Authentication record priority

Each authentication record has a priority. If a user is granted more than one authentication record, OpenText™ Analytics Database attempts to authenticate the user with the authentication record with the highest priority and rejects the user if authentication fails.

There are two ways to authenticate with a record other than that with the highest priority:

  • Fallthrough authentication: If authentication fails, the database attempts to authenticate the client with the record with the next highest priority.

  • Authentication filtering: Clients can send the credentials required for a particular authentication method to authenticate with a record that uses that method.

Determining authentication priority

The following factors contribute to an authentication record's priority, as reflected in the CLIENT_AUTH system table:

=> SELECT auth_name, auth_method, auth_priority, method_priority, address_priority FROM client_auth;
   auth_name   | auth_method | auth_priority | method_priority | address_priority
---------------+-------------+---------------+-----------------+------------------
 ldap_auth     | LDAP        |             5 |               5 |               96
 hash_auth     | HASH        |             5 |               2 |              126
 tls_auth      | TLS         |             0 |               5 |               96
 oauth_auth    | OAUTH       |             0 |               5 |               96
 gss_auth      | GSS         |             0 |               5 |               96
 trust_auth    | TRUST       |             0 |               0 |               96
 reject_auth   | REJECT      |             0 |              10 |               96
(7 rows)

Priorities are divided into tiers and listed below in order of importance; in the event of a tie at one priority tier, the database checks the next priority tier. For example, if a user had both ldap and hash authentication records with an auth_priority of 5, the database would attempt to use the ldap authentication record first because it has the greater method_priority value (5 versus 2):

  1. auth_priority: The priority explicitly set with ALTER AUTHENTICATION (default: 0).

  2. method_priority: The priority specific to the authentication method. These priorities are as follows:

    • trust: 0

    • hash: 2

    • ldap: 5

    • tls: 5

    • oauth: 5

    • gss: 5

    • reject: 10

  3. address_priority: The priority for the IP address specified in HOST [ TLS | NO TLS ] 'host-ip-address'. This priority is determined by the size of the netmask of the address: the fewer zero bits in the netmask, the more specific the address, and therefore the higher the priority. LOCAL has the lowest priority: 0.
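The following is an added illustration, not code from the database or its documentation: it parses the CLIENT_AUTH rows shown above (embedded as constructed sample text), ranks them by the three tiers in the order just described, and returns the order in which fallthrough authentication would try them, optionally narrowed by authentication filtering to one method. The address_priority values are taken from the table as given; the example does not derive them from a netmask, and the page defines no tie-break beyond the third tier.

```python
from dataclasses import dataclass

# Per-method priorities as listed on the page.
METHOD_PRIORITY = {"TRUST": 0, "HASH": 2, "LDAP": 5, "TLS": 5,
                   "OAUTH": 5, "GSS": 5, "REJECT": 10}

# Constructed sample: the data rows of the CLIENT_AUTH query output above.
CLIENT_AUTH_ROWS = """\
 ldap_auth     | LDAP        |             5 |               5 |               96
 hash_auth     | HASH        |             5 |               2 |              126
 tls_auth      | TLS         |             0 |               5 |               96
 oauth_auth    | OAUTH       |             0 |               5 |               96
 gss_auth      | GSS         |             0 |               5 |               96
 trust_auth    | TRUST       |             0 |               0 |               96
 reject_auth   | REJECT      |             0 |              10 |               96
"""

@dataclass(frozen=True)
class AuthRecord:
    name: str
    method: str
    auth_priority: int
    method_priority: int
    address_priority: int

    def rank(self):
        # Tiers in order of importance; a tie at one tier falls to the next.
        return (self.auth_priority, self.method_priority, self.address_priority)

def parse_client_auth(text):
    """Turn the pipe-separated rows into AuthRecord objects."""
    records = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 5:
            continue  # skip anything that is not a data row
        name, method, ap, mp, adp = cols
        rec = AuthRecord(name, method, int(ap), int(mp), int(adp))
        if METHOD_PRIORITY.get(method) != rec.method_priority:
            raise ValueError(f"{name}: method_priority does not match {method}")
        records.append(rec)
    return records

def fallthrough_order(records, method=None):
    """Names in the order the database would try them: highest rank first.
    method (hypothetical filter argument) models authentication filtering,
    where the client supplies credentials for one specific method."""
    pool = [r for r in records if method is None or r.method == method.upper()]
    return [r.name for r in sorted(pool, key=AuthRecord.rank, reverse=True)]
```

Note that reject_auth, with method_priority 10, outranks every record whose auth_priority is also 0, so an explicit PRIORITY on ALTER AUTHENTICATION is what moves a method ahead of it.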

Setting authentication priority

To set authentication priority:

=> ALTER AUTHENTICATION authentication_name PRIORITY value;

See also