Question about authentication

Article ID: 211767

Products

CA Harvest Software Change Manager

Issue/Introduction

We want operator users to be able to connect from the Workbench client and the Administrator Tool to a Harvest agent (Solaris, Linux, Windows) without knowing the password, whether through trust keys, SSH, LDAP or two-factor authentication.

Environment

Release : 13.0.3

Component : CA HARVEST SCM INFRASTRUCTURE (BROKER/AGENT/PEC/SECURITY)

Resolution

One thing you should know about the Harvest Agent is that it can run in 2 different modes:

- If the agent is started as a service on Windows, or from the "root" user ID on Unix / Linux, it is running in "Multi-user" mode. That means anyone who has permission to log in to the computer the agent is running on can connect to the agent with their own user ID and password login credentials.
- If the agent is started from a command prompt in Windows, or from a user ID other than the "root" user ID, it is running in "Single-user" mode. That means that all users connecting to that agent will use the same user ID and password. In this case, you choose the password when you start the agent process and it does not have to be the same as the Windows / Linux / Unix login password for the user ID.

In both cases, users either use their own login credentials, whose password they already know, or all use the same agent-specific user ID and password. In the second case, the Windows / Linux / Unix password for the agent user ID does not have to be supplied to or known by users.

For "Multi-user" mode, the way users and passwords are authenticated can be configured in the HAgent.arg file:

- authmode = internal
  On Windows, this is the mode most often used because it allows the Windows operating system to authenticate in the same way that it would if the user logged on to the agent machine with Remote Desktop. If the Windows machine is a member of a domain, Windows automatically manages LDAP and you do not need to configure it separately for the agent.
  On Linux / Unix, the operating system tries to authenticate the user ID and password based on whether the user ID and password are in the local "passwd" file.
- authmode = openldap
  The operating system of the agent machine will use the settings in the HAgent.arg file to contact an LDAP server and authenticate the user ID that way.
- authmode = pam
  This mode is only available on Linux / Unix operating systems and makes use of the "Pluggable Authentication Module" (PAM) of the operating system to provide the specific method to authenticate users.

So, whether you run the Harvest agent in multi-user mode and let users provide their own user IDs and passwords (which they already know), or in single-user mode with an agent-specific password that differs from the operating system password for the agent user ID, the user does not need to know the login credentials of another user to use the Harvest agent.
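The rules above can be turned into a small review check. This is an added example, not CA Harvest code: it combines how the agent was started with the `authmode` value to report which authentication path applies and flags combinations the article rules out. The function names, the tolerated leading `-` and `#` comment lines, and the sample file content are assumptions.

```python
import re

# Values the article lists for authmode in HAgent.arg.
KNOWN_AUTHMODES = {"internal", "openldap", "pam"}

def read_authmode(arg_text):
    """Return the last authmode value in HAgent.arg text, or None.
    Assumption: one option per line in the 'authmode = value' form the
    article shows; a leading '-' is tolerated but not confirmed syntax."""
    mode = None
    for line in arg_text.splitlines():
        m = re.match(r"\s*-?authmode\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            mode = m.group(1).lower()
    return mode

def describe_agent(platform, started_as_root_or_service, arg_text):
    """Summarise how an agent authenticates, following the article.
    platform: 'windows' or 'unix' (Linux / Unix).
    started_as_root_or_service: True for a Windows service or a root start."""
    notes = []
    mode = read_authmode(arg_text)
    if not started_as_root_or_service:
        notes.append("single-user: every user shares the agent-specific user ID and password")
        if mode:
            notes.append("authmode is set, but the article describes it for multi-user mode only")
        return "single-user", None, notes
    if mode is None:
        notes.append("authmode not set in HAgent.arg")
    elif mode not in KNOWN_AUTHMODES:
        notes.append(f"authmode '{mode}' is not one of {sorted(KNOWN_AUTHMODES)}")
    elif mode == "pam" and platform == "windows":
        notes.append("authmode pam is only available on Linux / Unix")
    elif mode == "internal" and platform == "unix":
        notes.append("internal on Linux / Unix checks the local passwd file")
    elif mode == "internal":
        notes.append("internal on Windows: the OS authenticates, domain included")
    elif mode == "openldap":
        notes.append("LDAP server settings are read from HAgent.arg")
    else:
        notes.append("authentication is delegated to the OS PAM stack")
    return "multi-user", mode, notes

# Constructed sample file content, not taken from a real installation.
SAMPLE = "# constructed sample\nauthmode = pam\n"
```

Calling `describe_agent("unix", True, SAMPLE)` reports multi-user mode with PAM, while the same file on a Windows agent is flagged because `pam` is not available there.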

Please let me know if this makes sense and is the information you need.