Authentication

There are two possible sources of credentials for users in an ACE installation: LDAP and a *NIX-like password file. At least one of the sources has to be configured for ACE to start correctly.

It's also possible to use both sources at the same time; users from both sources can then authenticate.

NOTE: In addition to being present in one of the configured authentication sources, a user must also have a user role definition in order to be able to authenticate. See UserRoles for more information.

Password file

The ACE security service will by default try to read user credentials through a password file located at /opt/ace/passwd inside the Content Service. There is no default password file shipped with ACE.

The password file uses the same format as *NIX /etc/passwd files:

# System users

user1:$1$SALT$YQNBYRN9kIvLkQIp4SpsO0
user2:$1$OTHERSAL$HWbaC1l6oscA8my7Tq0bi0

The password field of each password file entry has the format $1$salt$hashedPassword and can be generated using any standard *NIX toolchain such as openssl, perl or python. For example, the following generates a new password entry string using openssl and MD5:

[user@host ~]# openssl passwd -1 -salt SALT PASSWORD
$1$SALT$YQNBYRN9kIvLkQIp4SpsO0

Any standard hashing algorithm (MD5, SHA-256, SHA-512, etc.) is supported.

To add a custom password file, mount it at /opt/ace/password in the Content Service container.

Configuration files such as the password file contain sensitive information. Always store such files securely and limit access to trusted staff. When mounting the password file inside Docker or Docker Swarm, it's advisable to use Docker Secrets.
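Before mounting a password file, a quick check of its entry format and file permissions catches the mistakes this section warns about. The following script is an added example, not part of the ACE documentation or product: it accepts the $1$ (MD5), $5$ (SHA-256) and $6$ (SHA-512) entry types named above, flags MD5 entries and files readable by other users, and mints SHA-512 entries with openssl (the -6 option assumes OpenSSL 1.1.1 or later).

```shell
#!/bin/sh
# Added example, not part of the ACE documentation: lint an ACE-style password
# file before mounting it, and mint entries with SHA-512-crypt instead of the
# MD5-crypt ($1$) shown above. Assumes openssl 1.1.1+ for the -6 option.

# Print "USER:$6$salt$hash" for a new entry. Usage: ace_passwd_entry USER PASSWORD
ace_passwd_entry() {
    # 16-character salt drawn from the crypt salt alphabet [A-Za-z0-9./]
    salt=$(openssl rand -base64 24 | tr -dc 'A-Za-z0-9./' | cut -c1-16)
    printf '%s:%s\n' "$1" "$(printf '%s' "$2" | openssl passwd -6 -salt "$salt" -stdin)"
}

# Lint a password file. Returns 0 when every non-comment, non-empty line is
# "user:$id$salt$hash" with id 1 (MD5), 5 (SHA-256) or 6 (SHA-512), and the
# file is not readable by "other". MD5 entries only produce a warning.
lint_ace_passwd() {
    file=$1 rc=0 n=0
    # Positions 8-10 of "ls -l" output are the permission bits for "other".
    case $(ls -l "$file" | cut -c8-10) in
        ---) ;;
        *) echo "$file is accessible to other users; restrict it (chmod 600)" >&2; rc=1 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac   # skip blank lines and comments
        user=${line%%:*}
        hash=${line#*:}
        if [ -z "$user" ] || [ "$user" = "$line" ]; then
            echo "line $n: missing 'user:' prefix" >&2; rc=1; continue
        fi
        case $hash in
            '$1$'*'$'?*) echo "line $n: '$user' uses MD5-crypt; prefer \$6\$ (SHA-512)" >&2 ;;
            '$5$'*'$'?*|'$6$'*'$'?*) ;;
            *) echo "line $n: '$user' has no recognised \$id\$salt\$hash field" >&2; rc=1 ;;
        esac
    done < "$file"
    return $rc
}
```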

LDAP

In addition to a password file, ACE can also authenticate users against LDAP. However, only simple authentication is supported at this time. We recommend communicating with the LDAP server over SSL (ldaps).

Please see the Content Service configuration for more information.

Notes

ACE system users

IMPORTANT: ACE needs access to a system user at runtime to function properly. If your LDAP server cannot be guaranteed to have consistent uptime, keep this user in an ACE password file (see above) instead.

The system user is called admin; it is the default administrative user shipped with ACE. You can set any custom password for it.

Credentials source precedence

ACE always looks up user credentials in the ACE password file before trying any configured LDAP server. Note, however, that if a user is defined in both sources with conflicting passwords, any authentication attempt for that user with the password defined in LDAP will be treated as an authentication FAILURE.