Chapter 12: Remote Authentication
188
2. CC-SG connects to the external server and sends the username and
password.
3. Username and password are either accepted or rejected and sent
back. If authentication is rejected, this results in a failed login
attempt.
4. If authentication is successful, authorization is performed. CC-SG
checks if the username entered matches a group that has been
created in CC-SG or imported from AD, and grants privileges
according to the assigned policy.
When remote authentication is disabled, both authentication and
authorization are performed locally on CC-SG.
User Accounts
User Accounts must be added to the authentication server for remote
authentication. Except when using AD for both authentication and
authorization, all remote authentication servers require that users be
created on CC-SG. The user's username on both the authentication
server and on CC-SG must be the same, although the passwords may
be different. The local CC-SG password is used only when remote
authentication is disabled. See Users and User Groups (on page 156)
for details on adding users who will be remotely authenticated.
Note: If remote authentication is used, users must contact their
Administrators to change their passwords on the remote server.
Passwords cannot be changed on CC-SG for remotely authenticated
users.
Distinguished Names for LDAP and AD
Configuration of remotely authenticated users on LDAP or AD servers
requires entering usernames and searches in Distinguished Name
format. The full Distinguished Name format is described in RFC2253
(http://www.rfc-editor.org/rfc/rfc2253.txt).
To configure CC-SG, you must know how to enter Distinguished Names
and the order in which each component of the name should be listed.
Specify a Distinguished Name for AD
Distinguished Names for AD should follow this structure. You do not
have to specify both common name and organization unit:
common name (cn), organizational unit (ou), domain component (dc)