When users try to log into FirstClass, they are authenticated by either the FirstClass server or the external LDAP server (remote authentication). Which server performs the authentication depends on the mode in which FCDS is running and on the server you chose for authentication when you configured your FirstClass server.
For external connections to FCDS, you can set FCDS to allow anonymous logins, secure connections (SSL), or both.
For remote authentications, you can specify an LDAP search filter. Only users who meet the filter requirements will be authenticated.
Note
Users can disallow remote authentication for a particular connection by selecting "FirstClass secure authentication only" on the Service Setup form.



Authentication and the FCDS mode
The FirstClass client supports cleartext passwords or passwords encrypted using MD5 or SHA hash algorithms.
For remote authentications, FCDS always passes cleartext passwords to the external LDAP server. At each login, users must enter their passwords, so that FCDS can pass this information in cleartext form to the external LDAP server. Users can't save passwords in their settings files, because the FirstClass client stores them in a hashed form that can't be converted to the cleartext form needed by FCDS. Users can save their user IDs, and this information, along with the typed passwords, will be sent in cleartext form.
Standalone mode
In standalone mode, all authentication and password maintenance is done by the FirstClass server.
Slave mode
In slave mode, you may be able to use either the FirstClass server or the external LDAP server to authenticate all users. Which server you can use depends on the type of LDAP server, and how it encrypts passwords.
Remote authentication and slave mode
If you choose either remote authentication or authentication by both servers, this will be the authentication method for all users owned by the external LDAP server. In the case of remote authentication only, if replicated users aren't authenticated on the external LDAP server, they won't be able to log into FirstClass.
If replication is disabled and hasn't taken place since FCDS was started, all users will be treated as if they were owned by the FirstClass server. In this case, a failure to authenticate on the external LDAP server will cause a fallback to authentication on the FirstClass server.
Master-slave mode
In master-slave mode, you may be able to use the external LDAP server to authenticate users owned by that server. This depends on the type of LDAP server, and how it encrypts passwords.
If you choose either remote authentication or authentication by both servers, this will be the authentication method for all users owned by the external LDAP server. Users owned by the FirstClass server will be authenticated by the FirstClass server.
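The routing rules in the slave and master-slave sections above can be modelled to check which accounts send a cleartext password to the LDAP server and which can still log in with a FirstClass-held password. This is an added example, not FCDS code; the mode, method and owner labels are hypothetical, and consulting the LDAP server first under "both" is an assumption.

```python
# Added example: a model of the rules described on this page, not FCDS code.
# The mode, method and owner strings are hypothetical labels.
MODES = {"standalone", "slave", "master-slave"}
METHODS = {"firstclass", "remote", "both"}

def auth_path(mode, method, owner, replicated_since_start=True):
    """Return the servers that can accept a login, in the order consulted."""
    if mode not in MODES or method not in METHODS:
        raise ValueError("unknown mode or method")
    if mode == "standalone" or method == "firstclass":
        return ("firstclass",)
    if mode == "slave" and not replicated_since_start:
        # Every user is treated as FirstClass-owned, and a failed LDAP
        # authentication falls back to the FirstClass server.
        return ("ldap", "firstclass")
    if owner == "firstclass":
        # Users not owned by the LDAP server are authenticated locally.
        return ("firstclass",)
    if method == "remote":
        return ("ldap",)
    # method == "both": consulting LDAP first is an assumption of this model.
    return ("ldap", "firstclass")

def audit(mode, method, users, replicated_since_start=True):
    """Report, per user, where the password goes and which server accepts it."""
    findings = []
    for name, owner in users:
        path = auth_path(mode, method, owner, replicated_since_start)
        if "ldap" in path:
            # FCDS always passes the password to the LDAP server in cleartext.
            findings.append((name, "cleartext password sent to LDAP server"))
        if method == "remote" and "firstclass" in path:
            findings.append((name, "FirstClass-held password still accepted"))
    return findings

# Constructed sample accounts: (user ID, owning server).
USERS = [("alice", "ldap"), ("bob", "firstclass")]

if __name__ == "__main__":
    for finding in audit("slave", "remote", USERS, replicated_since_start=False):
        print(finding)
```

With remote authentication only, the model shows the case worth checking after an FCDS restart: until replication has taken place, a login rejected by the LDAP server is still tried against the FirstClass server.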



Sun Microsystems iPlanet Directory Server considerations
The Sun Microsystems iPlanet Directory Server (iPlanet DS) can store passwords in either cleartext or encrypted form. Whichever form is used is the form in which passwords are replicated to the FirstClass Directory.
If passwords are cleartext, either the FirstClass server can authenticate logins or FCDS can pass user IDs and passwords to the iPlanet DS for authentication.
If passwords are encrypted, the iPlanet DS must authenticate logins.



Microsoft Active Directory considerations
Microsoft Active Directory (Active Directory) must do all password maintenance, encryption, storage, and authentication for users administered on it, because Active Directory doesn't replicate passwords to the FirstClass Directory.

