CPS: Configuration of Authentication Type in CPS
This TechNote describes the options for authentication configuration of Macromedia Contribute Publishing Server.
One of the advantages of using Macromedia Contribute Publishing Server (CPS) is the authentication of Contribute users when accessing web pages. Authentication is performed using either a list of users stored in CPS (File-based User Directory) or using an LDAP or Active Directory server.
Authentication when using File-based User Directory
File-based User Directory is appropriate for a small number of users and when there is no LDAP or Active Directory server available. Users are added manually to a list stored in CPS. User authentication is provided using one of the two following options.
- Password in file - the passwords are stored with the list of users.
- (Password in) Windows domain - the users have their Windows network login password used as their CPS password. This authentication works only if the CPS server is running on a Windows machine, and it queries the Windows Network Domain for authentication. For more details please see Defining CPS to use Windows domain passwords for authentication (TechNote 2a983ee8).
Authentication using LDAP / Active Directory
This determines where CPS is going to look to verify the user name and password. Version 1.1 of Contribute Publishing Server expands the LDAP Bind setting into two settings, which are described last.
- Password in Directory - used when a non-standard field is used to store the password within the LDAP server. This option applies in relatively few cases.
- Windows Domain - allows the users to have their Windows network login password used as their CPS password. This authentication works only if the CPS server is running on a Windows machine, and it queries the Windows Network Domain for authentication. For more details please see Defining CPS to use Windows domain passwords for authentication (TechNote 2a983ee8). For an LDAP directory, the Windows authentication will be useful if your LDAP system's binding service is not configured and/or not associated with the user's standard login procedure through Windows. Using an LDAP User Directory with Windows Domain authentication works as long as the users in the LDAP directory are also in the Windows Domain.
- LDAP Bind - This method authenticates the user against the configured LDAP server and then validates the password provided. CPS version 1.1 added a setting "LDAP bind(auto-find user DN)".
- LDAP bind(auto-find user DN) - the recommended option for LDAP configurations, since it is easier to set up and fits a wider range of configurations. This is identical to LDAP Bind authentication described below, except that instead of assembling the Distinguished Name (DN) manually, an LDAP call is made looking up the username in the LDAP branches specified in the User Search section of the configuration. If this user is found in any of the branches specified, an exact DN can be found and authentication is made on this DN.
Additional information about LDAP Bind
The LDAP server's Distinguished Name, a full LDAP address to the user, is created by adding tags to the beginning and end of the user's username. This is the LDAP information that surrounds the specific user name.
For example, a full LDAP Distinguished Name for user jsmith is "cn=jsmith,ou=SAN FRANCISCO,o=MyCompany". Username prefix specifies a string that is prepended to a user name for authentication, and in this case the prefix is "cn=" and the suffix is ",ou=SAN FRANCISCO,o=MyCompany". An Active Directory system may also allow authentication based on a Windows domain description: MyCompany\jsmith.
Many companies set up their LDAP such that all employees in the LDAP system have the LDAP root level shortcut, so that all that is required is a prefix of "cn=" and the suffix can be left blank. If this isn't the case and your users are found in different LDAP branches, you may not be able to use the LDAP Bind option and should use LDAP Bind (auto-find user DN) instead. The advantage of LDAP Bind is that it is quick and you have specific control of the DN generated.
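The two ways of arriving at a DN described above (prefix + user name + suffix for LDAP Bind, and a directory lookup for auto-find user DN) both place the typed user name inside LDAP syntax. The following is an added example, not code from CPS: it shows the escaping a login front end would apply before building the DN or the search filter. All function names are hypothetical, and the use of the cn attribute for the lookup is an assumption.

```python
# Added example: helper names are hypothetical, not part of CPS.

def escape_dn_value(value):
    """Escape a string for use as an RDN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value):
    """Escape a string for use in a search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)

def check_login(username, password):
    """Reject input that must never reach the directory."""
    if not username:
        raise ValueError("empty user name")
    # A simple bind with an empty password is an unauthenticated bind
    # (RFC 4513, 5.1.2), which a server may accept as an anonymous session.
    if not password:
        raise ValueError("empty password")

def bind_dn(username, prefix, suffix):
    """LDAP Bind: DN = prefix + escaped user name + suffix."""
    return prefix + escape_dn_value(username) + suffix

def find_user_filter(username, attr="cn"):
    """Auto-find user DN: filter for the lookup in the search branches."""
    return "(%s=%s)" % (attr, escape_filter_value(username))

if __name__ == "__main__":
    suffix = ",ou=SAN FRANCISCO,o=MyCompany"  # suffix from the example above
    for name in ("jsmith", "jsmith,ou=Admins", "*"):  # constructed inputs
        print(repr(name), "->", bind_dn(name, "cn=", suffix),
              "|", find_user_filter(name))
```

With escaping in place, a user name containing a comma or an asterisk stays a single attribute value and cannot redirect the bind to another branch or widen the search.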
Additional Information
Defining CPS to use Windows domain passwords for authentication (TechNote 2a983ee8)
Overview of LDAP settings in Contribute Publishing Server (TechNote 2f75982d)
LDAP Troubleshooting (TechNote tn_19493)
