Multimethod Authenticator

Providing Replication Credentials with the AMPS Multimechanism Authenticator Module

AMPS includes a module that can provide credentials for outgoing replication connections, that is designed for use when the multimechanism authenticator module is in use for the destination AMPS instance.

In this release, this module can provide credentials for both LDAP and Kerberos authenticator mechanisms. This module is provided with AMPS, but it is not loaded by default. This module is an optional extension to the AMPS product and while it is included with the AMPS distribution, the module must be explicitly loaded, enabled, and configured.

When to Use the Multimechanism Authenticator Module

60East recommends using this module when a replication connection is authenticated and uses the AMPS multimechanism module with Kerberos configured. This module can also be useful when LDAP is configured, however, in many environments the password capabilities of the amps-default-authenticator module can be sufficient for LDAP authentication.

Setting Authentication Mechanisms

To enable a particular authentication mechanism in the multimechanism authenticator module, you simply provide configuration parameters for that mechanism.

For example, if you provide configuration parameters for an LDAP server, the module will enable LDAP. If you provide configuration parameters for Kerberos, the module will enable Kerberos.

Configuring AMPS to use the Multimechanism Authenticator Module

The multimechanism authenticator module is included in the AMPS distribution, but is not loaded in AMPS by default. To load the module, add the following configuration item to the Modules block in your AMPS configuration:

<Modules>
    ...

    <Module>
        <Name>multimech-authenticator</Name>
        <Library>libamps_multi_authenticator.so</Library>
    </Module>

    ...
</Modules>

This module does not require any options as a part of the module configuration and ignores any options provided when the module is loaded.

This module supports the following options when used in an Authenticator block:

Kerberos Options

Option Description

Option	Description
`Kerberos.Keytab`	Sets a keytab file to use for Kerberos authentication. This option must be set to the path of the file, which can be either an absolute path or a relative path based on the current working directory of the AMPS server process. When this option is specified, the module will provide Kerberos authentication and a `Kerberos.SPN` must be specified. There is no default for this parameter.
`Kerberos.SPN`	Sets the Service Principal Name (SPN) to use for Kerberos authentication. When this option is specified, the module will provide Kerberos authentication and a `Kerberos.Keytab` must be specified. There is no default for this parameter.

Kerberos.Keytab

Sets a keytab file to use for Kerberos authentication. This option must be set to the path of the file, which can be either an absolute path or a relative path based on the current working directory of the AMPS server process.

When this option is specified, the module will provide Kerberos authentication and a Kerberos.SPN must be specified.

There is no default for this parameter.

Kerberos.SPN

Sets the Service Principal Name (SPN) to use for Kerberos authentication.

When this option is specified, the module will provide Kerberos authentication and a Kerberos.Keytab must be specified.

There is no default for this parameter.

LDAP Options

Option Description

Option	Description
`LDAP.Username`	Sets the username to provide when authenticating to a destination that uses LDAP authentication.When this option is specified, the module will provide LDAP authentication. This parameter is required if the `LDAP.PasswordFile` parameter is specified.There is no default for this parameter.
`LDAP.PasswordFile`	Specifies the file name from which to read the password to provide when authenticating to a destination that uses LDAP authentication.When this option is specified, the module will provide LDAP authentication and an `LDAP.Username` must also be specified.There is no default for this parameter.

LDAP.Username

Sets the username to provide when authenticating to a destination that uses LDAP authentication.When this option is specified, the module will provide LDAP authentication. This parameter is required if the LDAP.PasswordFile parameter is specified.There is no default for this parameter.

LDAP.PasswordFile

Specifies the file name from which to read the password to provide when authenticating to a destination that uses LDAP authentication.When this option is specified, the module will provide LDAP authentication and an LDAP.Username must also be specified.There is no default for this parameter.

The module must be configured with at least one method for providing credentials. Otherwise, the module fails to initialize and AMPS will halt the startup process.

For example, the following configuration loads the module and configures the module to provide Kerberos tokens to the destination at my-failover-partner:4000.

<AMPSConfig>

    <Modules>
        ...

        <Module>
            <Name>multi-authenticator</Name>
            <Library>libamps_multi_authenticator.so</Library>
        </Module>

        ...
    </Modules>

    ...

    <Replication>

        ...

        <Destination>
            <Transport>

              <Type>amps-replication</Type>
              <InetAddr>my-failover-partner:4000</InetAddr>

              <Authenticator>
                   <Module>multi-authenticator</Module>
                   <Options>
                         <Kerberos.SPN>AMPS/host.domain.com</Kerberos.SPN>
                         <Kerberos.Keytab>/path/to/amps.keytab</Kerberos.Keytab>
                   </Options>
              </Authenticator>

            </Transport>
        </Destination>

     </Replication>

</AMPSConfig>

PreviousOptional Authenticator Modules NextCommand Execution Authenticator

Last updated 2 months ago