Multimethod Authenticator
Providing Replication Credentials with the AMPS Multimechanism Authenticator Module
AMPS includes a module that can provide credentials for outgoing replication connections. The module is designed for use when the multimechanism authenticator module is in use for the destination AMPS instance.
In this release, this module can provide credentials for both LDAP and Kerberos authenticator mechanisms. The module is an optional extension to the AMPS product: it is included with the AMPS distribution but is not loaded by default, and it must be explicitly loaded, enabled, and configured.
When to Use the Multimechanism Authenticator Module
60East recommends using this module when a replication connection is authenticated and uses the AMPS multimechanism module with Kerberos configured. This module can also be useful when LDAP is configured. However, in many environments the password capabilities of the amps-default-authenticator module can be sufficient for LDAP authentication.
Setting Authentication Mechanisms
To enable a particular authentication mechanism in the multimechanism authenticator module, you simply provide configuration parameters for that mechanism.
For example, if you provide configuration parameters for an LDAP server, the module will enable LDAP. If you provide configuration parameters for Kerberos, the module will enable Kerberos.
Configuring AMPS to use the Multimechanism Authenticator Module
The multimechanism authenticator module is included in the AMPS distribution, but is not loaded in AMPS by default. To load the module, add the following configuration item to the Modules block in your AMPS configuration:
This module does not require any options as a part of the module configuration and ignores any options provided when the module is loaded.
This module supports the following options when used in an Authenticator block:
Kerberos Options
Option | Description |
---|---|
| Sets a keytab file to use for Kerberos authentication. This option must be set to the path of the file, which can be either an absolute path or a relative path based on the current working directory of the AMPS server process. When this option is specified, the module will provide Kerberos authentication and a There is no default for this parameter. |
| Sets the Service Principal Name (SPN) to use for Kerberos authentication. When this option is specified, the module will provide Kerberos authentication and a There is no default for this parameter. |
LDAP Options
Option | Description |
---|---|
| Sets the username to provide when authenticating to a destination that uses LDAP authentication. When this option is specified, the module will provide LDAP authentication. This parameter is required if the |
| Specifies the file name from which to read the password to provide when authenticating to a destination that uses LDAP authentication. When this option is specified, the module will provide LDAP authentication and an |
The module must be configured with at least one method for providing credentials. Otherwise, the module fails to initialize and AMPS will halt the startup process.
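A pre-flight check for the keytab and LDAP password files described in the options above, as an added example that is not part of the AMPS documentation or distribution. It resolves relative paths against the server's working directory, as the keytab option describes, and flags files that group or other users can access; the function names, file names and the owner-only permission policy are assumptions of this example.

```python
import os
import stat
import tempfile

def check_credential_file(path, amps_cwd):
    """Return a list of problems for one credential file (keytab or password file)."""
    # Relative paths resolve against the AMPS server process's working directory.
    resolved = path if os.path.isabs(path) else os.path.join(amps_cwd, path)
    resolved = os.path.normpath(resolved)
    try:
        st = os.stat(resolved)
    except OSError as exc:
        return [f"{resolved}: cannot stat ({exc.strerror})"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{resolved}: not a regular file")
    # Assumption of this example: only the AMPS service account may touch the secret.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"{resolved}: mode {mode:04o} grants group/other access")
    return problems

def preflight(amps_cwd, keytab=None, password_file=None):
    """Check the files the authenticator would read (hypothetical helper)."""
    if keytab is None and password_file is None:
        # Mirrors the documented rule: with no mechanism configured, startup halts.
        return ["no credential mechanism configured"]
    problems = []
    for path in (keytab, password_file):
        if path is not None:
            problems += check_credential_file(path, amps_cwd)
    return problems

def demo():
    """Constructed sample: a temp dir stands in for the AMPS working directory."""
    with tempfile.TemporaryDirectory() as cwd:
        keytab = os.path.join(cwd, "amps.keytab")
        with open(keytab, "wb") as fh:
            fh.write(b"constructed placeholder, not a real keytab")
        os.chmod(keytab, 0o644)
        loose = preflight(cwd, keytab="amps.keytab")
        os.chmod(keytab, 0o600)
        tight = preflight(cwd, keytab="amps.keytab")
        missing = preflight(cwd, password_file="ldap.pw")
        return loose, tight, missing, preflight(cwd)

if __name__ == "__main__":
    for result in demo():
        print(result or "ok")
```

Run it as the account that starts AMPS, from the directory AMPS is started in, so the path resolution matches what the server will see.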
For example, the following configuration loads the module and configures the module to provide Kerberos tokens to the destination at my-failover-partner:4000.