Address Manager includes a fully featured authentication subsystem, and it supports mixed-mode authentication through Kerberos, LDAP, Microsoft Active Directory, or RADIUS. Support for RSA SecurID is accomplished through the RADIUS authentication module.
Before Address Manager can exchange authentication information with a remote system, the authenticator must be defined and associated with an Address Manager user. For instructions on how to assign an authenticator to a user, refer to User groups.
You can add more than one authenticator to a user, so that a secondary authenticator can be used if the primary authenticator isn't available. Authenticators can be tested to confirm that Address Manager can communicate with the external service.
The Authenticators page lets you add external authenticators to the Address Manager system. Depending on the type of authenticator you choose, the Add Authenticators page displays different text fields.
To add an external authenticator:
- Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
- Under User Management, click Authenticators.
- Under Authenticators, click New.
- Under Authenticator, select the type of authenticator and assign it a name:
  - Type—select Kerberos, LDAP, Radius, or TACACS+.
    Note:
    - When you create an authenticator for Microsoft Active Directory, select LDAP or Kerberos. If you intend to use an LDAP User Group, you should select LDAP; otherwise, select Kerberos. For more information on LDAP User Groups, refer to Adding LDAP user groups.
    - If creating an RSA SecurID authenticator, select Radius.
  - Name—type a name for the authenticator.
  - Host—type the Fully Qualified Domain Name or IP address for the authenticator.
    Attention: The Host field cannot contain underscore ( _ ) characters. If the FQDN of the host contains underscore characters, you must either enter the IP address of the host or modify the FQDN so that it does not contain underscore characters and enter the updated FQDN without underscore characters.
  - Host (KDC)—appears when Kerberos is selected as the type of authenticator. Type the fully qualified domain name (FQDN) or IP address for the authenticator.
    Note: You can enter either a FQDN or an IP address in the Host field. The information typed in the Realm field must be uppercase (capital letters). Ensure that the time on the Kerberos server and on Address Manager is synchronized to be within one minute of each other.
- Under Additional Properties, set the authenticator properties. The fields available in this section will vary depending on the type of authenticator you have selected.
- Under Secondary Authenticator, set the secondary
  - None—select if a secondary authenticator isn't needed.
  - Specific Authenticator—select an authenticator from the list to specify it as a secondary authenticator. If authentication can't be completed by the primary authenticator, the secondary authenticator will be used. Select BlueCat Address Manager Authenticator from the list to use Address Manager as the secondary authenticator.
- Under Change Control, add comments, if required.
- Click Add.
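
The Host, Realm, and clock constraints from the notes in the procedure above can be checked before the form is submitted. The following is an added example, not BlueCat code: the function and parameter names are hypothetical, and the two timestamps are assumed to have been read separately from the Kerberos server and from Address Manager.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

MAX_KERBEROS_SKEW = timedelta(minutes=1)  # "within one minute of each other"


def check_host(host):
    """Return a list of problems with a Host / Host (KDC) value."""
    try:
        ipaddress.ip_address(host)
        return []  # IP addresses are accepted as-is
    except ValueError:
        pass  # not an IP address, so treat it as an FQDN
    problems = []
    if "_" in host:
        problems.append("Host contains an underscore; enter the IP address "
                        "or an FQDN without underscores")
    if not host or any(not label for label in host.rstrip(".").split(".")):
        problems.append("Host is not a well-formed FQDN")
    return problems


def preflight(auth_type, host, realm=None, kdc_time=None, local_time=None):
    """Check authenticator settings against the constraints on this page."""
    problems = check_host(host)
    if auth_type == "Kerberos":
        if not realm or realm != realm.upper():
            problems.append("Realm must be set and uppercase")
        if kdc_time is None or local_time is None:
            problems.append("Clock skew not checked: both timestamps required")
        elif abs(kdc_time - local_time) > MAX_KERBEROS_SKEW:
            problems.append("Kerberos server and Address Manager clocks "
                            "differ by more than one minute")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    samples = [
        ("Kerberos", "kdc_01.example.com", "example.com", now, now + timedelta(seconds=95)),
        ("Kerberos", "kdc01.example.com", "EXAMPLE.COM", now, now + timedelta(seconds=20)),
        ("LDAP", "192.0.2.10"),
    ]
    for args in samples:
        print(args[1], "->", preflight(*args) or "OK")
```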