System Administration Advanced

Lab 2

Module 2 — Authentication

 Estimated Time: 15 minutes

Goals To demonstrate how custom authentication plug-ins are written.

Tasks 1. Install and configure the sample authentication plug-in.

2. Install the Netegrity plug-in.
3. Configure and test an authentication threshold.
4. Configure the repository so that all user authentication is recorded in the
repository log.
5. Reset the authentication threshold to unlimited attempts.

Background

The instructions, below, specify the train repository and the dmadmin (installation owner) account
with the password training.

If your instructor assigned you different values for the repository, installation owner account, and
password, use the instructor-provided values instead. (You wrote them down at the beginning of lab
1.)

In addition, you will need access to a user account in the repository. This lab uses studentx for the user
account. If your instructor specifies a different account, use it instead.

Steps
1. Use the sub-steps below, install and configure your repository to use the sample plug-in,
[Link], as described in the sub-steps below:
The sample plug-in [Link] is designed to authenticate three users only, called
user1, user2 and user3 with respective passwords pass1, pass2 and pass3.
Note: In production, developers could write plug-ins to implement a customized authentication
program. They give you, the administrator, the .dll file for this program. These sub-steps
show how you, the administrator, would implement the customized plug-in.

Lab 2-1
© 2008 EMC Corporation. All rights reserved.
System Administration Advanced
Lab 2

1.1. Open a command prompt window:

1.1.1. Click the icon at the bottom of the Windows Desktop or select Start 
Programs  Accessories  Command Prompt.
1.2. At the command prompt, issue the change directory command:
cd \Documentum\product\6.5\install\external_apps\authplugins\sampleauth

1.3. At the command prompt, issue the dir command. Observe that the [Link]
file is present. This script creates three users, user1, user2 and user3.
1.4. At the command prompt, run [Link] script using the command line utility
iapi32 as shown below:
iapi32 train –Udmadmin –Ptraining –[Link]

This runs the [Link] program in the train repository as user dmadmin.
1.5. Bring up the Windows Explorer file browser by right-clicking the Start button on the
Desktop; select Explore.
1.5.1. Navigate to
C:\Documentum\product\6.5\install\external_apps\authplugins\sampleauth

1.6. Copy the [Link] file to the authentication plug-in location:

C:\Documentum\dba\auth\train.

1.7. Restart the repository, using Documentum Server Manager or Windows Services. If you
need guidance to perform this step, use the sub-steps below:
1.7.1. Launch Documentum Server Manager (Start  Programs  Documentum 
Documentum Server Manager) and select the Docbase tab.
1.7.2. Select your repository, and click Stop.
1.7.3. On the Documentum Server Manager window, with the repository still selected,
click the Start button to start the repository.
1.8. With Documentum Server Manager still loaded, click the View Log button to verify that
the plug-in has running, or look in the main server log file: ( C:\Documentum\dba\log\
[Link]) for an entry starting with:
"[DM_SESSION_I_AUTH_PLUGIN_LOADED]info".
When done, close the Log window.
1.9. Launch Documentum Administrator and log in to the train repository as user1, with
password pass1.
1.10. Click the Logout button.

Lab 2-2
© 2008 EMC Corporation. All rights reserved.
System Administration Advanced
Lab 2

 You configured your repository to use the sample plug-in, [Link]!

2. Follow the sub-steps below to install the Documentum Netegrity authentication plug-in. (Of
course, in order to fully utilize this plug-in, a Netegrity Policy Server would have to be
installed.)

2.1. Using Windows Explorer, navigate to the following directory:

C:\Documentum\product\6.5\install\external_apps\authplugins\netegrity

2.2. Copy the files dm_netegrity_auth.dll and dm_netegrity_auth.ini to the

authentication plug-in directory for your repository:
C:\Documentum\dba\auth\train

2.3. Open dm_netegrity_auth.ini and examine its contents. In this file, you can set all
mandatory Netegrity parameters as necessary.
2.4. Close the file.
2.5. Copy the supporting shared library file [Link] from:
C:\Documentum\product\6.5\install\external_apps\authplugins\netegrity

to:
C:\Documentum\product\6.5\bin

2.6. Using the same procedure that you performed in step 1.7 (and its sub-steps), use
Documentum Server Manager to restart the repository. When you are finished, do not
close the Server Manager window.

2.7. In Documentum Server Manager, in the Docbase tab, with your repository selected, click
the View Log button; verify that the plug-in has been loaded by looking for an entry
starting with

[DM_SESSION_E_AUTH_PLUGIN_LOAD_ERROR] info".

Note: The error message informs you that it failed to load the plug in. If you continue to
scroll to the right, you will see that this is because “Some mandatory parameters are
missing from the initialization file…” If you were going to use the Netegrity plug-in,
you would set the parameters in the dm_netegrity_auth.ini per the Netegrity
configuration at your site.

That since there is no Netegrity Policy Server available in the classrooms, the plug-in
will fail to load as indicated in the log file.

Lab 2-3
© 2008 EMC Corporation. All rights reserved.
System Administration Advanced
Lab 2

In production, you would enter the necessary parameters into the

dm_netegrity_auth.ini file and then you would re-start the repository.

2.8. Close the log file and then close Documentum Server Manager.

 You installed the Netegrity plug-in!

3. In this part of the lab you will configure and test an authentication threshold:

 Log on as the installation owner to configure the repository to limit user authentication
attempts to 2.

 Log on as user studentx (password studentx) to test your work. (Your instructor may
indicate a different user account; if so, use it instead.)

 View the repository log (C:\Documentum\dba\log\[Link]) to see that the studentx

account has been de-activated

 Log on as the installation owner to re-activate the studentx account

If you need guidance, use the sub-steps below:

3.1. Use Documentum Administrator to log in to the train repository as user dmadmin,
password training.
3.2. In the DA left frame, select Administration  Basic Configuration  Repository.
Your repository will be displayed.
3.3. Right-click the train repository configuration object; from the pop-up menu, select
Properties. The repository configuration object properties page appears.
3.4. Scroll down to the bottom and locate the field Maximum Authentication Attempts; set
the value to 2.
3.5. Click the OK button.
3.6. Log out of the repository.
3.7. Re-start the repository. (If you need guidance, look for the steps to do this earlier in this
lab.)
3.8. Using Webtop, log in as studentx, this time using an incorrect password. (The correct
password is studentx.) You will be informed that authentication for this user has failed.
3.9. Try re-entering the incorrect password two more times. As a result, user studentx will be
de-activated and all sessions owned by studentx will be disabled. Any subsequent re-

Lab 2-4
© 2008 EMC Corporation. All rights reserved.
System Administration Advanced
Lab 2

attempts of entering the correct password will result in an error message and that the
session is closed.
3.10. Navigate to: C:\Documentum\dba\log\[Link]
3.11. Open the file. A message is entered into the server log telling the user that the account
has been de-activated and how many sessions have been disabled.
3.12. Close the file.
3.13. To re-activate this user, using DA, log in to train repository as dmadmin, password
training.
3.14. In the DA left frame, select Administration  User Management  Users. The Users
page appears.
3.15. In the User Name field, enter studentx and then click Search. The studentx user should
now appear in the main frame of DA.
3.16. Right-click the user studentx, and from the pop-up menu, select Properties. The
properties page for this user appears.
3.17. Note that this user is inactive. From the State choice box, select Active, and click OK.
3.18. Using Webtop, log in as studentx to confirm that this account has been re-activated.
(The correct password for the studentx account is studentx.)
3.19. Logout and then close Webtop.

 You have configured and tested an authentication threshold!

4. Using the sub-steps below, configure the repository so that all user authentication is recorded in
the repository log.

4.1. In the left frame of DA, select Administration  Job Management  Administration
Methods.
4.2. Scroll down to the section with the heading, Trace Methods.
4.3. Click the link for the SET_OPTIONS method. The SET_OPTIONS page appears.
4.4. Notice that the contents of the Option textbox is trace_authentication.
4.5. Select the On checkbox and click Run. This configures the repository to log
authentication attempts. The method runs and returns True to confirm that the method
has run successfully.
4.6. Click the Close button. User log on authentication is enabled and will be recorded in the
repository log file.

Lab 2-5
© 2008 EMC Corporation. All rights reserved.
System Administration Advanced
Lab 2

4.7. In DA, log out of the repository.

4.8. Login again, using DA, as user dmadmin, password training.
4.9. In Windows, navigate to: C:\Documentum\dba\log\[Link]
4.10. Examine the end of the file and notice that an entry appears that a session has been
started for user dmadmin. If you were to scroll up in this file, you would notice any such
messages for dmadmin, even though you logged in to the repository earlier as that user.
That is because before you ran the SET_OPTIONS method, authentication was not
recorded in the repository log file.
4.11. Close the file when done.

 You configured the repository so that all user authentication is recorded in the
repository log!

5. Reset the authentication threshold to unlimited attempts:

5.1. In the DA left frame, select Administration  Basic Configuration  Repository.
Your repository will be displayed.
5.2. Right-click the train repository configuration object; from the pop-up menu, select
Properties. The repository configuration object properties page appears.
5.3. Scroll down to the bottom and locate the field Maximum Authentication Attempts; set
the value to 0. By setting this value to zero, you are effectively turning off this feature.
Users will be able to have unlimited login attempts. This may be appropriate for some
environments, where this feature could be construed as a nuisance. (Recall that by
default, this feature is not enabled. You had to enable it earlier in this lab exercise.)
5.4. Click the OK button.
5.5. Log out of the repository.
5.6. Re-start the repository. (If you need guidance, look for the steps which do this, earlier
in this lab.)

 You have reset the authentication threshold!

End of Lab

Lab 2-6
© 2008 EMC Corporation. All rights reserved.