The following process allows you to configure exacqvision permissions and privileges for accounts that exist on an OpenLDAP/Kerberos server:

Similar documents
The following process allows you to configure exacqvision permissions and privileges for accounts that exist on an Active Directory server:

1 Introduction. Ubuntu Linux Server & Client and Active Directory. Page 1 of 14

1 Introduction. Windows Server & Client and Active Directory.

exacqvision Web Service User Manual (updated December 15, 2014)

exacqvision Web Service User Manual (updated April 04, 2016)

INUVIKA TECHNICAL GUIDE

Configuring Sponsor Authentication

CA Performance Center

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2

PineApp Surf-SeCure Quick

Using Active Directory as your Solaris Authentication Source

Security Provider Integration Kerberos Authentication

IIS, FTP Server and Windows

VMware Identity Manager Administration

LDAP User Guide PowerSchool Premier 5.1 Student Information System

Extending Microsoft Windows Active Directory Authentication to Access HP Service Health Reporter

RHEL Clients to AD Integrating RHEL clients to Active Directory

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

LDaemon. This document is provided as a step by step procedure for setting up LDaemon and common LDaemon clients.

Field Description Example. IP address of your DNS server. It is used to resolve fully qualified domain names

PriveonLabs Research. Cisco Security Agent Protection Series:

Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory

How To - Implement Single Sign On Authentication with Active Directory

Upgrading User-ID. Tech Note PAN-OS , Palo Alto Networks, Inc.

Integrating EJBCA and OpenSSO

HP Device Manager 4.7

Guide to SASL, GSSAPI & Kerberos v.6.0

Dynamic DNS How-To Guide

CYAN SECURE WEB HOWTO. NTLM Authentication

Using OpenSSH in a Single Sign-On Corporate Environment with z/os, Windows and Linux

Basic Configuration. Key Operator Tools older products. Program/Change LDAP Server (page 3 of keyop tools) Use LDAP Server must be ON to work

Enterprise Apple Xserve Wiki and Blog using Active Directory. Table Of Contents. Prerequisites 1. Introduction 1

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

Single sign-on websites with Apache httpd: Integrating with Active Directory for authentication and authorization

ENABLING SINGLE SIGN-ON: SPNEGO AND KERBEROS Technical Bulletin For Use with DSView 3 Management Software

Configuring and Using the TMM with LDAP / Active Directory

User Source and Authentication Reference

Active Directory 2008 Implementation. Version 6.410

exacqvision IP Camera Quickstart Guide

Configuring User Identification via Active Directory

HP Device Manager 4.6

VMware Identity Manager Administration

Chapter 3 Authenticating Users

Linux Boot Camp. Our Lady of the Lake University Computer Information Systems & Security Department Kevin Barton Artair Burnett

Skyward LDAP Launch Kit Table of Contents

Active Directory Integration

SUSE Manager 1.2.x ADS Authentication

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

Chapter Thirteen (b): Using Active Directory Integration

How to Implement the X.509 Certificate Based Single Sign-On Solution with SAP Netweaver Single Sign-On

Integrating PISTON OPENSTACK 3.0 with Microsoft Active Directory

Dell Proximity Printing Solution. Installation Guide

1 Requirements. 2 Configuration. Axis-compatible Camera Application Integration.

Summary. How-To: Active Directory Integration. April, 2006

Big Data Operations Guide for Cloudera Manager v5.x Hadoop

White Paper. Installation and Configuration of Fabasoft Folio IMAP Service. Fabasoft Folio 2015 Update Rollup 3

NAS 109 Using NAS with Linux

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

Install and Configure Oracle Outlook Connector

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Windows 2000 Active Directory Configuration Guide

SCOPTEL WITH ACTIVE DIRECTORY USER DOCUMENTATION

Integrating with IBM Tivoli TSOM

Dell KACE K1000 System Management Appliance Version 5.4. Service Desk Administrator Guide

Configuring Hadoop Security with Cloudera Manager

Author: Joshua Meckler

Integrating OID with Active Directory and WNA

Using LDAP for User Authentication

SAP SINGLE SIGN-ON AND SECURE CONNECTIONS VIA SNC ADAPTER. Author : Matthias Schlarb, REALTECH system consulting GmbH. matthias.schlarb@realtech.

Security Provider Integration Kerberos Server

System Administration and Log Management

Architecting the Future of Big Data

Livezilla How to Install on Shared Hosting By: Jon Manning

Kerberos and Windows SSO Guide Jahia EE v6.1

SSSD Active Directory Improvements

Configuring idrac6 for Directory Services

Dell Compellent Storage Center

Defender Token Deployment System Quick Start Guide

NSi Mobile Installation Guide. Version 6.2

HRSWEB ActiveDirectory How-To

Centrify Identity and Access Management for Cloudera

Reconfiguring VMware vsphere Update Manager

Univention Corporate Server. Extended domain services documentation

Setting Up Specify to use a Shared Workstation as a Database Server

Authentication Methods

Configuring Squid Proxy, Active Directory Authentication and SurfProtect ICAP Access

JAMF Software Server Installation Guide for Linux. Version 8.6

Deploying PostgreSQL in a Windows Enterprise

User Manual. (Updated April 08, 2016) Information in this document is subject to change without notice.

BusinessObjects 4.0 Windows AD Single Sign on Configuration

Install, Configure and Admin Guide

Quick Start Guide. Sendio System Protection Appliance. Sendio 5.0

Getting Started Guide

SharePoint AD Information Sync Installation Instruction

F-Secure Messaging Security Gateway. Deployment Guide

INTRODUCING SAMBA 4 NOW, EVEN MORE AWESOMENESS

Transcription:

Ubuntu Linux Server & Client and OpenLDAP/Kerberos 1 Configuration The following process allows you to configure exacqvision permissions and privileges for accounts that exist on an OpenLDAP/Kerberos server: 1. On the OpenLDAP/Kerberos server, ensure that your installed schema includes the following object types: inetorgperson (RFC 2798) organization (RFC 2256) krbprincipalaux (provided by the Ubuntu krb5-kdc-ldap package) 2. On the OpenLDAP/Kerberos server, ensure that your user accounts exist as inetorgperson objects, and that each account is also marked with the krbprincipalaux auxiliary object type. Ensure that each user account has the following attribute values: cn -- the user account's display name (for example, "John Smith"). krbprincipalname -- the user account's Kerberos principal name (for example, "john.smith@realm"). entryuuid -- the unique identifier for the user account, managed by the slapd daemon 3. On the OpenLDAP/Kerberos server, ensure that your user groups exist as organization objects and that each group has the following attribute values: o -- the group's display name (for example, "Marketing") entryuuid -- the unique identifier for the group, managed by the slapd daemon 4. On the OpenLDAP/Kerberos server, ensure that your user accounts are associated with groups via an "o" attribute for each group. Each inetorgperson object can have as many associated "o" attribute values as desired. The attribute value should resemble "o=engineers", for example, instead of "o=engineers,dc=exacq,dc=test,dc=com." If installing an exacqvision server, complete steps 5 through 10. Otherwise, skip to step 11. 5. On the exacqvision server or client computer, configure your DNS domain name. Configure the hostname file with your fully qualified host name, as in the following example: /etc/hostname evserver.exacq.test.com. 6. Edit your hosts file with your fully qualified host name preceding localhost, as in the following example: 7. Restart the system. /etc/hosts 127.0.0.1 evserver.exacq.test.com localhost 8. Open a terminal window and confirm the fully qualified host name using the following command: dnsdomainname --fqdn Europe/Middle East/Asia Page 1 of 5

9. If installing an exacqvision server, add a service principal name on the OpenLDAP/Kerberos server for the exacqvision server. To do this, open a terminal window on the OpenLDAP/Kerberos server and execute the following command (using your information where appropriate): sudo kadmin.local ank e rc4-hmac:normal EDVR/evserver.exacq.test.com ktadd k./ev.keytab EDVR/evserver.exacq.test.com quit NOTE: All text after the forward slash should be lower case, and EDVR must be upper case. 10. Copy the keytab file to a location from where it can be installed on the Linux exacqvision Server later in this procedure. The following steps apply to all situations. 11. Note the fully qualified host name (hostname.primary-dns-suffix) and IP address of the exacqvision server computer that you will connect to, the OpenLDAP/Kerberos domain, and the fully qualified host name and IP address of the OpenLDAP/Kerberos server. For example: evserver.exacq.test.com 192.168.1.16 EXACQ.TEST.COM kdc.exacq.test.com 192.168.1.70 12. If necessary, install Kerberos. It is recommended that you use MIT Kerberos V5, also known as KRB5. Installing krb5-user also installs krb5-config, which is valid for all Ubuntu variations. To install KRB5 (or to verify that it is already installed), go to the Start menu and select System, Administrator, and Symptic Package Manager. Click Reload. Search for krb5-user; if it is not already checked, install it. NOTE: If you purchased the system from Exacq after 2009, MIT Kerberos V5 is likely already installed. 13. Make sure the fully qualified host names of the OpenLDAP/Kerberos server and exacqvision server can be resolved. To do this, open a terminal window, ping the fully qualified host names, and look for a reply. Make sure the IP addresses match the IP addresses of the servers as noted in the previous step. NOTE: If the fully qualified host names cannot be resolved for either server, configure your hosts file with the fully qualified host names, as in the following example: /etc/hosts 192.168.1.16 evserver.exacq.test.com 192.168.1.70 kdc.exacq.test.com Alternatively, you can add the OpenLDAP/Kerberos server to the DNS Server list. To do this, go to the Start menu and select System, Administrators, and Network. Europe/Middle East/Asia Page 2 of 5

14. Configure the /etc/krb5.conf file. To do this, add a stanza for your OpenLDAP/Kerberos domain and make the OpenLDAP/Kerberos domain the default realm. For example: [libdefaults]... default_realm = EXACQ.TEST.COM [realms] EXACQ.TEST.COM = { kdc = kdc.exacq.test.com admin_server = kdc.exacq.test.com } NOTE: Using fully qualified host names instead of IP addresses is recommended because IP addresses can be subject to change. Also, be sure you enter the OpenLDAP/Kerberos domain name in upper case, as shown in the example. 15. Make sure the Kerberos configuration works correctly. Use the kinit command to obtain a ticket for your Kerberos login, and then verify it using klist. To release the ticket, use kdestroy. 16. If desired, download and install the exacqvision Client software on the exacqvision client computer from. You must be logged in with root privileges to do this. If installing an exacqvision server, complete the following steps. Otherwise, skip to Connecting to exacqvision Servers. 17. Copy the keytab file that you created earlier to the Linux exacqvision server and install it to /etc/krb5.keytab. If you do not already have a keytab file on the exacqvision server, which could happen if you do not use any other Kerberos-related software on the server, copy the file to /etc/krb5.keytab. If you already have a keytab file on the exacqvision server, you can merge the new keytab into the existing keytab as follows: sudo ktutil rkt /etc/krb5.keytab rkt ev.keytab wkt /etc/krb5.keytab quit 18. Open a terminal window and run sudo klist k to verify the service principal name, which should look similar to the following example: EDVR/evserver.exacq.test.com@EXACQ.TEST.COM 19. On the exacqvision server computer, download and install the exacqvision software from. You must be logged in with root privileges to do this. The software automatically starts after the installation is complete. Europe/Middle East/Asia Page 3 of 5

20. If installing an exacqvision server, license the exacqvision server as an Enterprise system. To do this, complete the following steps: A. Install the exacqvision Client software on the server if it is not already installed. B. Run the exacqvision Client and connect to the local server (127.0.0.1) using the default admin account. C. Open the System Setup page for the exacqvision server you want to license and select the System tab. D. Enter the valid Enterprise license as generated by exacq Technologies and click Apply in the License section. 21. If installing an exacqvision server, configure the directory settings. To do this, complete the following steps: A. In the exacqvision Client software, select the ActiveDirectory/LDAP tab on the System Setup page. B. Select the Enable Directory Service checkbox C. Select OpenLDAP/Kerberos in the LDAP Schema drop-down list. D. Enter the OpenLDAP/Kerberos server s IP address in the Hostname/IP Address field. E. Select the SSL checkbox if you want LDAP operations to use secure SSL. If so, see the Configuring SSL on an exacqvision Server document. NOTE: On Ubuntu Linux systems purchased from Exacq before April 2010, you must use Synaptic Package Manager to download packages that are required for SSL support. To do this, the exacqvision Server must be able to connect to the Internet. F. Verify the OpenLDAP/Kerberos server s connection port. Unless you have reconfigured your OpenLDAP/Kerberos server, the port should be 636 when using SSL, or 389 without SSL. G. Enter the LDAP Base DN, the container of all directory user accounts or groups that you want to map in the exacqvision software. For example, if the domain were exacq.test.com, the LDAP Base DN might be: CN=Users, DC=exacq, DC=test, DC=com NOTE: Check with the system administrator for the correct LDAP Base DN for your situation. H. Enter the LDAP Binding DN, the fully qualified distinguished name (DN) of a directory user who has access to view the records of the directory user accounts. It is recommended that you enter the Administrator user account as the LDAP Binding DN. For example, if the domain were exacq.test.com, the LDAP Binding DN of the Administrator account would be: CN=Administrator, CN=Users, DC=exacq, DC=test, DC=com I. Enter the password for the account entered in the previous step. J. To prevent any non-directory users that have previously been created from connecting to the exacqvision server (optional), deselect Enable Local User Accounts. K. Click Apply to connect. An indicator on the ActiveDirectory/LDAP tab displays the success or failure of the connection attempt. Europe/Middle East/Asia Page 4 of 5

2 Connecting to exacqvision Servers You can connect to your Enterprise exacqvision servers from the Linux exacqvision Client software in any of the following ways: You can use a local exacqvision username and password. If you have already executed the kinit command to log in to the domain, you can use your system login without entering a username or password. In this case, leave the username and password fields empty on the Add Systems page, select Use Single Sign-On, and click Apply. If using the Linux version of the exacqvision Client, you can use any domain user account. Use the kinit command to log in to the domain. Enter the account name in user@realm format as the username (for example, "test.user@exacq.test.com"). You do not need to enter a password in the exacqvision Client. The realm must be in upper case, as shown in the example. Do NOT select Use Single Sign-On with this login method. NOTE: If you attempt to connect to an exacqvision server using your system login without first executing kinit, the connection will fail. 3 Adding exacqvision Users from the OpenLDAP/Kerberos Database When the exacqvision server is appropriately configured and connected to your OpenLDAP/Kerberos server, the Users page and the Enterprise User Setup page each contain a Query LDAP button that allows you to search for users or user groups configured in OpenLDAP/Kerberos. You can manage their exacqvision server permissions and privileges using the exacqvision Client the same way you would for a local user. On the System Information page, the Username column lists any connected OpenLDAP/Kerberos users along with their OpenLDAP/Kerberos origin (whether each user was mapped as an individual or part of a user group) in parentheses. Europe/Middle East/Asia Page 5 of 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information