Use the attributes on the Array Manager Secure Global Desktop Login Properties panel to control how users log in to Secure Global Desktop.
The attributes apply to all array members and take effect immediately.
Attribute |
Command Line |
Description |
Login Theme |
--login-theme theme_name |
- Choose the login theme to be used across the array.
- The login theme determines the style and appearance of the page users see when logging in to Secure Global Desktop from a web browser.
Note: This attribute is only used with the classic webtop. The browser-based webtop does not use login themes.
|
Use classic web server authentication |
--tarantella-config-components-webloginauthority 1 | 0 |
- Check the box to enable web server authentication for the classic webtop.
|
Use third party authentication |
--login-thirdparty 1 | 0 |
- Check the box to enable third party authentication for the browser-based webtop.
- Allows you to give webtops to users who have been authenticated by an external mechanism, such as web server authentication.
|
Search ENS for matching person |
For the classic webtop:
--login-web-ens 1 | 0
For the browser-based webtop:
--tarantella-config-login-thirdparty-searchens 1 | 0
|
- Check one or more boxes to select the search methods you want Secure Global Desktop to use to determine the identity and login profile of a user who has been authenticated by an external authentication method.
- See web server/third party authentication for details.
- If more than one box is checked, the search methods are used in the order shown above. However, neither web server authentication nor third party authentication supports ambiguous users, so the first match found is used.
- If the searches do not produce a match, the standard login page displays and the user must log in to Secure Global Desktop in the normal way.
Note: On the command line, there are separate commands for the classic and browser-based webtops. If you use the command line, we recommend you enable/disable the options for both webtops.
|
Search LDAP and use closest ENS match |
For the classic webtop:
--login-web-ldap-ens 1 | 0
For the browser-based webtop:
--tarantella-config-ldap-thirdpartyldapcandidate-useens 1 | 0
|
Search LDAP and use LDAP profile |
For the classic webtop:
--login-web-ldap-profile 1 | 0
For the browser-based webtop:
--tarantella-config-ldap-thirdpartyldapcandidate-useprofile 1 | 0
|
Use default profile |
For the classic webtop:
--login-web-profile 1 | 0
For the browser-based webtop:
--tarantella-config-login-thirdparty-allownonens 1 | 0
|
Tokens are valid for |
--login-web-tokenvalidity int |
- The validity period of the web server authentication token in seconds. The number of seconds must be between 1 and 600. The default value is 180.
- If web server authentication is enabled, when a user goes to the http://server.example.com/tarantella URL, the web server generates a token and this is accepted by the Secure Global Desktop server as proof of authentication. Each token is valid only once.
- The token may need to be valid for a few minutes to allow client devices to download the Secure Global Desktop Java™ archive. If all users have the archive already installed, you can reduce the validity period to a few seconds.
- Reducing the token validity period may result in failed logins on slow networks.
- To ensure a token cannot be intercepted and used by a third party while still valid, use secure (HTTPS) web servers.
Note: This attribute is only used for web server authentication with the classic webtop.
|
Web server username |
--login-web-user string |
- The username of the user that owns web server (httpd) processes.
- The default is ttaserv as this is the user used by the Secure Global Desktop Web Server.
- If you use your own web server, you must change this to the user you use for your web server, typically nobody.
- This user is a trusted user for web authentication. We recommend you restrict access to this user and you restrict the processes that run as this user. It is more secure to have a user that is used to run the web server and nothing else.
- All web servers used in the array must use the same username.
- You must restart all array members for a change to this setting to take effect.
Note: This attribute is only used for web server authentication with the classic webtop.
|
Anonymous user login authority |
--login-anon 1 | 0 |
- Check one or more boxes to enable those login authorities.
- The login authorities are listed in the order in which they are tried.
If one login authority authenticates the user, no more login authorities are tried.
- SecurID authentication is not supported on the Solaris Operating System on x86 platforms.
- The authentication token login authority can only be used when the Secure Global Desktop Client is operating in integrated mode. The Native Client and Java technology clients do not support this login authority.
|
Authentication token login authority |
--login-atla 1 | 0 |
ENS login authority |
--login-ens 1 | 0 |
NT login authority |
--login-nt 1 | 0 |
LDAP login authority |
--login-ldap 1 | 0 |
Active Directory login authority |
--login-ad 1 | 0 |
UNIX group login authority |
--login-unix-group 1 | 0 |
UNIX user login authority |
--login-unix-user 1 | 0 |
SecurID login authority |
--login-securid 1 | 0 |
Windows NT Domain |
--login-nt-domain dom |
|
URL |
--login-ldap-url url |
|
Username/Password |
Use the tarantella passcache new --ldap command. |
- The username and password of a user that has privileges to search an LDAP directory server/Active Directory server. This is not required for some LDAP directory servers.
- For the LDAP login authority or third party/web server authentication, use a full username such as cn=Bill Orange,cn=Users,dc=indigo-insurance,dc=com.
- For the Active Directory login authority, use a user principal name such as orange@indigo-insurance.com.
Note: For security reasons, the password is not displayed even if it has been previously set.
|
Use Certificates |
--login-ldap-pki-enabled 1 | 0 |
|
Base Domain |
--login-ad-base-domain dom |
- The domain the Active Directory login authority uses if users only supply a partial domain when they log in.
- For example, if the root domain is set to "indigo-insurance.com" and a user logs in with the username "rouge@west", the Active Directory login authority tries to authenticate "rouge@west.indigo-insurance.com".
|
Default Domain |
--login-ad-default-domain dom |
- The domain the Active Directory login authority uses if users do not supply a domain when they log in.
- For example, if the default domain is set to "east.indigo-insurance.com" and a user logs in with the username "rouge", the Active Directory login authority tries to authenticate "rouge@east.indigo-insurance.com".
|
Generate authentication tokens |
--login-autotoken 1 | 0 |
|
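The token behaviour described under "Tokens are valid for" (single use, validity between 1 and 600 seconds, default 180) can be modelled as follows; this is an added example, not Secure Global Desktop code. The `TokenAuthority` class, the HMAC-based token layout and the user name `bill` are assumptions made for illustration, since the page does not describe the real token format.

```python
import hashlib
import hmac
import secrets
import time

MIN_VALIDITY, MAX_VALIDITY, DEFAULT_VALIDITY = 1, 600, 180  # seconds, per the page

class TokenAuthority:
    """Illustrative model: signed tokens that are accepted once, within the validity period."""
    def __init__(self, validity=DEFAULT_VALIDITY, clock=time.time):
        if not MIN_VALIDITY <= validity <= MAX_VALIDITY:
            raise ValueError("validity must be between 1 and 600 seconds")
        self.validity, self.clock = validity, clock  # clock is injectable for testing
        self._key = secrets.token_bytes(32)          # secret shared by issuer and verifier
        self._pending = {}                           # nonce -> expiry, removed on first use

    def _sign(self, user, nonce, expires):
        msg = f"{user}|{nonce}|{expires}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, user):
        # Web server side: called only after the web server has authenticated the user.
        nonce = secrets.token_hex(16)
        expires = int(self.clock()) + self.validity
        self._pending[nonce] = expires
        return f"{user}|{nonce}|{expires}|{self._sign(user, nonce, expires)}"

    def redeem(self, token):
        """Login server side: return the user name, or None if the token is rejected."""
        try:
            user, nonce, expires, mac = token.rsplit("|", 3)
            expires = int(expires)
        except ValueError:
            return None                              # malformed token
        if not hmac.compare_digest(mac.encode(), self._sign(user, nonce, expires).encode()):
            return None                              # forged or altered token
        if self._pending.pop(nonce, None) is None:
            return None                              # already used (replay) or never issued
        return user if self.clock() <= expires else None  # None: validity period elapsed

def demo():
    """Constructed scenario: first use, replay of the same token, then a slow client."""
    now = [1_000_000]
    ta = TokenAuthority(validity=5, clock=lambda: now[0])
    token = ta.issue("bill")
    first, replay = ta.redeem(token), ta.redeem(token)
    slow = ta.issue("bill")
    now[0] += 6                                      # download outlasts the 5 second validity
    return first, replay, ta.redeem(slow)
```

The third result is the failed login on a slow network that the description warns about when the validity period is reduced.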
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.