Authentication record priority
Each authentication record has a priority. If a user is granted more than one authentication record, OpenText™ Analytics Database attempts to authenticate the user with the authentication record with the highest priority and rejects the user if authentication fails.
There are two ways to authenticate with a record other than that with the highest priority:
-
Fallthrough authentication: If authentication fails, the database attempts to authenticate the client with the record with the next highest priority.
-
Authentication filtering: Clients can send the credentials required for a particular authentication method to authenticate with a record that uses that method.
Determining authentication priority
The following factors contribute to an authentication record's priority, as reflected in the CLIENT_AUTH system table:
=> SELECT auth_name, auth_method, auth_priority, method_priority, address_priority FROM client_auth;
auth_name | auth_method | auth_priority | method_priority | address_priority
---------------+-------------+---------------+-----------------+------------------
ldap_auth | LDAP | 5 | 5 | 96
hash_auth | HASH | 5 | 2 | 126
tls_auth | TLS | 0 | 5 | 96
oauth_auth | OAUTH | 0 | 5 | 96
gss_auth | GSS | 0 | 5 | 96
trust_auth | TRUST | 0 | 0 | 96
reject_auth | REJECT | 0 | 10 | 96
(7 rows)
Note
Greater values indicate higher priorities. For example:
-
A priority of 10 is higher than a priority of 5.
-
A priority 0 is the lowest possible value.
Priorities are divided into tiers and listed in order of importance; in the event of a tie at one priority tier, the database checks the next priority tier. For example, if a user had both ldap and hash authentication records with an auth_priority of 5, the database would attempt to use the ldap authentication record because it has a greater method_priority value:
-
auth_priority: The priority explicitly set with ALTER AUTHENTICATION (default: 0). -
method_priority: The priority specific to the authentication method. These priorities are as follows:-
trust: 0 -
hash: 2 -
ldap: 5 -
tls: 5 -
oauth: 5 -
gss: 5 -
reject: 10
-
-
address_priority: The priority for IP address specified inHOST [ TLS | NO TLS ] 'host-ip-address'. This priority is determined by the size of the netmask of the address; fewer zeros indicate greater specificity, and therefore higher priority.LOCALhas the lowest priority: 0.
Setting authentication priority
To set authentication priority:
=> ALTER AUTHENTICATION authentication_name PRIORITY value;