos token on logon. For Kerberos, AMPS will use the SPN AMPS/host.domain.com and the keytab file at /path/to/amps.keytab.