Authentication Concepts
The first thing a client program must do is log in to Agent with a valid user name and password. Agent checks that the user exists in a user database (the authentication database) and that the supplied password is correct. If the credentials are valid, the user's security settings are retrieved from the database and used to determine the user's access rights, that is, which Agent API calls the user may execute. Agent uses the following authentication databases:
- System Authentication Database. This is the user registry of the host operating system, so you can log on to Agent with an account that exists in the operating system of the Hardware Node. When Agent is first installed, the only account you can use to log on is the system administrator account: the root user on Linux or the Administrator user on Windows. By default, the host system administrator is granted all access rights in Agent: the user can execute any Agent API call and has full access to the Hardware Node and all of its Virtuozzo Containers.
- Parallels Internal Authentication Database. Virtuozzo Containers software comes with its own internal authentication database, which stores the Virtuozzo- and Agent-specific authentication information. For example, the built-in security roles used in Virtuozzo Tools are stored here, and you can use it to store your own Agent users. The database also stores the Agent-specific security profiles (permissions and access rights) for users held in the System Authentication Database (above) and for external users (below).
- External Authentication Database (LDAP-compliant directory). The third authentication database type is an external LDAP-compliant directory, such as Active Directory or ADAM on Windows, or OpenLDAP on Linux. Agent can authenticate users against an existing directory, so you can use existing user databases without duplicating the users in the Parallels Internal Database. All you have to do is create Agent security profiles for these users, either through Virtuozzo Tools or programmatically through Agent. The security profiles are stored in the Agent Internal Database and internally linked to the user accounts in the external LDAP directory. In other words, authentication of such a user is performed against the external LDAP directory, but authorization (determining the user's access rights) is always performed using the user's security profile in the Parallels Internal Database.
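The split described above, authentication against one of three databases but authorization always from the internal database, as an added illustrative model written for this page. It is not Parallels Agent's API or code: the realm classes, the first-match lookup order across databases, the profile keying by (database, user name), the permission names and the sample accounts are all assumptions. One consequence of the design that the model makes visible is the external user who authenticates against the directory but has no security profile yet; here such a user is logged in with an empty set of rights (an assumption, the page does not say how Agent treats this case).

```python
"""Toy model of Agent-style authentication vs. authorization.
Illustrative code for this page only; not Parallels Agent's API."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

ALL_RIGHTS = frozenset({"*"})  # hypothetical wildcard meaning "every API call"


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the toy realms never store plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Realm:
    """One authentication database: user name -> (salt, derived key)."""

    def __init__(self, name: str, users: dict[str, str]):
        self.name = name
        self._creds: dict[str, tuple[bytes, bytes]] = {}
        for user, pw in users.items():
            salt = os.urandom(16)
            self._creds[user] = (salt, _derive(pw, salt))

    def has_user(self, user: str) -> bool:
        return user in self._creds

    def authenticate(self, user: str, password: str) -> bool:
        entry = self._creds.get(user)
        if entry is None:
            _derive(password, b"\0" * 16)  # equal work for unknown users
            return False
        salt, expected = entry
        return hmac.compare_digest(_derive(password, salt), expected)


class InternalDatabase(Realm):
    """Internal database: its own users plus the security profiles of
    users from every realm, keyed by (realm name, user name)."""

    def __init__(self, users: dict[str, str],
                 profiles: dict[tuple[str, str], frozenset[str]]):
        super().__init__("internal", users)
        self.profiles = dict(profiles)


@dataclass(frozen=True)
class Session:
    realm: str
    user: str
    rights: frozenset[str]

    def can(self, api_call: str) -> bool:
        return "*" in self.rights or api_call in self.rights


def login(user: str, password: str, system: Realm, internal: InternalDatabase,
          external: Realm, host_admin: str) -> Session | None:
    # Assumed lookup order: host OS registry, internal DB, then LDAP.
    for realm in (system, internal, external):
        if realm.has_user(user):
            break
    else:
        return None
    if not realm.authenticate(user, password):
        return None
    # Authorization always comes from the internal DB, whichever realm
    # authenticated the user; only the host admin gets rights implicitly.
    if realm is system and user == host_admin:
        rights = ALL_RIGHTS
    else:
        rights = internal.profiles.get((realm.name, user), frozenset())
    return Session(realm.name, user, rights)


# Constructed sample data; none of these accounts or permissions are real.
SYSTEM = Realm("system", {"root": "r00t-pass", "alice": "alice-pass"})
EXTERNAL = Realm("ldap", {"bob": "bob-pass", "carol": "carol-pass"})
INTERNAL = InternalDatabase(
    {"vzops": "ops-pass"},
    profiles={
        ("system", "alice"): frozenset({"list_containers"}),
        ("internal", "vzops"): frozenset({"list_containers", "start_container"}),
        ("ldap", "bob"): frozenset({"list_containers"}),
        # carol exists in LDAP but has no profile yet
    },
)


def demo(user: str, password: str) -> Session | None:
    return login(user, password, SYSTEM, INTERNAL, EXTERNAL, host_admin="root")


if __name__ == "__main__":
    for u, p in [("root", "r00t-pass"), ("bob", "bob-pass"),
                 ("carol", "carol-pass"), ("root", "wrong")]:
        print(u, demo(u, p))
```

The point to take from the model is the last `login` branch: a successful bind against the external directory proves identity only, and the rights that follow are whatever profile the internal database holds for that (realm, user) pair.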