Working with Authentication and Passwords
The following procedures explain how to use Zend Server's Simple and Extended authentication methods: changing and resetting passwords, switching authentication methods, and advanced procedures for working with Extended Authentication.
To better understand the procedures described in this topic, watch this video:
The following procedures explain how to change or reset user passwords.
Changing User Passwords Internally
The following procedure describes how to change user passwords from inside the Zend Server UI.
Note:
This procedure can only be performed when using Simple Authentication.
|
|
|
To change user passwords:
|
|
Changing User Passwords Externally
The following procedure describes how to reset a lost password from outside the Zend Server UI.
If you are using Extended Authentication, the procedure will also revert your authentication method back to Simple Authentication. Once you have accessed Zend Server with your new password, you can switch your authentication method. For more information, see Changing Authentication Methods below.
Note:
This procedure can only be performed by user 'admin'.
|
|
|
To reset your password: In Windows:
In IBM i:
Other operating systems:
|
Passwords can also be changed using the Support Tool. For more information, see Support Tool. If you are unable to change your password, refer to the Support Center for further information. |
The following procedures explain how to change your authentication method from Simple Authentication to Extended Authentication, and vise versa.
Simple authentication uses the internal authentication service provided with Zend Server, and is based on a username and password defined for each user. Extended Authentication allows users to authenticate with an external LDAP server.
Changing from Simple Authentication to Extended Authentication
Simple Authentication is the default authentication method in Zend Server. This procedure explains how to change to Extended Authentication. If you want to use LDAP over SSL, see Configuring LDAP over SSL or TLS.
Note:
This procedure can only be performed by user 'admin'.
Warning:
In case this procedure fails, you may find yourself unable to access Zend Server. If this occurs, change your password using an external utility. For more information, see Changing Passwords above.
|
|
|
To use Extended Authentication, and authenticate users with LDAP:
Important! Be sure to enter the LDAP group name that is to be assigned to administrators. It is highly recommended this group be assigned in your LDAP server before the change to extended authentication, so that you may log in again immediately.
Note: The format for the username DN information depends on the server type you selected in the previous step. If you selected "LDAP server", all DN information about the user must be specified. If you selected "Active Directory", only a username is required.
|
Warning: In case this procedure fails, you may find yourself unable to access Zend Server. If this occurs, change your password using an external utility. For more information, see Changing Passwords above. |
Changing from Extended Authentication to Simple Authentication
This procedure explains how to move back to Zend Server's default authentication method - Simple Authentication.
Note:
This procedure can only be performed by user 'admin'.
|
|
|
To use Simple Authentication:
|
The Zend Server authentication method can also be changed using the Support Tool. For more information, see Support Tool. |
Zend Server's Extended Authentication method allows administrators to assign a Zend Server user role (e.g., Developer) to an LDAP user group , awarding all users in the group all the associated user role permissions. This feature is especially useful for administrators with more than one remotely defined LDAP user groups, to whom he would like to assign different Zend Server user permissions.
In addition, administrators can assign an LDAP user group to an application managed by Zend Server, awarding all members of the group Zend Server DeveloperLimited user role permissions for the specified application.
Note:
For a breakdown of the differences between the various Zend Server user roles, see User Permissions.
Example Scenario
An administrator has two defined LDAP user groups: 'rnd-us', consisting of two veteran developers and 'rnd-uk', consisting of six novice developers. The production environment includes two applications, 'oldApp' and 'newApp'. The administrator would like to:
- Assign 'rnd-us' user group with the Zend Server 'Administrator user role, thus granting all users in this group full production and development permissions.
- Assign 'rnd-uk' with the Zend Server 'Developer' user role, thus granting all user in this group development permissions.
- Assign 'rnd-us' to the 'newApp' application, thus granting all users in this group development access to this application.
- Assign 'rnd-uk' to the 'oldApp' application, thus granting all users in this group development access to this application.
Note:
This procedure can only be performed by user 'admin'.
|
|
|
To define role and application groups:
|
|
Advanced - Integrating with a Customized Authentication Adapter
This procedure explains how to integrate Zend Server with an example customized authentication adapter. The provided example includes two CustomAuth adapters that return a successful result object for any input:
- 'CustomAuth\Authentication\Adapter\Adapter' is a simple adapter that authenticates and returns a result object. Please note that at the end of the authentication process you should set a role for the identity ('administrator', 'developer', 'developerLimited').
- 'CustomAuth\Authentication\Adapter\AdapterWithGroups' shows an adapter that is also a groups provider. These groups are to be provided by the authentication process and are then used to map the user permissions for his role and/or applications he has access to.
Warning!
This procedure requires that you view and access back-end application files which, in normal circumstances, should not be changed. For this reason, we highly recommend that you perform this task only if you clearly understand the supplied instructions.
|
|
|
To integrate with a customized authentication adapter:
[authentication] simple = false
[authentication] simple = false adapter = "CustomAuth\Adapter\AdapterWithGroups" |
|
When configuring LDAP authentication over SSL or TLS, the following additional configuration steps must be performed on the server running Zend Server before changing your authentication method.
Note:
In a clustered environment, each server must be independently configured.
Basic Configuration
|
|
|
To configure LDAP over SSL or TLS:
TLS_REQCERT never
|
Note: When using the Basic Configuration, ZendServer will not attempt to validate the certificate provided by the LDAP server. |
Advanced Configuration - Validating the Server Certificate
|
|
|
To configure LDAP over SSL or TLS:
|
|