BACK-END IBM Directory (tab)

An IBM Security Directory Server record is required for OneSpan Authentication Server to forward authentication and accounting requests to a back-end IBM Security Directory Server.

Record changes (add, change, delete) will not take effect immediately on all OneSpan Authentication Server instances unless replication is used to synchronize the instances. If replication is not used, changes to records will take effect when each instance is restarted, once the change is available to it in its data store. Alternatively, if there is no restart, the record cache will refresh from the data store approximately every 15 minutes.

Table: BACK-END IBM Directory tab

Field name / Description

Enable SSL

Specifies whether to secure the connection to the back-end server using SSL.

Location

The IP address of the back-end server.

Port

The port on which the back-end server receives and handles authentication requests.

Possible values: 0 to 65535

Timeout (seconds)

The number of seconds to wait for a response from the server before either retrying or trying another server.

Possible values: 1 to 999

Search Base DN

The distinguished name (DN) where the search for user accounts starts.

Security Principal DN

The distinguished name (DN) of the user account used to access the back-end server and handle back-end authentication requests (security principal). This account must have permission to search for users on the LDAP server. If no distinguished name is supplied, the LDAP server must allow anonymous searches.

Security Principal Password

The password of the user account used to access the back-end server and handle back-end authentication requests (security principal).

User Object Class Name

The name of the user object class to search within.

User ID Attribute Name

The name of the user attribute to search on.

Attribute Mapping (the following fields map LDAP attributes to user account fields)

User Name Attribute Name

The LDAP attribute name to use as the user's display name. If user information synchronization is enabled, the user display name is added to the user account during DUR user information synchronization.

Phone Attribute Name

The LDAP attribute name to use as the user's landline number. If user information synchronization is enabled, the user's landline number is added to the user account during DUR user information synchronization.

Mobile Attribute Name

The LDAP attribute name to use as the user's mobile number. If user information synchronization is enabled, the user's mobile number is added to the user account during DUR user information synchronization.

Email Attribute Name

The LDAP attribute name to use as the user's e-mail address. If user information synchronization is enabled, the user's e-mail address is added to the user account during DUR user information synchronization.

If the timeout is either not configured or set too low for LDAP back-end records, the LDAP query may time out. This results in the login request being denied. To verify whether this occurred, check the trace file for LDAP timeout messages.
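The following example is added here for illustration and is not OneSpan code. It models a BACK-END IBM Directory record with the fields from the table above, checks the values a practitioner would review before saving the record (the Port and Timeout ranges, an unset Timeout as described in the note above, a missing Security Principal DN forcing anonymous searches, SSL disabled), and builds the LDAP search filter that combines User Object Class Name and User ID Attribute Name, escaping the user ID per RFC 4515 so a user-supplied login name cannot alter the filter. The record class, its field names and the checks are this example's own assumptions about how the tab's values fit together; the sample values are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IbmDirectoryRecord:
    """Hypothetical model of one back-end record; field names mirror the tab."""
    location: str
    port: int
    search_base_dn: str
    user_object_class: str
    user_id_attribute: str
    enable_ssl: bool = False
    timeout_seconds: Optional[int] = None      # None means "not configured"
    security_principal_dn: str = ""
    security_principal_password: str = ""


# Minimal DN sanity check: one or more "attr=value" RDNs separated by commas.
_DN_RE = re.compile(
    r"^\s*[A-Za-z][A-Za-z0-9-]*=[^,]+(\s*,\s*[A-Za-z][A-Za-z0-9-]*=[^,]+)*\s*$"
)


def validate_record(rec: IbmDirectoryRecord) -> List[str]:
    """Return a list of findings; an empty list means the record passes."""
    findings = []
    if not rec.location:
        findings.append("Location is empty")
    if not 0 <= rec.port <= 65535:
        findings.append(f"Port {rec.port} is outside 0 to 65535")
    if rec.timeout_seconds is None:
        # An unset timeout lets slow LDAP queries time out, which denies the login.
        findings.append("Timeout not configured: slow LDAP queries will be denied")
    elif not 1 <= rec.timeout_seconds <= 999:
        findings.append(f"Timeout {rec.timeout_seconds} is outside 1 to 999")
    if not _DN_RE.match(rec.search_base_dn):
        findings.append("Search Base DN is not a well-formed DN")
    if not rec.security_principal_dn:
        # Without a principal, the LDAP server has to permit anonymous searches.
        findings.append("No Security Principal DN: LDAP server must allow anonymous searches")
    elif not _DN_RE.match(rec.security_principal_dn):
        findings.append("Security Principal DN is not a well-formed DN")
    elif not rec.security_principal_password:
        findings.append("Security Principal DN is set but its password is empty")
    if not rec.enable_ssl:
        # Plain LDAP carries the bind password and user lookups in clear text.
        findings.append("Enable SSL is off: bind credentials travel in clear text")
    return findings


# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(rec: IbmDirectoryRecord, user_id: str) -> str:
    """Filter for locating the user entry under Search Base DN (assumed shape)."""
    return (
        f"(&(objectClass={escape_filter_value(rec.user_object_class)})"
        f"({rec.user_id_attribute}={escape_filter_value(user_id)}))"
    )


if __name__ == "__main__":
    # Constructed sample record; the addresses and DNs are placeholders.
    sample = IbmDirectoryRecord(
        location="192.0.2.10", port=636,
        search_base_dn="ou=people,dc=example,dc=com",
        user_object_class="inetOrgPerson", user_id_attribute="uid",
        enable_ssl=True, timeout_seconds=10,
        security_principal_dn="cn=authsvc,ou=svc,dc=example,dc=com",
        security_principal_password="placeholder",
    )
    for finding in validate_record(sample):
        print("finding:", finding)
    print(build_user_search_filter(sample, "alice*)(uid=*"))
```

Running the block on the constructed sample prints no findings and a filter in which the `*`, `(` and `)` characters of the login name are escaped, so the lookup still matches only a literal `uid` value; dropping the timeout or the principal DN from the sample reproduces the findings the table and the note above warn about.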