Sybase Control Center can authenticate user logins through an LDAP server,
through the operating system, or both.
- Sybase Control Center can be configured to
authenticate through any LDAP server that supports the inetOrgPerson (RFC 2798)
schema.
- When Sybase Control Center authenticates through
the operating system, it uses the operating system of the
Sybase Control Center server machine (not the client).

Although you can create native user accounts in
Sybase Control Center, this approach to authentication is not
recommended. It is simpler and safer to configure Sybase Control Center
to authenticate using existing LDAP, Windows, or UNIX login accounts.

It is strongly recommended that you use a common authentication provider
for all Sybase products, including Sybase Control Center. A common
authentication provider ensures that single sign-on works for users of
Sybase Control Center and its managed servers.

Sybase Control Center requires each authenticated login account
to have a predefined role. When a login is authenticated, the security module
retrieves the roles for the login and maps them to Sybase Control Center
predefined roles. Authorization is resolved through the mappings between the security
module native roles and Sybase Control Center roles. You can enable
mappings by creating a “sybase” group in your operating system or LDAP server and adding
all Sybase Control Center users to it, or by modifying the Sybase Control Center
role-mapping.xml file to configure the mapping of
native roles to Sybase Control Center roles. The security module
authenticates the logins and authorizes access to managed resources.

Sybase Control Center provides a set of predefined login
modules for authentication. All login modules are defined in the
<install_location>/SCC-3_2/conf/csi_config.xml file. The syntax is defined by the Sybase Common
Security Infrastructure (CSI) framework. You can configure the different login modules
to customize security strength. The login modules are:
- Preconfigured user login – defines a user name, password, and a
list of roles. The default user name is sccadmin; its password is configured
during installation and its native role is SCC Administrator, which maps to
sccAdminRole. You can create additional accounts by adding preconfigured user
login modules to csi_config.xml. However,
Sybase does not recommend the use of preconfigured user login modules for
authentication in production environments.
- NT proxy login – delegates authentication to the underlying
Windows operating system. When you log in to
Sybase Control Center through an NT proxy login module,
enter your user name in the format username@nt-domain-name, for
example, user@sybase. Windows authentication is enabled by default, but it
requires some configuration after an upgrade from SCC 3.2.5 or earlier.
- UNIX proxy login – delegates authentication to the underlying
UNIX or Linux operating system using Pluggable Authentication Modules (PAM).
When you log in to Sybase Control Center through a UNIX proxy login module,
enter your UNIX user name and password. UNIX authentication is enabled by
default, but it requires some configuration.
- LDAP login – delegates authentication to an LDAP server you
specify. When you log in to Sybase Control Center through an
LDAP server, enter your LDAP user name and password. LDAP authentication is not
enabled by default; you must configure the login module.
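
Because preconfigured user login modules are not recommended in production, it is worth checking which login modules a csi_config.xml actually defines. The script below is an added example, not Sybase code: the element name authenticationProvider, the options children, the class-name substrings and the opsuser account are assumptions about the CSI layout, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real csi_config.xml. Element, attribute and class
# names are assumptions about the CSI layout; adjust to match your file.
SAMPLE = """<configuration>
  <authenticationProvider controlFlag="sufficient"
      name="com.example.csi.PreConfiguredUserLoginModule">
    <options name="username" value="sccadmin"/>
    <options name="roles" value="SCC Administrator"/>
  </authenticationProvider>
  <authenticationProvider controlFlag="sufficient"
      name="com.example.csi.PreConfiguredUserLoginModule">
    <options name="username" value="opsuser"/>
    <options name="roles" value="SCC Administrator"/>
  </authenticationProvider>
  <authenticationProvider controlFlag="sufficient"
      name="com.example.csi.UnixProxyLoginModule"/>
</configuration>"""

# Substring of the module class name -> login module kind (assumed naming).
KINDS = {"preconfigured": "preconfigured", "ntproxy": "nt-proxy",
         "unixproxy": "unix-proxy", "ldap": "ldap"}

def local(tag):
    """Strip any XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit_login_modules(xml_text):
    """Return (modules, findings) for the login modules in a CSI config."""
    modules, findings = [], []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "authenticationProvider":
            continue
        cls = el.get("name", "")
        kind = next((k for s, k in KINDS.items() if s in cls.lower()), "unknown")
        opts = {o.get("name"): o.get("value", "")
                for o in el if local(o.tag) == "options"}
        modules.append((kind, opts.get("username")))
        if kind == "preconfigured":
            findings.append(f"preconfigured login {opts.get('username')!r} "
                            f"with roles {opts.get('roles')!r}: the page advises "
                            "against this module in production")
        elif kind == "unknown":
            findings.append(f"unrecognized login module: {cls}")
    if not any(k in ("nt-proxy", "unix-proxy", "ldap") for k, _ in modules):
        findings.append("no OS or LDAP login module is configured")
    return modules, findings

if __name__ == "__main__":
    for line in audit_login_modules(SAMPLE)[1]:
        print("FINDING:", line)
```

Run it against a copy of the real file by passing the file's text to audit_login_modules; a finding for anything other than the installation-time sccadmin account usually means someone added accounts by hand.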