Working with Authentication and Passwords- Zend Server 6.3

Video

To better understand the procedures described in this topic, watch this video:

Changing Passwords

The following procedures explain how to change or reset user passwords.

Changing User Passwords Internally

The following procedure describes how to change user passwords from inside the Zend Server UI.

Note:

This procedure can only be performed when using Simple Authentication.

To change user passwords:

In the UI, go to Administration | Users.
In the Users Password Management area, select the user you wish to change the password for. This choice is only available for 'admin' users - the 'developer' can only change his own password.
Click Change password.
The Change Password dialog is displayed.

Enter your current and new passwords in the designated fields.
Click .
The new password is saved.

Changing User Passwords Externally

The following procedure describes how to reset a lost password from outside the Zend Server UI.

If you are using Extended Authentication, the procedure will also revert your authentication method back to Simple Authentication. Once you have accessed Zend Server with your new password, you can switch your authentication method. For more information, see Changing Authentication Methods below.

Note:

This procedure can only be performed by user 'admin'.

To reset your password:

In IBM i:

Use Setup menu option 1

If you are unable to change your password, refer to the Support Center for further information.

Changing Authentication Methods

The following procedures explain how to change your authentication method from Simple Authentication to Extended Authentication, and vise versa.

Simple authentication uses the internal authentication service provided with Zend Server, and is based on a username and password defined for each user. Extended Authentication allows users to authenticate with an external LDAP server.

Changing from Simple Authentication to Extended Authentication

Simple Authentication is the default authentication method in Zend Server. This procedure explains how to change to Extended Authentication. If you want to use LDAP over SSL, see Configuring LDAP over SSL or TLS.

Note:

This procedure can only be performed by user 'admin'.

Warning:

In case this procedure fails, you may find yourself unable to access Zend Server. If this occurs, change your password using an external utility. For more information, see Changing Passwords above.

To use Extended Authentication, and authenticate users with LDAP:

In the UI, go to Administration | Users.
In the top-right corner of the page, click .
The Change Authentication Settings wizard is displayed.

Configure your LDAP connection parameters:

LDAP Host - Host name of your LDAP server and port number (e.g., 10.1.9.2:123).
Base DN - Base domains for user authentication (e.g.,CN=Users,DC=support,DC=net).
Select an encryption type:
- Use SSL for the connection - Select to use SSL for the connection. This provides a cryptographically secure communication. It uses a certificate that has been signed by a trust point already held in the cacerts file, which holds all trusted certificate authorities. Alternatively, it can use a self-signed certificate that has been imported into the Java cacerts directory.
- Start TLS for the connection - Select to start TLS for the connection. This a different way of sending data than SSL, and requires a certificate.
- Do not use encryption - Select to not use any encryption method for your connection.

Click Next.
The Canonical Form dialog is displayed.

Select and configure the LDAP connection's canonical form (the username template the LDAP server is expecting), and relevant domain names:

Canonical Form - Click the drop-down menu to select a canonical form to use for authentication (Username only, Backslash, Principal).
Domain Name - Enter a domain name if you selected the Principal form (e.g., zend.net).
Short Domain Name - Enter a short domain name if you selected the Backslash form (e.g., zend).

Click Next.
The LDAP Server Details dialog is displayed.

Enter information about your LDAP server:

Server Type - Select the type of server used for LDAP authentication (Active Directory, LDAP server).
Groups Attribute - Enter the attribute of the user notating group membership (e.g., memberof, gidnumber).
Administrator Group - Enter an active directory group name to be assigned to administrators (e.g., rnd-us).

Important!

Be sure to enter the LDAP group name that is to be assigned to administrators. It is highly recommended this group be assigned in your LDAP server before the change to extended authentication, so that you may log in again immediately.

Click Next.
The Query Credentials dialog is displayed.

Enter the credentials used for performing authentication and for retrieving permission information about the user. These credentials are also needed for querying the active directory when using WebAPI:

Username DN - Username DN values for accessing directory information.
Directory Password - Password segment of directory credentials.

Note:

The format for the username DN information depends on the server type you selected in the previous step. If you selected "LDAP server", all DN information about the user must be specified. If you selected "Active Directory", only a username is required.

Click Next.
The Confirmation dialog is displayed.

Review the parameters you entered in the wizard, and enter your 'admin' password to save the new settings.
Click Submit.
Once submitted, you will be immediately logged out of the UI, and required to log in again using the newly configured authentication method. Enter your LDAP credentials to log in.

Warning:

In case this procedure fails, you may find yourself unable to access Zend Server. If this occurs, change your password using an external utility. For more information, see Changing Passwords above.

Changing from Extended Authentication to Simple Authentication

This procedure explains how to move back to Zend Server's default authentication method - Simple Authentication.

Note:

This procedure can only be performed by user 'admin'.

To use Simple Authentication:

In the UI, go to Administration | Users.
In the top-right corner of the page, click .
The Change Authentication Settings wizard is displayed.

Select Simple Authentication, and click Next.
The wizard displays the Summary dialog.

Enter your LDAP 'admin' password, and click Submit.
Once submitted, you will be immediately logged out of the UI, and required to login again using the newly configured authentication method.

Using Extended Authentication

Zend Server's Extended Authentication method allows administrators to assign a Zend Server user role (e.g., Developer) to an LDAP user group , awarding all users in the group all the associated user role permissions. This feature is especially useful for administrators with more than one remotely defined LDAP user groups, to whom he would like to assign different Zend Server user permissions.

In addition, administrators can assign an LDAP user group to an application managed by Zend Server, awarding all members of the group Zend Server DeveloperLimited user role permissions for the specified application.

Note:

For a breakdown of the differences between the various Zend Server user roles, see User Permissions.

Example Scenario

An administrator has two defined LDAP user groups: 'rnd-us', consisting of two veteran developers and 'rnd-uk', consisting of six novice developers. The production environment includes two applications, 'oldApp' and 'newApp'. The administrator would like to:

Assign 'rnd-us' user group with the Zend Server 'Administrator user role, thus granting all users in this group full production and development permissions.
Assign 'rnd-uk' with the Zend Server 'Developer' user role, thus granting all user in this group development permissions.
Assign 'rnd-us' to the 'newApp' application, thus granting all users in this group development access to this application.
Assign 'rnd-uk' to the 'oldApp' application, thus granting all users in this group development access to this application.

Note:

This procedure can only be performed by user 'admin'.

To define role and application groups:

In the UI, go to Administration | Users.
If you are using Simple Authentication, see instruction above to move to Extended Authentication.

In the relevant mapping area (Roles to groups or Applications to groups), enter your LDAP group name to map permissions to your organization's active directory group membership.
Click Store groups mapping.

Advanced - Integrating with a Customized Authentication Adapter

This procedure explains how to integrate Zend Server with an example customized authentication adapter. The provided example includes two CustomAuth adapters that return a successful result object for any input:

'CustomAuth\Authentication\Adapter\Adapter' is a simple adapter that authenticates and returns a result object. Please note that at the end of the authentication process you should set a role for the identity ('administrator', 'developer', 'developerLimited').
'CustomAuth\Authentication\Adapter\AdapterWithGroups' shows an adapter that is also a groups provider. These groups are to be provided by the authentication process and are then used to map the user permissions for his role and/or applications he has access to.

Warning!

This procedure requires that you view and access back-end application files which, in normal circumstances, should not be changed. For this reason, we highly recommend that you perform this task only if you clearly understand the supplied instructions.

To integrate with a customized authentication adapter:

Click here to download the customized authentication adaptor example. The module in this example relies on the Zend Server UI for operation, and shows the basic structure and requirements for creating a new authentication adapter.
Unpack the module into the 'gui/vendor' directory.
Add the 'CustomAuth' module to the end the list of modules in 'gui/config/application.config.php'.
In 'gui/config/zend_ui_user.ini', disable simple authentication:

[authentication]

simple = false

Add the adapter name to 'gui/config/zend_ui_user.ini':

[authentication]

simple = false

adapter = "CustomAuth\Adapter\AdapterWithGroups"

Configuring LDAP over SSL and TLS

When configuring LDAP authentication over SSL or TLS, the following additional configuration steps must be performed on the server running Zend Server before changing your authentication method.

Note:

In a clustered environment, each server must be independently configured.

Basic Configuration

To configure LDAP over SSL or TLS:

Create the LDAP configuration file: 'ldap.conf'.

Note:

In RPM Zend Server installations, this file already exists. Skip to step 3.
Save the 'ldap.conf' file, depending on the operating system you are using:
- Windows: C:\openldap\sysconf\
- Linux: /etc/ldap/ldap/conf/
In the 'ldap.conf' file, add the following line:

TLS_REQCERT never

Save the file.

Note:

When using the Basic Configuration, ZendServer will not attempt to validate the certificate provided by the LDAP server.

Advanced Configuration - Validating the Server Certificate

To configure LDAP over SSL or TLS:

Export Certificate Authority certificate to a file.
Convert the certificate file.
Store the new certificate file.
Modify the 'ldap.conf' file.

	Zend.com
	Knowledge Base
	Support Center
	Zend Forums
	DevZone
	PHP Manual

	Zend Server 6.2
	Zend Server 6.1
	Zend Server 6.0
	Zend Server 5.6