Server Authentication

Michael Roth

Date 9/12/2007

Copyright © 2006-2007 EMC Corporation. All rights reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC2, EMC, and EMC Documentum product names are trademarks of EMC Corporation. All other trademarks used herein are the property of their respective owners. All other brand names are trademarks or registered trademarks of their respective owners.

Table of Contents

Overview
Dm_checkpasswd
    Customizing dm_checkpasswd
    Using Windows Active Directory Authentication on UNIX
        Modifying the dm_check_password program
        Setting auth_protocol
        Setting up the domain controller map
        Setting the user_source Attribute
Custom Authentication Plug-ins
    Installation and Scoping of Plug-ins
        Defining a Plug-in Identifier
        Writing the Plug-in
        Tracing authentication plug-in operations
        Supporting Mix-Mode Authentication
Trusted logins
Unified logins
Appendix A – dmauthplug.h
Appendix B – Sample dm_netegrity.log
Appendix C – Sample Docbase Log with Authentication Tracing Enabled
Appendix D - Questionnaire

Overview

This paper discusses the authentication mechanisms that the Documentum Content Server supports out of the box and the ways in which these mechanisms can be augmented or customized. By default the Content Server supports authentication against the local operating system, an LDAP repository, Active Directory (for Windows hosts only) and a Netegrity policy server. Because a variety of authentication mechanisms are available, a simple workflow is used to determine how to authenticate the user:

1. If the password field of the connect or authenticate API call starts with DM_PLUGIN= then the specified plug-in is used.
2. If not, and if the user does not exist in the docbase, then authentication fails.
3. If the user exists in the docbase, then check the user source for the authentication mechanism.
   a. If the authentication mechanism is marked as none, then check the host OS.
      i. If the host OS is Windows, then use the internal Windows authentication.
      ii. If the host OS is UNIX, then use the dm_check_password program.

Dm_checkpasswd

The dm_check_password program is the default external program used by the Content Server to verify the user's credentials against the host operating system, Active Directory or an LDAP server (depending on the dm_user object configuration). On UNIX systems this program queries the local /etc/passwd file or an LDAP server to verify a user's password, and on Windows it queries the local (or specified) domain controller. It is possible to rebuild the dm_check_password program on UNIX-based systems to query against a Windows domain (see below for instructions).

Customizing dm_checkpasswd

Often it is necessary to modify dm_check_password, or to write a custom one, to accomplish the specific form of authentication which the client desires. It is in fact possible to completely replace the dm_check_password program with another program entirely of the client's design. Many third-party authentication schemes can be integrated this way. A replacement for dm_check_password must accept the following command-line arguments:

    [-silent]                         Run silently; does not prompt for values
    [-trace]                          Trace the authentication being done
    [-v]                              Verbose output
    [-d domain]                       Optional domain to verify the user against (AD)
    [-p pdc]                          Specify the primary domain controller to use
    [-b bdc]                          Specify the backup domain controller to use
    [-l first|only]                   Check locally first (before domain)
    [-m first|only]                   Check the domain first / only
    [-a bind_search_dn | bind_by_dn]  LDAP search modes
    [-h ]                             Specify the LDAP host to use

If the silent option is not chosen, then the dm_check_password program can be expected to run as follows:

    starfish% dm_check_password -trace
    Enter user name: dmadmin
    Enter user password:
    Enter user extra #1 (not used):
    Enter user extra #2 (not used):
    pSPWD->sp_expire = -1
    pSPWD->sp_max = -1
    pSPWD->sp_lstchg 10844
    dm_check_password: Result = (0) = (DM_EXT_APP_SUCCESS)

If the silent option is chosen, then the same inputs are expected, but the program should not print anything.

Once the customized dm_check_password is created, it needs to be installed under $DOCUMENTUM/dba/auth. When installing the dm_check_password program on a UNIX system, you must also ensure that the following criteria are met:

• The dm_check_password program is owned by root.
• Its group ownership must be that of the Documentum administrators group.
• The permissions must be set to 4550.

Finally, the Content Server needs to be configured to use this new program. To configure the Content Server, do the following:

1. Create a new dm_location object with the type of file, pointing to the location of the new dm_check_password program.
2. Modify the server config object, setting the validate user attribute to be the new location object which was created in step 1.

Using Windows Active Directory Authentication on UNIX

It is not possible to authenticate users against a Windows Active Directory when the Content Server is installed out of the box on a UNIX operating system (NB: on a Windows operating system this is not an issue). To enable this kind of authentication, the following steps need to be taken:

1. Create a custom dm_check_password program which supports Windows Active Directory.
2. Set the auth_protocol attribute on the docbase config object to unix_domain_used.
3. Set up a domain controller map.
4. Modify the user_source attribute for users in the repository.

Modifying the dm_check_password program

In order to support Windows domain authentication, you must recompile the dm_check_password program with the GNU SMB libraries. The steps to do so are as follows:

1. Obtain the GNU SMB library source code. This is available at Samba sites on the Web (e.g. http://www.samba.org).
2. Build the GNU SMB library.
3. Copy the smbvalid.a library from the /smbval directory to the $DM_HOME/install/external_apps/checkpass directory.
4. Copy the valid.h file from the /include directory to the $DM_HOME/install/external_apps/checkpass directory.
5. In the $DM_HOME/install/external_apps/checkpass directory, open the make_check_prog script.
6. In the make_check_prog script, set the do_domain variable to -Ddomain_authentication.

       set do_domain = -Ddomain_authentication

7. Set the domain_lib variable to smbvalid.a.

       set domain_lib=smbvalid.a

8. Follow the other instructions in the comments to the make_check_prog script.
9. Run the make_check_prog script. A new dm_check_password program is produced.
10. Copy dm_check_password to the $DOCUMENTUM/dba directory.
11. Log in as root.
12. Change the ownership of dm_check_password to root:

        chown root dm_check_password

13. Change dm_check_password's group to the group defined for the Documentum installation:

        chgrp group_name dm_check_password

14. Change the permissions on dm_check_password:

        chmod 6711 dm_check_password

Setting auth_protocol

You can use Administrator to edit the docbase config and set the auth_protocol to unix_domain_used.

Setting up the domain controller map

The domain controller map specifies which domain controllers are available to the Content Server for authentication. The map is stored as a dm_auth_config object in the repository (one per repository). These objects can and should be managed using Administrator. The dm_auth_config object has 3 repeating values:

• domain_name, which stores the names of Windows domains
• primary_controller, which stores the names of the primary controllers for the domain
• backup_controller, which stores the names of the backup controllers for the domain

The values at a particular index position in the primary_controller and backup_controller attributes identify the primary and backup controllers for the domain at the corresponding position in domain_name. To define a domain controller map, modify the docbase config object using Documentum Administrator. The values entered in all three attributes must be in lowercase. Additionally, do not enter a fully qualified name for a primary or backup domain controller. Enter only the host name.

To create or modify a domain map:

1. Connect as a Superuser to the repository whose docbase config object you want to modify.
2. In the left-hand pane, click Configuration.
3. Click Repository.
4. View the properties for the repository.
5. In the Authentication Protocol section, choose Windows domain authentication.
6. Click Define Domain Map.
7. Click Add.
8. Type in a domain, the primary controller, and the backup controller.
9. Click Ok.
10. The domain is displayed on the Domain Map page.
11. To delete a domain, check the checkbox next to its name and click Remove.
12. To modify a domain, check the checkbox next to its name and click Edit.
13. Click OK.

Setting the user_source Attribute

The final step is to update each of the users that need to be authenticated via the Windows domain controller. For each affected user, the user_source attribute needs to be updated to one of the following three values:

• domain only: The user is authenticated only against the Windows domain controller.
• UNIX first: The user is authenticated by checking the /etc/passwd or NIS server and then, if that fails, the Windows domain controller.
• domain first: The user is authenticated against the AD controller first, and then the local /etc/passwd and NIS database if that fails.

Custom Authentication Plug-ins

Authentication plug-ins are a shared library mechanism which the Content Server can use as an alternate means of authentication. Documentum currently ships an additional plug-in which is used to support Single Sign-On (SSO) using Netegrity SiteMinder. Further plug-ins can be developed to support other forms of SSO (e.g. RSA) or some other method of authentication.

Installation and Scoping of Plug-ins

For a plug-in to be available to the Content Server, it must be installed in $DOCUMENTUM/dba. Placing the plug-in in this location makes it available to all of the repositories which exist on that server. Should a plug-in only be needed for a specific repository, then it should be installed to $DOCUMENTUM/dba/. This way the plug-in is visible only to the one repository. In addition, should the plug-in require any additional libraries (e.g. the Netegrity plug-in requires the libsmagentapi.so library), these libraries should be placed under $DM_HOME/bin. If, on loading, there is more than one plug-in with the same identifier, only the first one found is loaded. All others are ignored.

Defining a Plug-in Identifier

Plug-in identifiers are defined as the return value of the dm_init method in the plug-in module's interface. A plug-in identifier must conform to the following rules:

• It must be no longer than 16 characters.
• It cannot contain spaces or non-alphanumeric characters.
• It cannot use the prefix dm_. (This prefix is reserved for Documentum.)

To include a plug-in identifier in a connection request (to indicate that custom plug-in authentication should be used), the application must prepend the following syntax to the password argument:

    DM_PLUGIN=plugin_identifier/

Plug-in identifiers are accepted in all methods that accept a password as an argument (Assume, Authenticate, Connect, Changepassword, and Signoff).
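The prefix syntax and identifier rules above, together with the decision order from the Overview, as an added C sketch (not Documentum's own code). All function and enum names are hypothetical; rejecting an empty identifier, matching the prefix case-sensitively and failing closed on a malformed prefix are assumptions the page does not state.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DM_PLUGIN_PREFIX "DM_PLUGIN="
#define DM_PLUGIN_ID_MAX 16            /* "no longer than 16 characters" */

enum id_check { ID_OK, ID_EMPTY, ID_TOO_LONG, ID_RESERVED_PREFIX, ID_BAD_CHAR };
enum auth_route { ROUTE_FAIL, ROUTE_PLUGIN, ROUTE_USER_SOURCE,
                  ROUTE_WINDOWS_INTERNAL, ROUTE_DM_CHECK_PASSWORD };

/* Check an identifier for a custom plug-in against the three rules above.
 * Rejecting the empty string is an assumption; the page does not cover it. */
enum id_check check_custom_plugin_id(const char *id)
{
    size_t len = strlen(id);
    if (len == 0) return ID_EMPTY;
    if (len > DM_PLUGIN_ID_MAX) return ID_TOO_LONG;
    if (strncmp(id, "dm_", 3) == 0) return ID_RESERVED_PREFIX;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)id[i])) return ID_BAD_CHAR;
    return ID_OK;
}

/* Split "DM_PLUGIN=<id>/<token>".
 * Returns 1 and fills id/token when the prefix is present and well formed,
 * 0 when the password carries no plug-in prefix, and -1 when the prefix is
 * present but the identifier is empty, unterminated or over 16 characters. */
int split_plugin_password(const char *password,
                          char id[DM_PLUGIN_ID_MAX + 1], const char **token)
{
    size_t prefix_len = strlen(DM_PLUGIN_PREFIX);
    if (strncmp(password, DM_PLUGIN_PREFIX, prefix_len) != 0) return 0;
    const char *start = password + prefix_len;
    const char *slash = strchr(start, '/');
    if (slash == NULL) return -1;
    size_t len = (size_t)(slash - start);
    if (len == 0 || len > DM_PLUGIN_ID_MAX) return -1;
    memcpy(id, start, len);
    id[len] = '\0';
    *token = slash + 1;                /* the token may itself contain '/' */
    return 1;
}

/* Decision order from the Overview. Failing closed on a malformed prefix
 * is an assumption of this sketch. */
enum auth_route route_login(const char *password, int user_exists,
                            int user_source_is_none, int host_is_windows)
{
    char id[DM_PLUGIN_ID_MAX + 1];
    const char *token;
    int r = split_plugin_password(password, id, &token);
    if (r == 1) return ROUTE_PLUGIN;
    if (r < 0 || !user_exists) return ROUTE_FAIL;
    if (!user_source_is_none) return ROUTE_USER_SOURCE;
    return host_is_windows ? ROUTE_WINDOWS_INTERNAL : ROUTE_DM_CHECK_PASSWORD;
}

int main(void)
{
    char id[DM_PLUGIN_ID_MAX + 1];
    const char *token = "";
    /* Constructed sample password argument. */
    if (split_plugin_password("DM_PLUGIN=mysso01/constructed-token", id, &token) == 1)
        printf("plug-in=%s id_check=%d token_len=%zu\n",
               id, check_custom_plugin_id(id), strlen(token));
    return 0;
}
```

The splitter accepts dm_-prefixed identifiers because the shipped dm_netegrity plug-in uses one; only check_custom_plugin_id applies the rules for identifiers you define yourself.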

Writing the Plug-in

When creating a new plug-in you need to create a new shared library (UNIX) or DLL (Windows). This library must implement the following interfaces:

dm_init(void *inPropBag, void *outPropBag)
    Called by Content Server when it starts up. The method must return the plug-in identifier for the module. The plug-in identifier should be unique among the modules loaded by a server. If it is not unique, Content Server uses the first one loaded and logs a warning in the server log file.

dm_authenticate_user(void *inPropBag, void *outPropBag)
    Performs the actual user authentication.

dm_change_password(void *inPropBag, void *outPropBag)
    Changes a user's password.

dm_plugin_version(major, minor)
    Identifies the version of the interface in use. 1.0 is the only supported version.

dm_deinit(void *inPropBag, void *outPropBag)
    Called by Content Server when the server shuts down. It frees up resources allocated by the module.

The propBag objects are abstract objects used to pass the input and output values of each of the methods. The header file

    $DM_HOME/install/external_apps/authplugins/include/dmauthplug.h

defines which values are available (see the end of the document for a copy of the dmauthplug.h file). In your code you can access the variables in the inPropBag using code such as:

    char docbaseName[DM_MAX_DOCBASE_LEN] = "";
    const char *name = dmGetProperty(inPropBag, DM_DOCBASE_NAME);
    if (name != NULL)   /* bounded copy: the value must never overflow docbaseName */
        snprintf(docbaseName, sizeof(docbaseName), "%s", name);

As for setting the values:

    dmSetProperty(outPropBag, DM_ERROR_MSG, "Sorry, I couldn't authenticate this user!");

There is a shell script (UNIX) which can be used to compile your plug-in. It can be found under

    $DM_HOME/install/external_apps/authplugins/sampleauth

and can be modified to support your plug-in. Additionally, all plug-ins must link to the dmauthplug.lib file. (On UNIX, the dmauthplug.lib file is named dmauthplug.a.) This file is found in %DM_HOME%\install\external_apps\authplugins\include ($DM_HOME/install/external_apps/authplugins/include).
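A minimal plug-in that implements the five entry points described above, added here as an illustration and not taken from the Documentum sample code. The two property bag functions are small stand-ins so the block compiles without dmauthplug.a; the identifier samplesso and the in-memory credential are constructed, and a missing property returning NULL is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Property names and limits as listed in dmauthplug.h (Appendix A). */
#define DM_USER_LOGIN_NAME "user_login_name"
#define DM_AUTH_TOKEN      "authentication_token"
#define DM_PLUGIN_ID       "plugin_id"
#define DM_ERROR_MSG       "error_message"
#define DM_MAX_ERROR_LEN   256

/* Stand-in property bag so the example runs by itself. A real plug-in
 * includes dmauthplug.h and links dmauthplug.a instead of this section. */
#define BAG_SLOTS 8
struct bag { const char *name[BAG_SLOTS]; char value[BAG_SLOTS][DM_MAX_ERROR_LEN]; int used; };

char *dmGetProperty(const void *propBag, const char *name)
{
    struct bag *b = (struct bag *)propBag;
    for (int i = 0; i < b->used; i++)
        if (strcmp(b->name[i], name) == 0) return b->value[i];
    return NULL;                       /* assumption: missing property -> NULL */
}

void dmSetProperty(void *propBag, const char *name, const char *value)
{
    struct bag *b = propBag;
    char *slot = dmGetProperty(b, name);
    if (slot == NULL) {
        if (b->used == BAG_SLOTS) return;
        b->name[b->used] = name;
        slot = b->value[b->used++];
    }
    snprintf(slot, DM_MAX_ERROR_LEN, "%s", value);   /* truncates, never overflows */
}

/* Constructed credential; a real plug-in asks its SSO or directory backend. */
static const char demo_login[] = "alice";
static const char demo_token[] = "constructed-token-1";

/* Compare without stopping at the first differing byte. */
static int tokens_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

void dm_plugin_version(unsigned int *major, unsigned int *minor)
{
    *major = 1; *minor = 0;            /* 1.0 is the only supported version */
}

int dm_init(const void *inPropBag, void *outPropBag)
{
    (void)inPropBag;
    dmSetProperty(outPropBag, DM_PLUGIN_ID, "samplesso");   /* hypothetical id */
    return 1;                          /* 1 = success, 0 = failure */
}

int dm_authenticate_user(const void *inPropBag, void *outPropBag)
{
    const char *login = dmGetProperty(inPropBag, DM_USER_LOGIN_NAME);
    const char *token = dmGetProperty(inPropBag, DM_AUTH_TOKEN);
    if (login != NULL && token != NULL && token[0] != '\0' &&
        strcmp(login, demo_login) == 0 && tokens_equal(token, demo_token))
        return 1;
    /* One message for every failure; the token is never echoed back. */
    dmSetProperty(outPropBag, DM_ERROR_MSG, "Authentication failed");
    return 0;
}

int dm_change_password(const void *inPropBag, void *outPropBag)
{
    (void)inPropBag;
    dmSetProperty(outPropBag, DM_ERROR_MSG, "Password change is not supported");
    return 0;
}

void dm_deinit(const void *inPropBag, void *outPropBag)
{
    (void)inPropBag; (void)outPropBag; /* nothing allocated, nothing to free */
}
```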

Tracing authentication plug-in operations

Plug-ins are responsible for writing their own trace files. The trace level is determined by the DM_TRACE_LEVEL parameter in the input property bag. The initial value of the parameter is taken from the server startup flag -otrace_authentication. However, if a user issues a SET_OPTIONS administration method that changes the trace authentication level, the new level will be reflected in the plug-in tracing. The suggested location of the trace file is defined by the DM_LOGDIR_PATH parameter in the dm_init method.

Supporting Mix-Mode Authentication

Often, custom plug-ins (such as the Netegrity one shipped by Documentum) are usable only by certain client applications (e.g. Webtop) and not by others. To support this kind of environment, it is possible to use the custom plug-in only from those applications which do support it. This is achieved by specifying a default authentication mechanism for all of the users (normally LDAP or Active Directory). Applications to which the custom plug-in does apply should create the passwords with the DM_PLUGIN= identifier as shown above. This overrides the default user source and uses the specified plug-in instead.

Trusted logins

Trusted logins occur when the client is running on the same machine as the Content Server, the client user is the installation owner, and the installation owner’s domain is the same as that defined in user_auth_target.

Unified logins

Unified login is a feature available for users on Windows platforms. It allows users to connect to a repository through Documentum Desktop using their Windows login credentials. To enable unified login:

1. Set the a_silent_login attribute of the server config object to T.
2. Set the Use Windows Login option on the Desktop Client interface for each repository for which you want to use unified login.

Refer to the Desktop Client online help for instructions.

Appendix A – dmauthplug.h

/*
** dmauthplug.h
**
** This header file defines constants and structures needed to
** implement custom authentication plugins for the Documentum server.
*/

/*
** Input property names passed in various methods.
*/
#define DM_USER_NAME            "user_name"
#define DM_USER_LOGIN_NAME      "user_login_name"
#define DM_USER_LOGIN_DOMAIN    "user_login_domain"
#define DM_USER_OS_NAME         "user_os_name"
#define DM_USER_OS_DOMAIN       "user_os_domain"
#define DM_USER_LDAP_DN         "user_ldap_dn"
#define DM_AUTH_TOKEN           "authentication_token"
#define DM_AUTH_TOKEN_OLD       "old_authentication_token"
#define DM_AUTH_TOKEN_NEW       "new_authentication_token"
#define DM_USER_ARG             "user_arg"
#define DM_DOCBASE_NAME         "docbase_name"
#define DM_SERVER_VERSION       "server_version"
#define DM_LOGDIR_PATH          "logdir_path"
#define DM_PLUGINDIR_PATH       "plugindir_path"
#define DM_TRACE_LEVEL          "trace_level"
#define DM_IS_TRACE_INIT        "is_trace_init"

/*
** Output property names passed in various methods.
*/
#define DM_PLUGIN_ID            "plugin_id"
#define DM_CODEPAGE             "codepage"
#define DM_ERROR_MSG            "error_message"
#define DM_TEMP_TOKENS          "temp_tokens"

/*
** List of supported code pages.
*/
#define DM_US_ASCII             "US-ASCII"
#define DM_UTF_8                "UTF-8"
#define DM_ISO_8859_1           "ISO_8859-1"
#define DM_Shift_JIS            "Shift_JIS"
#define DM_EUC_JP               "EUC-JP"
#define DM_EUC_KR               "EUC-KR"

/*
** Some useful constants.
*/
#define DM_TRACE_ON             "1"
#define DM_TRACE_IS_INITIALIZED "1"
#define DM_MAX_FILE_PATH_LEN    256
#define DM_MAX_ERROR_LEN        256
#define DM_MAX_DOCBASE_LEN      32
#if defined(WIN32)
#define DM_OS_PATH_SEPARATOR    '\\'
#else
#define DM_OS_PATH_SEPARATOR    '/'
#endif
#define DM_TEMP_TOKENS_TRUE     "1"
#define DM_TEMP_TOKENS_FALSE    "0"

#if defined(unix)
#if defined (__cplusplus)
extern "C" {
#endif
#endif

/* Function: dm_plugin_version
** Purpose: Communicate the version of plugin protocol to DCTM
**
** Inputs:
**   None
** Outputs:
**   major  Major version number
**   minor  Minor version number
*/
void dm_plugin_version(unsigned int *major, unsigned int *minor);

/* Function: dm_init
** Purpose: Initialize plugin specific global data structures and other.
**
** Inputs:
**   inPropBag   Collection of name/value pairs passed by the server.
**               Use dmGetProperty to retrieve the values.
**     DM_DOCBASE_NAME    The name of the docbase
**     DM_SERVER_VERSION  Server version
**     DM_LOGDIR_PATH     Path to the log directory (usually $DOCUMENTUM/dba/log)
**     DM_PLUGINDIR_PATH  Directory where plugin is located
**     DM_TRACE_LEVEL     Trace level (0 = trace off; 1 = trace on)
** Outputs:
**   outPropBag  Collection of name/value pairs to pass back to the server
**               The following properties must/can be set:
**     DM_PLUGIN_ID    Unique identifier of the authentication plugin. This value
**                     **must** be set! The ID can be max. 16 characters.
**     DM_CODEPAGE     Codepage that the plugin wishes to use. If not set, the values
**                     in inPropBag for future calls to dm_authenticate_user and
**                     dm_change_password will be passed in same codepage as server
**     DM_TEMP_TOKENS  Indicates if the plugin uses temporary tokens for authentication.
**                     If yes, set the value to DM_TEMP_TOKENS_TRUE, otherwise set it to
**                     DM_TEMP_TOKENS_FALSE or don't set it. This affects how the server
**                     will handle reauthentication attempts after session timeouts.
**                     If the tokens are temporary, the server will store them in memory after
**                     the initial connect call and use them for future reconnect attempts. If the
**                     tokens are not temporary, the plugin's dm_authenticate_method will be called
**                     for each reconnect with the same token.
**     DM_ERROR_MSG    Error message if applicable (255 chars max.)
** Returns:
**   0 in case of failure, 1 in case of success
*/
int dm_init(const void *inPropBag, void *outPropBag);

/* Function: dm_authenticate_user
** Purpose: Authenticate user credentials.
**
** Inputs:
**   inPropBag   Collection of name/value pairs passed by the server.
**               Use dmGetProperty to retrieve the values.
**     DM_USER_LOGIN_NAME    Login name of the user
**     DM_USER_OS_NAME       Operating system name of the user
**     DM_USER_NAME          User-friendly name of the user
**     DM_USER_LDAP_DN       LDAP Distinguished Name of the user
**     DM_USER_LOGIN_DOMAIN  Login domain of the user
**     DM_USER_OS_DOMAIN     Windows domain of the user
**     DM_USER_ARG           Optional extra argument
**     DM_AUTH_TOKEN         Authentication token
**     DM_TRACE_LEVEL        Trace level (0 = trace off; 1 = trace on)
**     DM_IS_TRACE_INIT      0 = trace has not been initialized yet; 1 = trace has
**                           been initialized
** Outputs:
**   outPropBag  Collection of name/value pairs to pass back to the server
**               The following property can be set:
**     DM_ERROR_MSG  Error message if applicable (255 chars max.)
** Returns:
**   0 in case of failure, 1 in case of success
*/
int dm_authenticate_user(const void *inPropBag, void *outPropBag);

/* Function: dm_change_password
** Purpose: Changes user's password.
**
** Inputs:
**   inPropBag   Collection of name/value pairs passed by the server.
**               Use dmGetProperty to retrieve the values.
**     DM_USER_LOGIN_NAME    Login name of the user
**     DM_USER_OS_NAME       Operating system name of the user
**     DM_USER_NAME          User-friendly name of the user
**     DM_USER_LDAP_DN       LDAP Distinguished Name of the user
**     DM_USER_LOGIN_DOMAIN  Login domain of the user
**     DM_USER_OS_DOMAIN     Windows domain of the user
**     DM_AUTH_TOKEN_OLD     Old authentication token
**     DM_AUTH_TOKEN_NEW     New authentication token
**     DM_TRACE_LEVEL        Trace level (0 = trace off; 1 = trace on)
**     DM_IS_TRACE_INIT      0 = trace has not been initialized yet; 1 = trace has
**                           been initialized
** Outputs:
**   outPropBag  Collection of name/value pairs to pass back to the server
**               The following property can be set:
**     DM_ERROR_MSG  Error message if applicable (255 chars max.)
** Returns:
**   false in case of failure, true in case of success
*/
int dm_change_password(const void *inPropBag, void *outPropBag);

/* Function: dm_deinit
** Purpose: Deinitialize plugin specific resources.
**
** Inputs:
**   inPropBag   Collection of name/value pairs passed by the server.
**               Use dmGetProperty to retrieve the values.
**     DM_TRACE_LEVEL    Trace level (0 = trace off; 1 = trace on)
**     DM_IS_TRACE_INIT  0 = trace has not been initialized yet; 1 = trace has
**                       been initialized
** Outputs:
**   outPropBag  Collection of name/value pairs to pass back to the server
**               Currently, no properties can be set.
*/
void dm_deinit(const void *inPropBag, void *outPropBag);

/*
** Utility functions to manipulate propBags.
*/
void *dmCreatePropertyBag();
void dmDestroyPropertyBag(void *propBag);
char *dmGetProperty(const void *propBag, const char *name);
void dmSetProperty(void *propBag, const char *name, const char *value);
typedef int (*dmPropBagIteratorCallback)(void *appdata, const char *name, const char *value);
void dmIteratePropBag(void *propBag, void *appdata, void *iter);

/*
** Internal use only.
*/
void dm_cleanup(void *propBag);

#if defined(unix)
#if defined (__cplusplus)
}
#endif
#endif

Appendix B – Sample dm_netegrity.log

Documentum Authentication Plugin Trace File
(c) Copyright Documentum, Inc., 2002
All rights reserved.

06/22/06 11:27:43 Initializing dm_netegrity plugin
06/22/06 11:27:43 Instantiated SiteMinder agent
06/22/06 11:27:46 Host 192.168.1.5 Timed-out.. Skipping 192.168.1.5 IP Address
06/22/06 11:27:49 Host 192.168.1.6 Timed-out.. Skipping 192.168.1.6 IP Address
06/22/06 11:27:50 Initialization failed: The server could not be reached (SM_AGENTAPI_FAILURE)

Appendix C – Sample Docbase Log with Authentication Tracing Enabled

Wed Nov 8 12:06:42 2006 671609: 22684[22684] AT 22684: StartAuthenticateUserName:
Wed Nov 8 12:06:42 2006 671731: 22684[22684] AT 22684: OtherNameForUser: auth_protocol()
Wed Nov 8 12:06:42 2006 690294: 22684[22684] AT 22684: End-AuthenticateUserName: dm_user.user_os_domain()
Wed Nov 8 12:06:42 2006 690381: 22684[22684] AT 22684: success
Wed Nov 8 12:06:42 2006 690468: 22684[22684] AT 22684: Found dm_user.user_os_name(dmadmin), dm_user.user_os_domain()
Wed Nov 8 12:06:42 2006 690561: 22684[22684] AT 22684: StartAuthenticateDomain:UserOSName(dmadmin), UserDomain(), auth_protocol()
Wed Nov 8 12:06:42 2006 690667: 22684[22684] AT 22684: End-AuthenticateDomain:
Wed Nov 8 12:06:42 2006 690768: 22684[22684] AT 22684: success
Wed Nov 8 12:06:42 2006 690872: 22684[22684] AT 22684: StartAuthenticateUserState:UserOSName(dmadmin), UserDomain()
Wed Nov 8 12:06:42 2006 690947: 22684[22684] AT 22684: StartAuthenticateUserState:
Wed Nov 8 12:06:42 2006 691029: 22684[22684] AT 22684: dmStateForUser: auth_protocol()
Wed Nov 8 12:06:42 2006 691114: 22684[22684] AT 22684: End-AuthenticateUserState:
Wed Nov 8 12:06:42 2006 691175: 22684[22684] AT 22684: success
Wed Nov 8 12:06:42 2006 691252: 22684[22684] AT 22684: StartAuthenticateUserByTicket:UserOSName(dmadmin),
Wed Nov 8 12:06:42 2006 691351: 22684[22684] AT 22684: EndAuthenticateUserByTicket:
Wed Nov 8 12:06:42 2006 691415: 22684[22684] AT 22684: failure
Wed Nov 8 12:06:42 2006 691507: 22684[22684] AT 22684: StartAuthenticateByTrust:OSLogonName(dmadmin), UserOSName(dmadmin), OSLogonDomain(), UserDomain()
Wed Nov 8 12:06:42 2006 691609: 22684[22684] AT 22684: End-AuthenticateByTrust:
Wed Nov 8 12:06:42 2006 691673: 22684[22684] AT 22684: success
Wed Nov 8 12:07:23 2006 576430: 22703[22703] AT 22703: Start-AuthenticateUser: ClientHost(torham.corp.emc.com), LogonName(dmadmin), LogonOSName(dmadmin), LogonOSDomain(), UserDomain(), ServerDomain()
Wed Nov 8 12:07:23 2006 576686: 22703[22703] AT 22703: StartAuthenticateUserName:
Wed Nov 8 12:07:23 2006 576815: 22703[22703] AT 22703: OtherNameForUser: auth_protocol()
Wed Nov 8 12:07:23 2006 576958: 22703[22703] AT 22703: End-AuthenticateUserName: dm_user.user_os_domain()
Wed Nov 8 12:07:23 2006 577024: 22703[22703] AT 22703: success
Wed Nov 8 12:07:23 2006 577108: 22703[22703] AT 22703: Found dm_user.user_os_name(dmadmin), dm_user.user_os_domain()
Wed Nov 8 12:07:23 2006 577199: 22703[22703] AT 22703: StartAuthenticateDomain:UserOSName(dmadmin), UserDomain(), auth_protocol()
Wed Nov 8 12:07:23 2006 577324: 22703[22703] AT 22703: End-AuthenticateDomain:
Wed Nov 8 12:07:23 2006 577390: 22703[22703] AT 22703: success

Appendix D - Questionnaire

1. What authentication mechanisms are supported out of the box?
2. Is it possible to use Active Directory for UNIX-based repositories?
3. What methods does a custom plug-in need to implement?
4. How can you specify that a specific plug-in needs to be used for authentication?
5. How do you configure Unified Logins?
