Axigen authentication system

The Axigen Solution: Overview & Architecture

The authentication process is one of the most common security measures used by any service. Axigen clusters also rely on authentication and support a wide variety of algorithms as well as password encryption.

Any Axigen cluster can make use of the two authentication methods available:

  • Internal Authentication - the account information defined and stored on the back-end is used to process the authentication request.
  • LDAP Authentication - the LDAP directory tree is used to search, retrieve and process the authentication request.

While using the internal Axigen authentication system, the password is retrieved by the server from its local user information data. The password is defined during the account creation process and can be changed at a later time, either by you or by the user from within the WebMail interface. This method does not require an LDAP server to be set up but is very slow by comparison.

LDAP authentication is very widely used in cluster setups because of the speed gain. Also, while using LDAP, the mapping system can be assigned to it and the resulting setup becomes a centralized configuration point for the proxy services. In addition, the LDAP server may already exist and contain the entries required, in which case the configuration overhead is reduced considerably.

LDAP authentication isolates the process from the actual Axigen account definition. This can produce unexpected results, such as different passwords in the directory and on the back-end server. While a user can still change their password from the WebMail interface, this password will not be updated in the LDAP tree, and the user can easily become confused. To prevent such issues, a thorough synchronization process must be implemented within the cluster.

This type of authentication overrides the standard Axigen authentication method. As such, using LDAP to authenticate sessions for one service will also disable the internal authentication method for all services. LDAP authentication is performed using an LDAP connector that must be defined in advance. The directory tree must also be configured before the authentication process will succeed.

The authentication process consists of three stages:

  • LDAP query - During this stage, Axigen performs a lookup in the directory tree and expects the account password information as the result.
  • Credential information matching - Using the information gathered during the first stage, Axigen compares what the client provided against what LDAP returned.
  • Session authentication - If the above process was successful the session becomes authenticated.

If any of the above stages fail for some reason, the session will not be authenticated. Thus, for the account that requests an authentication, the LDAP server must be able to return an entry and a valid password property.

If LDAP authentication is enabled and an account exists on any back-end system but has not yet been defined in the LDAP directory tree, the user will not be able to authenticate, even though the account will still be able to receive messages.

To prevent issues while using the LDAP authentication method, consistency checks should be run against the user database available in the directory tree and the Axigen internal user list. If the two are not identical, some users will not be able to use the services.

Similarly, if more than one entry is returned during an LDAP search for any account, only the first result will be taken into consideration. This may result in abnormal cluster behavior, and some service users might not be able to log in.
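The three-stage flow and the consistency check described above, as an added illustration that is not Axigen's own code: the directory entries, the back-end account list, the `userPassword` attribute name and the plain-text comparison are all constructed assumptions, and the lookup deliberately keeps only the first match so that the duplicate-entry failure mode is visible.

```python
import hmac
from typing import Dict, List, Optional

# Constructed stand-in for LDAP search results (not real directory data).
# The attribute name "userPassword" and plain-text values are assumptions.
LDAP_ENTRIES: List[Dict[str, str]] = [
    {"uid": "alice", "userPassword": "correct horse"},
    {"uid": "bob"},                                    # no password attribute
    {"uid": "carol", "userPassword": "first-entry"},
    {"uid": "carol", "userPassword": "second-entry"},  # duplicate uid
]

# Constructed stand-in for the Axigen internal account list on the back-end.
AXIGEN_ACCOUNTS: List[str] = ["alice", "bob", "carol", "dave"]


def ldap_query(uid: str) -> Optional[Dict[str, str]]:
    """Stage 1: look the account up in the directory tree.
    Only the first matching entry is used, mirroring the behaviour the
    text describes when a search returns more than one result."""
    matches = [e for e in LDAP_ENTRIES if e.get("uid") == uid]
    return matches[0] if matches else None


def authenticate(uid: str, supplied: str) -> str:
    """Run the three stages and report where the request stopped."""
    entry = ldap_query(uid)
    if entry is None or "userPassword" not in entry:
        return "rejected: no entry or no password attribute returned"
    # Stage 2: credential matching, constant-time to avoid timing leaks.
    if not hmac.compare_digest(entry["userPassword"], supplied):
        return "rejected: credentials do not match"
    return "authenticated"                             # Stage 3


def consistency_check() -> Dict[str, List[str]]:
    """Flag back-end accounts that will fail LDAP authentication:
    missing from the tree, duplicated, or without a password attribute."""
    counts: Dict[str, int] = {}
    for e in LDAP_ENTRIES:
        counts[e["uid"]] = counts.get(e["uid"], 0) + 1
    missing = [a for a in AXIGEN_ACCOUNTS if a not in counts]
    duplicated = sorted(u for u, n in counts.items() if n > 1)
    no_password = [e["uid"] for e in LDAP_ENTRIES
                   if e["uid"] in AXIGEN_ACCOUNTS and "userPassword" not in e]
    return {"missing": missing, "duplicated": duplicated,
            "no_password": no_password}
```

Running `consistency_check()` before enabling LDAP authentication surfaces every account in the constructed data that would be rejected at stage 1, which is the situation the text warns about.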

Authenticating users against an existing Active Directory service can be achieved by configuring the LDAP connector used by Axigen to point at that directory service. This setup must be carefully tuned to match the current directory configuration.