Authentication Script

The authentication script is a special event that is raised whenever a user logs in, and then periodically to re-authenticate existing sessions without user interaction. To reach it, open the data view of the Application configuration record, go to Advanced, then System Events; one of the events in that list is called Authenticate.

You may need to create the Advanced section first. After that, select System Events from the drilldown list on the hamburger menu:

There, add a System Event and select Authenticate:

The script is invoked every time a user logs in, with #input carrying a UserName field for the user and a Password field for the entered password. The script should return an inserted &root/Users record with the necessary details filled in, in particular GroupNames, a comma-separated list of security roles. WorkerRoles should be set to the same value as GroupNames, or to a comma-separated list of roles that identify the user rather than apply permission-based filters.

A list of the security functions available in DbfScript can be found here; all Active Directory-specific functions are in the domain: namespace.

The following is an example authentication script that validates the user against Microsoft Active Directory:

elevate on
// look the user up in Active Directory; the last two arguments are the credentials
// used to connect to the directory, so here the user's own credentials are used and
// a wrong password makes the lookup fail
var #adUser = domain:GetUser("some_domain", #input/UserName, #input/Password, #input/UserName, #input/Password)
// refuse the login if the lookup returned nothing (assumed: a failed lookup yields
// an empty result; if it raises an error instead, the login is refused as well)
if NotExists(#adUser) then
    error "Bad username / password"
end if
// see if this user already exists in our user database
var #urec = load(&root/Users[UserID=#input/UserName] with top 1)
var #isNew = false
if NotExists(#urec) then
    set #urec = new record for &root/Users
    set #isNew = true
end if
// transfer some information from the Active Directory entry
set #urec/UserID = #input/UserName
set #urec/FullName = #adUser/name
set #urec/EMail = #adUser/mail
set #urec/PowerUser = true
// we don't store the password in the database; Active Directory remains the only place it is checked
set #urec/Password = ""
// insert the new record, or save the existing one without firing events
if #isNew then
    insert #urec at &root/Users
else
    save noevents #urec
end if
// use some logic to determine which security roles they should have,
// in this case based on the department; other users keep whatever roles are stored
if (Contains(#adUser/department, "Operations")) then
    // replace the stored roles with the ones for this department
    delete at GetPath(#urec)/Roles
    insert record ( RoleID="Operations" ) at GetPath(#urec)/Roles
end if

// build GroupNames from the roles now stored in the database
set #urec/GroupNames = "RestrictUserAccess," + str:Join(List(load(GetPath(#urec)/Roles) ,"RoleID"), ",", ",")
set #urec/WorkerRoles = #urec/GroupNames

return #urec

Notice that this script uses domain:GetUser to retrieve the profile of the given user. You can also use domain:Update(domain, user, data, domainAdmin, domainAdminPassword) to modify details in the user's profile programmatically.

You can also optionally hard-code an administrator login override, which is useful during development. To do that, insert script like the following at the beginning of your authentication script:

// hard-coded admin override: only active while no admin record exists in the Users tab
if (#input/UserName="admin") or (#input/UserName="Admin") then
    if NotExists(load(&root/Users[UserID="admin"] with top 1)) then
        if (#input/Password = "your-admin-password") then
            var #urec = new record for &root/Users
            set #urec/UserID = "admin"
            set #urec/FullName = "admin"
            set #urec/EMail = ""
            set #urec/Admin = true
            call SetVal(#urec, "IsAdmin", true)
            set #urec/PowerUser = true
            // no password is stored on the returned record
            set #urec/Password = ""
            return #urec
            exit script
        else
            error "Bad username / password"
        end if
    end if
end if

...and replace your-admin-password with a password of your choice. You could also wrap it in str:Encrypt and str:Decrypt so it is not visible in plain text in the script, but note that this only hides it from casual inspection: the script itself still has to decrypt it, so anyone who can read and run the script can recover it. Because the override only runs when no admin record exists, adding an admin user in the Users tab disables the hard-coded password. Remove the override entirely before the application goes live.

If the script returns null, the system instead falls back to the details stored in the Users tab (including the stored password) to authenticate the user.

To deny a user access to the system, throw an error with the error statement. The message is displayed to the user and the login is refused. Use the same generic message for an unknown user name and for a wrong password, so the login form does not reveal which accounts exist.
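The decision logic of the Active Directory script and of the admin override above, written as a small Python model so it can be exercised offline. This is an added example, not DbfScript and not part of the product: FAKE_DIRECTORY stands in for domain:GetUser with made-up users, a dict stands in for &root/Users, AuthError stands in for the error statement, and the admin override compares a salted PBKDF2 digest instead of the plaintext password the snippet above uses (the "your-admin-password" value is the same placeholder as above). The "admin"/"Admin" check is generalised to a case-insensitive match.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the Active Directory lookup (domain:GetUser).
# Keys are (user name, password); values mimic the name/mail/department
# attributes the page's script reads. All values are made up.
FAKE_DIRECTORY = {
    ("alice", "alice-pw"): {"name": "Alice Example", "mail": "alice@example.test",
                            "department": "Operations"},
    ("bob", "bob-pw"): {"name": "Bob Example", "mail": "bob@example.test",
                        "department": "Finance"},
}


class AuthError(Exception):
    """Counterpart of DbfScript's `error` statement: the login is refused."""


def fake_domain_get_user(username, password):
    """Stand-in for domain:GetUser: returns None when the credentials are wrong."""
    return FAKE_DIRECTORY.get((username, password))


def admin_secret(password, salt):
    """Salted PBKDF2 digest; replaces the plaintext compare of the page's override."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Hypothetical development-only admin password (the page's "your-admin-password").
# Only the salt and digest would need to live in the script, not the password.
ADMIN_SALT = os.urandom(16)
ADMIN_DIGEST = admin_secret("your-admin-password", ADMIN_SALT)


def check_admin_password(password):
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(admin_secret(password, ADMIN_SALT), ADMIN_DIGEST)


def roles_for(ad_user):
    """The page's rule: a department containing 'Operations' grants that role."""
    return ["Operations"] if "Operations" in ad_user.get("department", "") else []


def authenticate(inp, users, directory=fake_domain_get_user):
    """Model of the Authenticate event.

    inp   : dict with UserName and Password (DbfScript's #input)
    users : dict UserID -> record dict, standing in for &root/Users;
            updated in place like the insert/save in the page's script
    Returns the user record (the script's return value) or raises AuthError.
    """
    username, password = inp["UserName"], inp["Password"]
    generic = "Bad username / password"  # one message for every failure

    # Admin override: only while no admin record exists in the Users table
    if username.lower() == "admin" and "admin" not in users:
        if not check_admin_password(password):
            raise AuthError(generic)
        return {"UserID": "admin", "FullName": "admin", "EMail": "", "Admin": True,
                "IsAdmin": True, "PowerUser": True, "Password": "",
                "GroupNames": "", "WorkerRoles": ""}

    ad_user = directory(username, password)
    if ad_user is None:
        raise AuthError(generic)  # unknown user and wrong password look the same

    rec = users.setdefault(username, {"UserID": username, "Roles": []})
    rec["FullName"] = ad_user["name"]
    rec["EMail"] = ad_user["mail"]
    rec["PowerUser"] = True        # as in the page's script
    rec["Password"] = ""           # the directory password is never stored locally

    mapped = roles_for(ad_user)
    if mapped:                     # the page's script replaces stored roles only in this case
        rec["Roles"] = mapped

    rec["GroupNames"] = ",".join(["RestrictUserAccess"] + rec["Roles"])
    rec["WorkerRoles"] = rec["GroupNames"]
    return rec
```

Calling authenticate({"UserName": "alice", "Password": "alice-pw"}, {}) returns a record whose GroupNames is "RestrictUserAccess,Operations"; a wrong password, an unknown user, and a bad admin password all raise the same AuthError, and once an "admin" key exists in the users dict the override is skipped and the login goes through the directory like any other.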


v4.2.0.956 (beta)