The following sections describe users and groups in TIBCO Enterprise Message Service.
Users are specific, named IDs that allow you to identify yourself to the server. When a client logs in, the connect request should be accompanied by a username and the password associated with the username.
There is one predefined user, admin. The administrator user is set up when TIBCO Enterprise Message Service is installed, and this user performs administrative tasks, such as creating other users.
You can create and remove users and change passwords by specifying the users in the users.conf configuration file, using the tibemsadmin tool, or by using the administration APIs. For more information about specifying users in the configuration file, see users. For more information about specifying users using the tibemsadmin tool, see Chapter 8, Using the Administration Tool. For more information on the administration APIs, see the online documentation.
Groups allow you to create classes of users. Groups make access control administration significantly simpler because you can grant and revoke permissions to large numbers of users with a single operation on the group. Each user can belong to as many groups as necessary. A user’s permissions are the union of the permissions of the groups the user belongs to, in addition to any permissions granted to the user directly.
You can create, remove, or add users to groups by specifying the groups in groups.conf, using the tibemsadmin tool, or by using the administration APIs. For more information about specifying groups in the configuration file, see groups. For more information about specifying groups using the tibemsadmin tool, see Chapter 8, Using the Administration Tool. For more information on the administration APIs, see the online documentation.
You can define user authentication and group information either in EMS server configuration files, or in an external directory (such as an LDAP server).
TIBCO Enterprise Message Service can be configured to authenticate users stored in an external directory server, such as an LDAP server.
The parameter user_auth in tibemsd.conf guides the EMS server when authenticating users. When a user attempts to authenticate to the EMS server, this parameter specifies the source of authentication information. This parameter can have one or more of the following values (separated by comma characters):
Each time a user attempts to authenticate, the server seeks corresponding authentication information from each of the specified locations in the order that this parameter specifies. The EMS server accepts successful authentication using any of the specified sources.
Group information stored in an external directory can also be retrieved by the TIBCO Enterprise Message Service server. Static and dynamic groups are supported and you can configure the TIBCO Enterprise Message Service server to retrieve either or both.
You can perform administrative commands on users and groups defined either locally (in the EMS server’s local configuration files) or in an external LDAP. Furthermore, you can combine users and groups that are defined in different locations (for example, you can grant and revoke permissions for users and groups defined in an LDAP, or add LDAP-defined users to locally-defined groups).
Note: Combining authentication sources requires that the configuration parameter user_auth includes both ldap and local.
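The lookup rule described above, modelled as an added example (not TIBCO code): it reads user_auth from a constructed tibemsd.conf fragment, tries each source in the configured order, and lists names that are defined in more than one source. The in-memory stores, the function names, and the handling of # comment lines are assumptions made for the illustration.

```python
import hmac

# Constructed sample, not a shipped tibemsd.conf.
SAMPLE_CONF = """\
# authentication sources, tried in the order listed
user_auth = local, ldap
"""

# Constructed stand-ins for users.conf and the directory: name -> password.
STORES = {
    "local": {"admin": "admin-pw", "jsmith": "stale-local-pw"},
    "ldap": {"jsmith": "directory-pw", "mlee": "mlee-pw"},
}

def parse_user_auth(conf_text):
    """Return the ordered source list from a 'user_auth = a,b' line."""
    order = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:  # '#' comments assumed
            continue
        key, value = line.split("=", 1)
        if key.strip() == "user_auth":
            order = [s.strip() for s in value.split(",") if s.strip()]
    return order

def authenticate(user, password, order, stores):
    """Try each source in order; return the first one that accepts, else None."""
    for source in order:
        stored = stores.get(source, {}).get(user)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            return source
    return None

def duplicate_names(order, stores):
    """Names defined in more than one configured source."""
    seen, dupes = set(), set()
    for source in order:
        names = set(stores.get(source, {}))
        dupes |= seen & names
        seen |= names
    return sorted(dupes)

if __name__ == "__main__":
    order = parse_user_auth(SAMPLE_CONF)
    print("order:", order)
    for pw in ("directory-pw", "stale-local-pw"):
        print("jsmith", pw, "->", authenticate("jsmith", pw, order, STORES))
    print("defined in more than one source:", duplicate_names(order, STORES))
```

In this model both passwords for jsmith are accepted, so any name reported by duplicate_names has two credentials that need to be rotated and retired together.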
When you attempt to view users and groups using the show user/s or show group/s commands, any users and groups that exist in external directories have an asterisk next to their names. Users and groups from external directories will only appear in the output of these commands in the following situations:
Therefore, not all users and groups defined in the external directory may appear when the show user/s or show group/s commands are executed. Only the users and groups that meet the above criteria at the time the command is issued will appear.
You can create users and groups with the same names as externally-defined users and groups. If a user or group exists in the server’s configuration and is also defined externally, the local definition of the user takes precedence. Locally-defined users and groups will not have an asterisk by their names in the show user/s or show group/s commands.
You can also issue the delete user or delete group command to delete users and groups from the local server’s configuration. The permissions assigned to the user or group are also deleted when the user or group is deleted. If you delete a user or group that is defined externally, this deletes the user or group from the server’s memory and deletes any permissions assigned in the access control list, but it has no effect on the external directory. The externally-defined user can once again log in, and the user is created in the server’s memory and any groups to which the user belongs are also created. However, any permissions for the user or group have been deleted and therefore must be re-granted.
TIBCO Enterprise Message Service has been tested with the following external directory servers:
However, you should be able to use any external directory server that is compliant with LDAP V2.
Table 18, Configuration parameters (Sheet 1 of 28) describes the complete list of configuration parameters for configuring an external directory server. Table 30 describes parameter settings for default configurations of popular LDAP servers.
TIBCO Enterprise Message Service™ User’s Guide Software Release 4.3, February 2006 Copyright © TIBCO Software Inc. All rights reserved www.tibco.com