Users and Groups


The following sections describe users and groups in TIBCO Enterprise Message Service.

Users

Users are named identities by which a client identifies itself to the server. When a client logs in, the connect request should carry a username and the password associated with that username.

In special cases you may wish to allow anonymous access to the server, in which case a connect request need not supply a username or password. To allow anonymous logins, create a user named anonymous and give it no password; anonymous logins are refused unless this user exists.
Clients logging in anonymously can perform only the actions that the anonymous user has been granted, so keep that user's permissions to the minimum that anonymous clients need.

There is one predefined user, admin. The administrator user is set up when TIBCO Enterprise Message Service is installed, and this user performs administrative tasks, such as creating other users.

You can create and remove users and change passwords by specifying the users in the users.conf configuration file, using the tibemsadmin tool, or by using the administration APIs. For more information about specifying users in the configuration file, see users. For more information about specifying users using the tibemsadmin tool, see Chapter 8, Using the Administration Tool. For more information on the administration APIs, see the online documentation.

Groups

Groups allow you to create classes of users. Groups make access control administration significantly simpler because you can grant and revoke permissions to large numbers of users with a single operation on the group. Each user can belong to as many groups as necessary. A user’s permissions are the union of the permissions of the groups the user belongs to, in addition to any permissions granted to the user directly.

You can create, remove, or add users to groups by specifying the groups in groups.conf, using the tibemsadmin tool, or by using the administration APIs. For more information about specifying groups in the configuration file, see groups. For more information about specifying groups using the tibemsadmin tool, see Chapter 8, Using the Administration Tool. For more information on the administration APIs, see the online documentation.

Configuring an External Directory

You can define user authentication and group information either in EMS server configuration files, or in an external directory (such as an LDAP server).

External User Authentication

TIBCO Enterprise Message Service can be configured to authenticate users stored in an external directory server, such as an LDAP server.

The parameter user_auth in tibemsd.conf guides the EMS server when authenticating users. When a user attempts to authenticate to the EMS server, this parameter specifies the source of authentication information. This parameter can have one or more of the following values (separated by comma characters):

Each time a user attempts to authenticate, the server seeks corresponding authentication information from each of the specified locations in the order that this parameter specifies. The EMS server accepts successful authentication using any of the specified sources.

Group Information

Group information stored in an external directory can also be retrieved by the TIBCO Enterprise Message Service server. Static and dynamic groups are supported and you can configure the TIBCO Enterprise Message Service server to retrieve either or both.

Administration Commands and External Users and Groups

You can perform administrative commands on users and groups defined either locally (in the EMS server's local configuration files) or in an external LDAP directory, and you can combine users and groups from different locations: for example, you can grant and revoke permissions for LDAP-defined users and groups, or add LDAP-defined users to locally-defined groups.

Combining authentication sources requires that the configuration parameter user_auth includes both ldap and local.

When you attempt to view users and groups using the show user/s or show group/s commands, any users and groups that exist in external directories have an asterisk next to their names. Users and groups from external directories will only appear in the output of these commands in the following situations:

Therefore, not all users and groups defined in the external directory may appear when the show user/s or show group/s commands are executed. Only the users and groups that meet the above criteria at the time the command is issued will appear.

You can create users and groups with the same names as externally-defined users and groups. If a user or group exists in the server's configuration and is also defined externally, the local definition takes precedence. Locally-defined users and groups have no asterisk by their names in the show user/s or show group/s output.

You can also issue the delete user or delete group command to delete users and groups from the local server's configuration. Deleting a user or group also deletes the permissions assigned to it. If the user or group is defined externally, the delete removes it from the server's memory and removes its entries from the access control list, but has no effect on the external directory: the externally-defined user can log in again, at which point it is re-created in the server's memory along with the groups it belongs to, but with none of its former permissions, which must be re-granted.
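The following model is an added example, not part of this guide and not the EMS product or its administration API. It encodes the rules stated in this section and in Groups above as runnable Python so their interactions can be checked: user_auth sources are consulted in order, a user's effective permissions are the union of direct grants and the grants of every group it belongs to, local definitions shadow external ones, externally-defined users and their groups appear in server memory only after a login, and delete user removes ACL entries without touching the directory. The class, its methods and the sample users and destinations are hypothetical; where the chapter is silent (how external group membership applies, whether deleting an external user touches groups.conf membership) the code states its assumption in a comment.

```python
"""Model of the user/group/permission rules described in this chapter.
Added example; the class and its methods are illustrative, not the EMS API."""
from collections import defaultdict


class EmsAuthzModel:
    def __init__(self, local_users, local_groups, ext_users, ext_groups,
                 user_auth=("local", "ldap")):
        self.user_auth = tuple(user_auth)                 # tibemsd.conf user_auth, in order
        self.local_users = set(local_users)               # users.conf
        self.local_groups = {g: set(m) for g, m in local_groups.items()}  # groups.conf
        self.ext_users = set(ext_users)                   # names the directory authenticates
        self.ext_groups = {g: set(m) for g, m in ext_groups.items()}      # directory groups
        # Server memory, i.e. what 'show users' / 'show groups' list: name -> external?
        self.known_users = {u: False for u in self.local_users}
        self.known_groups = {g: False for g in self.local_groups}
        # ACL: destination -> principal (user or group name) -> set of permissions
        self.acl = defaultdict(lambda: defaultdict(set))

    def login(self, name):
        """Identity resolution only; password checking is out of scope here."""
        ok = any((src == "local" and name in self.local_users) or
                 (src == "ldap" and name in self.ext_users) for src in self.user_auth)
        if ok and name in self.ext_users and name not in self.local_users:
            # An externally-defined user (a local one of the same name would win)
            # is created in server memory on login, with its external groups.
            self.known_users[name] = True
            for g, members in self.ext_groups.items():
                if name in members and g not in self.local_groups:
                    self.known_groups[g] = True
        return ok

    def show_users(self):
        return sorted(n + ("*" if ext else "") for n, ext in self.known_users.items())

    def show_groups(self):
        return sorted(n + ("*" if ext else "") for n, ext in self.known_groups.items())

    def groups_of(self, user):
        groups = {g for g, m in self.local_groups.items() if user in m}
        # Assumption: external group membership applies to any user the directory
        # lists as a member, unless a local group of the same name shadows it.
        groups |= {g for g, m in self.ext_groups.items()
                   if user in m and g not in self.local_groups}
        return groups

    def grant(self, destination, principal, perms):
        self.acl[destination][principal] |= set(perms)

    def effective_permissions(self, user, destination):
        """Direct grants plus the union over every group the user belongs to."""
        grants = self.acl[destination]
        perms = set(grants.get(user, ()))
        for g in self.groups_of(user):
            perms |= grants.get(g, set())
        return perms

    def delete_user(self, name):
        """'delete user': drop the user and its ACL entries.  An externally-defined
        user is untouched in the directory and can log in again (without its
        direct grants).  Assumption: groups.conf membership is only removed when
        the user itself is locally defined."""
        self.known_users.pop(name, None)
        for grants in self.acl.values():
            grants.pop(name, None)
        if name in self.local_users:
            self.local_users.discard(name)
            for members in self.local_groups.values():
                members.discard(name)
```

Running the sequence of a grant to a local group, a grant to an external group and a direct grant, then delete user and a second login for the same external user, shows the point made above: the group-derived permissions survive the delete, the direct grant does not.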

Using LDAP Directory Servers

TIBCO Enterprise Message Service has been tested with the following external directory servers:

However, you should be able to use any external directory server that is compliant with LDAP V2.

Table 18, Configuration parameters, lists all parameters for configuring an external directory server. Table 30 shows parameter settings for the default configurations of popular LDAP servers.

Table 30 Default configuration for popular LDAP servers

External Directory Server    Parameter Configuration

iPlanet
  ldap_principal = cn=Directory Manager

  ldap_user_class = Person
  ldap_user_attribute = uid
  ldap_user_base_dn = ou=people, o=<your_organization>
  ldap_user_filter = (&(uid=%s)(objectclass=person))

  ldap_group_base_dn = ou=groups, o=<your_organization>
  ldap_group_filter = (|(&(cn=%s)(objectclass=groupofUniqueNames))(&(cn=%s)(objectclass=groupOfURLs)))
  ldap_static_group_class = groupofuniquenames
  ldap_static_group_attribute = cn
  ldap_static_member_attribute = uniquemember
  ldap_static_group_member_filter = (&(uniquemember=%s)(objectclass=groupofuniquenames))
  ldap_dynamic_group_class = groupofURLs
  ldap_dynamic_group_attribute = cn
  ldap_dynamic_member_url_attribute = memberURL

Active Directory
  ldap_principal = CN=Administrator, CN=Users, DC=<your_domain>

  ldap_user_class = user
  ldap_user_attribute = cn
  ldap_user_filter = (&(cn=%s)(objectclass=user))

  ldap_group_filter = (&(cn=%s)(objectclass=group))
  ldap_static_group_class = group
  ldap_static_group_attribute = cn
  ldap_static_member_attribute = member
  ldap_static_group_member_filter = (&(member=%s)(objectclass=group))

Open LDAP
  ldap_user_class = person
  ldap_user_attribute = cn
  ldap_user_base_dn = ou=people, dc=<your_domain_component>, dc=<your_domain_component>
  ldap_user_filter = (&(cn=%s)(objectclass=person))

  ldap_group_base_dn = ou=groups, dc=<your_domain_component>, dc=<your_domain_component>
  ldap_group_filter = (&(cn=%s)(objectclass=groupofnames))
  ldap_static_group_class = groupofnames
  ldap_static_group_attribute = cn
  ldap_static_member_attribute = member
  ldap_static_group_member_filter = (&(member=%s)(objectclass=groupofnames))

Novell
  ldap_user_class = person
  ldap_user_attribute = cn
  ldap_user_base_dn = ou=people, o=<your_organization>
  ldap_user_filter = (&(cn=%s)(objectclass=person))

  ldap_group_base_dn = ou=groups, o=<your_organization>
  ldap_group_filter = (&(cn=%s)(objectclass=groupofnames))
  ldap_static_group_class = groupofnames
  ldap_static_group_attribute = cn
  ldap_static_member_attribute = uniquemember
  ldap_static_group_member_filter = (&(uniquemember=%s)(objectclass=groupofnames))

In each filter, %s is replaced by the value being looked up: the login name in ldap_user_filter and ldap_group_filter, and the user's distinguished name in ldap_static_group_member_filter. The ldap_principal values shown are the directories' default administrative accounts; for production use, a dedicated account whose read access is limited to the user and group subtrees is preferable, since its password has to be held in the EMS server configuration.
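As an added example (not TIBCO code and not the server's own lookup logic), the following Python resolves a login name to its entry and then to its groups using the iPlanet templates from Table 30, evaluated against a small constructed in-memory directory. It shows what the %s substitution does, why the substituted value should be escaped per RFC 4515 before it goes into the filter (the chapter does not say how the server itself escapes it, so the escaping here is the example's own), how the static member filter is evaluated with the user's DN, and how a dynamic group's memberURL is parsed and evaluated. The directory entries, base DNs and names are constructed; the filter evaluator handles only the operators the table uses, and treats the URL scope one like sub.

```python
"""Resolve an EMS login name to its LDAP entry and groups with the Table 30
filter templates.  Added example over an in-memory directory; not TIBCO code."""
import re

# RFC 4515 escapes for values substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_filter_escape(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template, value):
    # Substitute value for every %s; escaping keeps a crafted login name such as
    # 'alice)(uid=*' from changing the structure of the filter.
    return template.replace("%s", ldap_filter_escape(value))

def parse_filter(text):
    """Parse the RFC 4515 subset Table 30 uses: &, |, ! and attr=value."""
    def node(i):
        if text[i] != "(":
            raise ValueError("expected '(' in filter: " + text)
        if text[i + 1] in "&|!":
            op, subs, i = text[i + 1], [], i + 2
            while text[i] == "(":
                sub, i = node(i)
                subs.append(sub)
            if text[i] != ")":
                raise ValueError("unterminated filter: " + text)
            return (op, subs), i + 1
        end = text.index(")", i)
        attr, _, pattern = text[i + 1:end].partition("=")
        return ("=", attr.strip().lower(), pattern), end + 1
    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing data in filter: " + text)
    return tree

def _pattern_regex(pattern):
    # Unescaped '*' is a wildcard; \XX hex escapes are literal characters.
    out, i = "", 0
    while i < len(pattern):
        if pattern[i] == "\\":
            out, i = out + re.escape(chr(int(pattern[i + 1:i + 3], 16))), i + 3
        elif pattern[i] == "*":
            out, i = out + ".*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$", re.IGNORECASE | re.DOTALL)

def matches(tree, entry):
    op = tree[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(t, entry) for t in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    regex = _pattern_regex(tree[2])
    return any(regex.match(v) for v in entry.get(tree[1], []))

def dn_in_scope(dn, base, scope):
    # Scope 'one' is treated like 'sub' here for brevity.
    norm = lambda d: ",".join(p.strip().lower() for p in d.split(","))
    dn, base = norm(dn), norm(base)
    return dn == base if scope == "base" else dn == base or dn.endswith("," + base)

def parse_member_url(url):
    # RFC 2255 LDAP URL as stored in memberURL: ldap://host/base?attrs?scope?filter
    if not url.lower().startswith("ldap://"):
        raise ValueError(url)
    fields = url[len("ldap://"):].partition("/")[2].split("?") + [""] * 3
    base, _attrs, scope, flt = fields[:4]
    return {"base": base, "scope": scope.lower() or "base", "filter": flt or "(objectclass=*)"}

# Constructed sample directory laid out like the iPlanet defaults in Table 30.
PEOPLE = {"objectclass": ["top", "person", "inetOrgPerson"]}
DIRECTORY = {
    "uid=alice,ou=people,o=example": dict(PEOPLE, uid=["alice"], departmentnumber=["42"]),
    "uid=bob,ou=people,o=example": dict(PEOPLE, uid=["bob"], departmentnumber=["7"]),
    "cn=ops,ou=groups,o=example": {"objectclass": ["top", "groupOfUniqueNames"],   # static
        "cn": ["ops"], "uniquemember": ["uid=alice,ou=people,o=example"]},
    "cn=eng,ou=groups,o=example": {"objectclass": ["top", "groupOfURLs"],          # dynamic
        "cn": ["eng"], "memberurl": ["ldap:///ou=people,o=example??sub?(departmentNumber=42)"]},
}
USER_BASE, GROUP_BASE = "ou=people, o=example", "ou=groups, o=example"
USER_FILTER = "(&(uid=%s)(objectclass=person))"                         # ldap_user_filter
MEMBER_FILTER = "(&(uniquemember=%s)(objectclass=groupofuniquenames))"  # ldap_static_group_member_filter

def search(base, scope, flt):
    tree = parse_filter(flt)
    return [dn for dn, e in DIRECTORY.items() if dn_in_scope(dn, base, scope) and matches(tree, e)]

def find_user_dn(login_name):
    # The login name must select exactly one entry; anything else is a failed lookup.
    hits = search(USER_BASE, "sub", build_filter(USER_FILTER, login_name))
    return hits[0] if len(hits) == 1 else None

def groups_of(user_dn):
    static = search(GROUP_BASE, "sub", build_filter(MEMBER_FILTER, user_dn))
    dynamic = []
    for group_dn in search(GROUP_BASE, "sub", "(objectclass=groupOfURLs)"):
        for url in DIRECTORY[group_dn]["memberurl"]:
            u = parse_member_url(url)
            if user_dn in search(u["base"], u["scope"], u["filter"]):
                dynamic.append(group_dn)
                break
    return sorted(static + dynamic)
```

find_user_dn returns a DN only when the filter selects exactly one entry, which is also the behaviour to expect from a server: a name that escapes to nothing, or a wildcard that would match several entries, should fail authentication rather than pick the first hit.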


TIBCO Enterprise Message Service™ User’s Guide
Software Release 4.3, February 2006
Copyright © TIBCO Software Inc. All rights reserved
www.tibco.com