This chapter describes how EDQ can be integrated with external user management systems based on the LDAP standard, thus allowing Administrators to manage user accounts externally to EDQ.
This chapter includes the following sections:
EDQ can be integrated with LDAP servers in two ways:
Using Oracle Platform Security Services (OPSS), configured on Oracle WebLogic Server
Directly, using connection settings configured in EDQ configuration files
Once EDQ is integrated with LDAP, external user management works in a consistent way. You map groups of users that exist on the LDAP system ("External Groups") to EDQ groups by using the Administration pages on the EDQ Launchpad. With these mappings, you grant users in the external groups permissions to the EDQ server.
Currently, EDQ is certified for integration with the following LDAP server technologies:
Oracle Internet Directory (OID) 11g.
Microsoft Active Directory (AD) for Windows Server 2000, 2003 and 2008.
Open LDAP 2.4.
Novell eDirectory 8.8.
In integrations with Active Directory, EDQ supports Single Sign-On (SSO). Authorized users of the AD domain can access EDQ without the need to log in to the EDQ client applications.
In a default installation of EDQ on WebLogic Server, EDQ is integrated with Oracle Platform Security Services (OPSS) by default. EDQ users are managed by an OPSS identity store that is configured in WebLogic Server.
The integration is controlled by a property in the login.properties file. This file is installed in the security directory of the base configuration directory (oedq_home/security).
A setting in login.properties specifies the default mapping of the LDAP administrators group to the EDQ administrators group. The default mapping ensures that a WebLogic Server Administrator can access the Administration application on the EDQ Launchpad to map other external groups on LDAP to the appropriate internal groups.
Provided the WebLogic Server identity store or a configured LDAP server has a group with the name of Administrators, there is no need to adjust any of the settings in login.properties. If the LDAP server does not contain a group with the name of Administrators, you can do either of the following:
Create a group named Administrators on the LDAP server, and then restart the server that manages EDQ in WebLogic Server.
Modify the default administrators group mapping. See "To adjust the default Administrators group mapping" for instructions.
To adjust the default Administrators group mapping
This procedure creates a local login.properties file to override the base login.properties file, and then adjusts the default Administrators group mapping in the new file.
Create a subdirectory called security in the local configuration directory (oedq_local_home/security).
Copy the login.properties file from the security directory of the base configuration directory (oedq_home/security) to oedq_local_home/security.
Look for the following default mapping:
opss.xgmap = Administrators -> Administrators
Note:
If the name of the EDQ administrators group was changed to something other thanAdministrators, the entry will appear similar to the following:
opss.xgmap = Administrators -> name_of_EDQ_admin_group
Change the default mapping to map the name of the external administrators group to the name of the EDQ administrators group.
opss.xgmap = name_of_external_group -> name_of_EDQ_admin_group
Note:
The property accepts a delimited list of mappings. For example, the following syntax is valid for mapping the "DQ Admins" and "DQAdministrators" external groups to the EDQ "Administrators" group:opss.xgmap = group1 -> Administrators, group2 -> mygroup
Save the file.
Restart the application server.
On an Apache Tomcat server, EDQ provides direct integration with LDAP servers, but it is not enabled by default. To enable the integration, you use a template to create and configure a login.properties file in the local configuration directory. The settings in this file override those in the login.properties file in the base configuration directory.
To configure direct integration with an LDAP server
Navigate to the security directory in the EDQ local configuration directory (oedq_local_home/security).
Open the login.properties.template file with a text editor. This template contains sample settings that correspond to the different supported LDAP providers.
Uncomment and edit the parameters that correspond with the LDAP server in the EDQ installation environment. The profile associated with an LDAP configuration provides information about the schema in the LDAP server that represents users and groups. EDQ provides the following built-in profiles:
adsldap: Microsoft Active Directory
inetorgoidldap: Oracle Internet Directory (OID)
inetorgopenldap: OpenLDAP using inetOrgPerson style schemas
Save the file as login.properties in the same directory.
Restart the application server.
Note:
Properties of these built-in profiles can be overridden where required by using options specified in the following format:ldap.profile.propertyname.Other schemas can be supported by creating new profiles or extending existing profiles.
EDQ supports integration with multiple realms. Each realm can use different LDAP server technologies. For example, a single EDQ server may support external authentication from both a Microsoft Active Directory (AD) realm and an Oracle Internet Directory (OID) realm, if required. This section describes the login.properties properties that are normally set globally (for all realms).
Where noted, you can override the global settings at the realm level. Realm-level settings are more specific and always override global settings. (See Section 2.5, "Configuring Realm Settings."
Table 2-1 Global LDAP Settings
| Property | Description | Example Value | Mandatory? |
|---|---|---|---|
|
|
A comma-separated list of realm names, representing active realm configurations. The specified name of each realm must correspond with the realm-specific properties later in the file, in the format A realm configuration may be retained but disabled by removing it from this list. |
|
Yes. |
|
|
The path to a Kerberos keytab file. A single keytab must be defined at the global level. A single keytab can contain entries for several realms. |
If a specific path is not specified, the Operating System default path is used. |
No. Only necessary to enable SSO (where users do not need to log in to EDQ user applications) in environments where the EDQ server is not itself on the AD domain. |
|
|
If set to If set to May be overridden at the realm level. |
|
No. If not set, the default value is |
|
|
Specifies the Kerberos Service Principal Name, used for SSO. May be overridden at realm level. |
|
No. If not set, the default value is |
|
|
Enables the use of x509 certificates (client SSL certificates) for client authentication in EDQ. There is a small performance cost associated with setting this to May be overridden at realm level. |
|
No If not set, the default is |
|
l |
Defines whether or not to use the primary group (for example the "Domain Users" group in AD). May be overridden at realm level |
|
No. This should be set to |
This section provides details of the properties that are normally set at the realm level. Realm settings may be specified with either of the following methods:
In the login.properties file by using the syntax realm_name.property_name = value. This format enables you to specify settings for different realms within a single file, each set of properties having a different realm_name prefix.
In a file named realm_name.properties in a realms subdirectory of the security directory. This method requires a separate realm_name.properties file for each realm that you want to configure. The realm_name prefix is not needed for properties in the realm_name.properties file.
In a similar manner, profile settings and overrides can be specified in the login.properties file by using the syntax profile_name.property_name = value or, alternatively, in separate files named profile_name.properties in the security/profiles folder.
| Property | Description | Example Value | Mandatory? |
|---|---|---|---|
|
|
The LDAP (AD or Kerberos) domain name. |
|
Yes |
|
|
Specifies the LDAP profile name used to configure parameters using shipped built-in settings. |
|
Yes |
|
|
Specifies the user authentication method, if SSO is not used. Possible values are |
|
Yes |
|
|
If the |
|
No. |
|
|
Specifies an alternative user-friendly label for the realm to display in the dialog when logging into user applications. |
myrealm |
No. If not used, the |
|
|
Specifies whether or not the realm supports Kerberos/GSSAPI for SSO. Possible values are |
|
No. If not set, defaults to |
|
|
A comma or space separated list of LDAP servers (either names or IP addresses). Each server listed can include a specific port using the syntax |
|
No. If not specified, a DNS lookup is used to look for LDAP servers |
|
|
Base of LDAP hierarchy. |
|
No. In many servers (including AD, this can be found from the RootDSE (the Root Directory Service Entry). |
|
|
Sets the security mode for LDAP connection. Possible values are |
|
No
|
|
|
Sets the authentication mode for LDAP connection. Possible values are |
|
No If not specified, this defaults to |
|
|
The LDAP username used to authenticate EDQ with the LDAP server. This property must be set if |
|
Yes, if authentication mode is No, if the mode is |
|
|
The password associated with the LDAP username. |
|
Yes, if authentication mode is No, otherwise |
|
|
Specifies how the EDQ server connects to the LDAP server. If set, this parameter overrides the |
|
No. If not set, the default value is the one specified at the Global level. |
|
|
Name of the default group that contains all EDQ users, used for display of users in issue, alert, and case assignment lists. |
|
Recommended If not set, this defaults to |
|
|
Additional filter for groups; an LDAP search filter. |
This will include all groups with a name beginning with |
Recommended If not set, no filter is used and all groups will be displayed on the External Groups configuration page. |
In installations where Single Sign-On (SSO) is not used and the auth realm property is set to ldap, it is necessary to set the auth.method realm property to specify how user credentials are validated. The possible values for this property are as follows. They are described in the following sections.
This setting directs the EDQ server to connect to the LDAP server to verify the user credentials. This is the default setting.
Where the bind method is used, set the following additional properties:
auth.binddn: Specifies the actual user name that is used in the connection attempt. If omitted, a value in the form username@realmname is submitted. Otherwise, the value should be in the form search: dn, which uses the distinguished name (DN) of the user for the login.
auth.bindmethod: Specifies the authentication method that is used to connect to the LDAP server. The possible values are simple or digest-md5. The digest-md5 value encrypts the password on the network and is the recommended setting.
Note:
Ifauth.bindmethod is set to digest-md5 for an EDQ installation that is integrated with Active Directory, the auth.binddn property must be set to search: sAMAccountName.This setting directs the EDQ server to look up the user record on the LDAP server and then compare the submitted password to the stored password.
Note:
This method cannot be used with Active Directory servers.The LDAP attribute that stores the password must be specified with the following property:
auth.password = search: attr
where: attr is the LDAP attribute.
This setting uses the LDAP compare method to validate the password. This method is more secure than auth.method = bind because a session is not created in the LDAP server.
The LDAP attribute that stores the password is specified with the auth.attribute property, which has a default value of userPassword. This default is the correct value for Oracle Internet Directory LDAP integrations.
By default, data transmitted over LDAP is unencrypted. Either Secure Sockets Layer (SSL) or Transport Layer Security (TLS) can be used to provide encryption.
LDAP over SSL (LDAPS) employs a properly formatted certificate. If used, the server certificate must define a valid host name and must be trusted by the Java Runtime Environment (JRE) that is running EDQ.
TLS uses the Start TLS LDAP extension. In TLS implementations, "relaxed checks" are performed on the LDAP server certificate, meaning that the LDAP server does not need to be trusted by the JRE that is running EDQ.
This section provides the following example configurations for the following LDAP technologies:
Section 2.8.1, "Example of Oracle Internet Directory LDAP Configuration"
Section 2.8.2, "Example of Microsoft Active Directory LDAP Configuration"
Section 2.8.4, "Example of Novell eDirectory LDAP Configuration"
Note:
The settings shown in these examples are included in thelogin.properties.template file with an additional # character at the beginning of each line. Remove this character to uncomment each property to make it active.This section describes typical login.properties settings required to integrate EDQ with an Oracle Internet Directory LDAP server.
In this example, the LDAP user and password are transmitted in the clear (unencrypted) over the network. Oracle recommends the use of SSL (example3.ldap.security = ssl) or TLS (example3.ldap.security.tls) to encrypt LDAP traffic.
# Oracle Internet Directory Example realms = example3 # Map the realm to a domain name example3.realm = EXAMPLE3.COM # Disable GSS example3.gss = false # Authorize user by using LDAP bind to server example3.auth = ldap # Use distinguished name for authentication example3.auth.binddn = search: dn # The LDAP server example3.ldap.server = server3 example3.ldap.auth = simple # The OID user credentials to be used by EDQ ([email protected]) example3.ldap.user = cn=intuser,cn=users,dc=example3,dc=com example3.ldap.pw = password # The base distinguished name is example3.com example3.ldap.basedn = dc=example3,dc=com # Use InetOrgPerson Style LDAP schema example3.ldap.profile = inetorgoidldap # The name of the user group containing all EDQ users example3.ldap.prof.defaultusergroup = group3 example3.ldap.security = ssl
This section describes typical login.properties settings required to integrate EDQ with a Microsoft Active Directory LDAP server.
In an AD environment, EDQ can be configured to permit SSO by users in the same domain. This example does not configure SSO, because it does not include the clientcreds=true property and setting.
# Active Directory Example realms = example1 # Map the realm to a domain name example1.realm = EXAMPLE1.COM # Authorize user by using LDAP bind to server; # for Active Directory it must be ldap example1.auth = ldap # The authentication to use, in this case digest-md5 using # the plain account name (example1.auth.binddn). example1.auth.bindmethod = digest-md5 example1.auth.binddn = search: sAMAccountName # Use Transport Layer Security. Requires a X.509 certificate to be # installed on the domain controller. example1.ldap.security = tls # The LDAP Schema to use. For Active Directory adsldap is the # standard schema to use example1.ldap.profile = adsldap # The name of the user group containing all EDQ users. example1.ldap.prof.defaultusergroup = group1
This section describes typical login.properties settings required to integrate EDQ with an Open LDAP server.
The path to the keytab (specified by the example2.keytab property in the example) can either be an absolute path or simply the file name. If the file name is provided, the system assumes the file is found in the security directory in the base configuration directory (oedq_home/security).
If the inetOrgPerson schema is used, the example2.ldap.profile property in the example should be set to inetorgopenldap.
# OpenLDAP Example realms = example 2 # Map the realm to a domain name example2.realm = EXAMPLE2.COM # Do not use local machine credentials to connect to the LDAP server example2.clientcreds = false # Specify the Service Principal Name to use example2.spn = host/[email protected] # The keytab where the SPN can be found. example2.keytab = kerberos.ktab # Authorize user by using LDAP bind to server example2.auth = ldap # Use simple authentication, using the distinguished name example2.auth.bindmethod = simple example2.auth.binddn = search: dn # Specify the LDAP server example2.ldap.server = ldapserver.example2.com # Specify the base distinguished name. example2.ldap.basedn = dc=example2,dc=com # Use the LDAP schema based on RFC2307, user are assumed to have # the posixAccount object class example2.ldap.profile = rfc2307ldap # Use Transport Layer Security example2.ldap.security = tls # The name of the user group containing all EDQ users example2.ldap.prof.defaultusergroup = group2
This section describes typical login.properties settings required to integrate EDQ with a Novell eDirectory LDAP server and what to do if a novell.properties file is required.
Section 2.8.4.1, "Example Settings for login.properties"
Section 2.8.4.2, "Creating a novell.properties File"
The following are typical settings for integrating EDQ with Novell eDirectory.
# Novell eDirectory Example # Map the realm to a domain name example4.realm = EXAMPLE4.COM # The base distinguished name is example4.com example4.ldap.basedn = o=example4 # Authorize user by using LDAP bind to server example4.auth = ldap # Use distinguished name for authentication example4.auth.binddn = search: dn # The LDAP server example4.ldap.server = server4 example4.ldap.auth = simple # Use Novell Style LDAP schema example4.ldap.profile = novell # The name of the user group containing all EDQ users example4.ldap.prof.defaultusergroup = group4 # Use Transport Layer Security example4.ldap.security = tls # The eDirectory user credentials to be used by EDQ example4.ldap.user = cn=intuser,ou=users,o=example4 example4.ldap.pw = password
The EDQ installation does not come with a preconfigured profile for integrating with Novell eDirectory LDAP. If required, a novell.properties file must be created and saved in the security/profiles directory in the local configuration directory (oedq_local_home). The following is an example of this file.
# Simple LDAP profile for the Novell eDirectory server
# ----------------------------------------------------
idmatch = (.*)@${realm:.*}
userattributes = uid givenName sn mail telephoneNumber
usersearch = (objectClass=inetOrgPerson)
userfilter = +(uid={1})
userkey = GUID
userfind = +(GUID={0})
username = uid
# group lookup
groupsearch = (&(objectClass=groupOfNames)(cn=*))
groupkey = GUID
groupfind = +(GUID={0})
groupnamefind = +(cn={0})
# secondary user/group relationships
memberattr = member
membertarget = dn
# certificate support
certuserfilter = +(userCertificate={der})
# vcard
vcard.fn = fullName cn
vcard.org = o
vcard.tel.work = telephoneNumber
vcard.email.pref = mail
# support attributes
binaryattrs = GUID
You can customize the message that is presented to users if their password expires or is about to expire. By default, a standard dialog is displayed. This feature is available for users of Active Directory and any other LDAP server that supports the standard LDAP password policy response control.
To customize the message, you add variables to the login.properties file in the security directory of the local configuration directory (oedq_local_home/security).
The following variables can be used in the password messages:
{0} - The standard pre-configured Password Expired message.
{1} - The name of the user.
{2} - The number of days left before the password expires.
The realm name for each value is also displayed using the standard global realms property. The displayed realm name may be overridden using the realm_name.label property.
Do either of the following to configure the Password Expired message.
To use the standard Password Expired message, enter the following value in the login.properties file:
realm_name.extra.pwexpired.message = {0}
To enter a custom Password Expired message, with a link to a specific URL for changing the password, use the following code in the login.properties file. The message text, formatting and URL in this code are included as examples for you to edit as required. The HTML formatting is optional.
realm name.extra.pwexpired.message = <html><font size="+1">Dear <em>{1}</em><p>Your password has expired. Click <a href="[URL]">here</a> to set a new password.</p></font></html>
Use the following property in the login.properties file to create a custom Password Expiring message. Substitute the correct realm name and message text. The HTML formatting is optional.
realm_name.extra.pwexpiring.message = <html><font size="+1">Dear <em>{1}</em><p>Your password will expire {2,choice,0#today|1#tomorrow|1<in {2} days}.<p>Click <a href="[URL]">here</a> to manage your password settings.</p></font></html>
If you do not set a Password Expiring message, users will see the normal login screen if their password is about to expire.
By default, EDQ inherits the password expiry time from the LDAP server. By default, the number of days before the expiry time that users see the Password Expiring message is set to seven days. If required, you can set a custom expiry time and warning threshold in the login.properties file to override the settings in the LDAP server.
To set a custom password expiry time, add the following value to the login.properties file:
realm_name.ldap.prof.passwordhandler.passwordage = Number_of_days/hours/seconds
To set a custom warning threshold, add the following value:
realm_name.ldap.prof.passwordhandler.passwordwarning = Number_of_days/hours/seconds
For each value, you can specify a number of days, hours or seconds. For example:
For 30 days set the value to 30 or 30d.
For 240 hours enter 240h.
For 3000 seconds enter 3000s.
Parent and child domains in Active Directory can be defined in the login.properties file by defining separate realms for each domain. However, if these domains have full trust relationships, it is possible to define only the parent domain as a realm, as shown in the following examples.
The following example assumes there is a parent domain EXAMPLE.COM and a child domain CHILD.EXAMPLE.COM. It provides example settings that illustrate how to configure login.properties for parent and child domains with only the parent domain configured as a realm. An explanation of this example follows the code segment.
# Global settings
clientcreds = true
realms = internal, parent
ldap.prof.useprimarygroup = false
# Realm settings
# Update match pattern to allow child domain components
child.ldap.prof.idmatch = (?i)(.*)@(?:.*\\.)?${realm:.*}
parent.realm = EXAMPLE.COM
parent.auth = ldap
parent.auth.bindmethod = simple
parent.auth.binddn = search: dn
parent.ldap.security = tls
parent.ldap.profile = adsldap
parent.ldap.prof.defaultusergroup = edqusers
parent.ldap.referral = follow
The settings for the parent domain are mostly the same as for a single AD domain. The significant differences are the following entries in the code.
This property and its follow setting enable LDAP referrals. In a referral, when a search completes on the parent domain, it issues a referral reply that causes the search to continue in the child domain(s). For example, a single search can return all the groups in the parent and child domains.
This setting uses the idmatch property to select the realm based on the identity of a user. After a Kerberos/SSO handshake, the server obtains the identity of the client from the handshake and then determines which realm is associated with the user. The property is a regular expression, where ${realm_name:.*} is replaced with the realm_name from login.properties. The default value for single-domain AD is:
(?i)(.*)@${realm_name:.*}
In this case, the value expands to:
(?i)(.*)@EXAMPLE.COM
The value will match any user in the domain, such as [email protected]. The updated version adds the optional child domain component and would also match names like [email protected].
A username and password are authenticated against AD by attempting a bind as that user. With parent and child domains, a user from the child domain can connect to the parent domain controller. However, the common DIGEST-MD5 bind method does not work across domains, so set the bind method to simple and specify that the bind user name is the Distinguished Name (DN) of the user. For example:
CN=John Doe,OU=testusers,DC=parent,DC=com or CN=Jane Doe,OU=localusers,DC=child,DC=parent,DC=com
The default user group is used to find all the users who may need to use the EDQ applications. Users in this group appear in issue and case assignment lists, among other places in the EDQ user interface. The default group can be in either domain but must have Universal Scope, allowing it to contain members from both domains.
Groups that are used to assign EDQ permissions can be created as Universal and contain members from both domains, or they can be created as Global in each domain and contain users from the same domain.
The list shown on the Administration > External Groups configuration page contains groups from both domains. If no filter was set up, the page displays two of each of the standard groups (two Domain Users, two Backup Operators, and so forth). If you create EDQ-related groups in both domains, give them different names in each domain so that you can distinguish them in the list.
When only the parent domain is configured as a specific realm, EDQ treats both parent and child domains as a single realm. In EDQ the identity of a user is user@REALM. Given an identity of [email protected], for example, users from both domains will appear with @EXAMPLE.COM in assignment lists and in the user lists from the System Information Data Store.
The format of the display name of the user is configurable. You can set it to the userPrincipalName attribute of each user, for example, by using the following line:
parent.ldap.prof.userdisplayname = userPrincipalName
When EDQ is installed on a UNIX (Solaris, Linux, AIX, or HP-UX) server, you can configure it to use AD for user authentication by making LDAP connections to the AD server and performing user lookups.
In a basic configuration, the connection to AD is made with a user name and password configured in login.properties. The connection can be protected using SSL or TLS if necessary. SSO, in which the user logs into Windows and then does not need to log again into EDQ, is not available in this configuration since the EDQ server is not on the AD domain.
To enable SSO, the EDQ server must be set up to enable Kerberos authentication from the client PC. This authentication is achieved using the standard GSSAPI token exchange mechanism (RFC 4121) as follows:
The client contacts the Domain Controller (DC) to request access to a service provided by the server application.
The response from the DC is encoded into a token sent to the server by the client.
The server validates this token and generates another token to send to the client.
The token exchange can continue until client and server have established a secure context.
In practice, this exchange never requires more than one token in either direction.
At startup the server application sets up accept credentials, which it uses to initialize its half of the security context. When the server is running as the local system account on Windows, these credentials are obtained from the account's login context.
If the server is running on UNIX, it must use an account in AD to set up these credentials. It validates the request using the encrypted account password read from a Kerberos key table (keytab). Setting up a valid keytab is an essential step in configuring SSO on UNIX.
For more information on Kerberos Shared Libraries, see the "Security Tips" chapter.
A Kerberos key table, or keytab, contains encrypted passwords for one or more Kerberos principals. The DC normally supports a number of different encryption algorithms (DES3, AES, RC4 etc) and the entry for a principal will include keys for each of these algorithms. The client will pick the best algorithm available for communication with the DC.
The service requested using GSSAPI is identified by a Service Principal Name (SPN). Normally this will be a reference to a particular service type at a machine hostname. Examples of service types are HOST (for general access, such as SSH), HTTP (for SSO from browsers) and LDAP (for LDAP servers such as AD domain controllers). An SPN is usually displayed in the format service/hostname; for example:
HOST/testserver.example.com
Each entry in a keytab also includes a Key Version Number (KVNO). This is incremented whenever the password for the principal is changed in the DC. The keytab must contain the correct KVNO for authentication to succeed.
On most UNIX systems, the default location of the system keytab is:
/etc/krb5.keytab
In the EDQ login.properties configuration file, the location of the keytab may be set by the following property:
keytab = Path to keytab
If the path is not absolute, it is relative to the security folder containing login.properties.
The klist command can be used to list the contents of a keytab:
klist -k [file]
klist -ke [file]
klist -keK [file]
A file name can be provided if the keytab is not in the default location. The first form only lists the principals; the second also includes the encryption algorithms, and the third also includes the key values in hexadecimal.
Following is sample output using klist:
Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal -------------------------------------------------------------------------- 2 host/[email protected] (DES cbc mode with CRC-32) 2 host/[email protected] (DES cbc mode with RSA-MD5) 2 host/[email protected] (ArcFour with HMAC/md5) 2 host/[email protected] (DES cbc mode with CRC-32) 2 host/[email protected] (DES cbc mode with RSA-MD5) 2 host/[email protected] (ArcFour with HMAC/md5) 2 [email protected] (DES cbc mode with CRC-32) 2 [email protected] (DES cbc mode with RSA-MD5) 2 [email protected] (ArcFour with HMAC/md5) 2 HTTP/[email protected] (DES cbc mode with CRC-32) 2 HTTP/[email protected] (DES cbc mode with RSA-MD5) 2 HTTP/[email protected] (ArcFour with HMAC/md5) 2 HTTP/[email protected] (DES cbc mode with CRC-32) 2 HTTP/[email protected] (DES cbc mode with RSA-MD5) 2 HTTP/[email protected] (ArcFour with HMAC/md5)
GSSAPI requires that an SPN has a service component (before the /), though there is no requirement that the rest is a valid host name or that the service is meaningful. An SPN in the following form is equally valid:
hello/alpha.beta
In a normal Kerberos system using a standard Kerberos Domain Controller (KDC) each SPN is a separate principal with a different password. In AD, SPNs are essentially aliases of a single account, stored as values of the AD servicePrincipalName LDAP attribute. When a computer account is created in AD, SPNs for the HOST service are created automatically. If additional services such as IIS or SQLserver are installed on the server, additional SPNs will be added to the account.
The Windows setspn command can be run on an AD server to manage the SPNs for an account. For example:
setspn -A HTTP/testserver.example.com testserver$
setspn -A hello/alpha.beta alpha.beta
The first command adds an HTTP SPN to the machine account for testserver; the second adds an SPN to a normal user account.
The Apache Directory Studio LDAP browser can be used to check on the SPNs associated with an account. If a connection to AD can be made with administrator privileges, it can also be used to add servicePrincipalName values. For more information, see Section 2.11.4.2, "Apache Directory Studio."
In a normal Kerberos system, keytab entries are created using the ktadd subcommand of the Kerberos administration tool, kadmin. AD does not provide a Kerberos administration server so other approaches are required.
The keytab contains the encrypted password for the account so for each method either the password for the account must be known in advance, or it must be run with privileges to change the account password.
The method to use depends on the system configuration. Existing options include:
Samba: If the system has been registered with AD using the Samba suite, the net ads keytab command can be used to create and update the keytab. This works because Samba has set the password for the account and stored it in a secret location.
ktpass: The Windows ktpass command can run by an AD administrator to generate keytab entries. Unless there is no other alternative, do not use this command. It is complex and very difficult to use reliably. It will update the password of the account, thus rendering any previous keytab useless.
msktutil: This is an open source application for UNIX which can be used to manage keytabs.
The Kerberos configuration (as used by commands such as kinit and the JRE) is read from a global configuration file, normally stored in the /etc/krb5.conf directory. This contains references to the Domain Controllers and mappings between DNS and Kerberos domains.
This is a simple example of such a configuration file for the domain EXAMPLE.COM:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm =false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = adsrvr01.example.com:88
kdc = adsrvr02.example.com:88
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
The [realms] section lists the KDCs by host or IP for each domain; the [domain_realm] section maps DNS host names to Kerberos domains.
The krb5.conf file must be checked and adjusted for the configuration of the target domain. If it is not possible to update a file in /etc, the file can be stored elsewhere and a system property can be used to inform the JRE where it is. To do this, edit (or create, if it does not yet exist) the jvm.properties file in the EDQ configuration directory and add the line:
java.security.krb5.conf = absolute path to modified krb5.conf file
There are two tools that can be used to examine and update LDAP accounts: Oracle Directory Services Manager (ODSM) and Apache Directory Studio.
ODSM is bundled with OID. For further information on how to use this tool for managing LDAP accounts, refer to the OID server administrators.
The Apache Directory Studio LDAP browser is a useful tool for examining and updating LDAP accounts.
To create a new account, use the following procedure:
Launch the browser and close the Welcome window.
Select New Connection... in the LDAP menu to create a new connection.
Enter a name for the connection and the host name of an AD server.
If the server supports TLS, select Use StartTLS Extension under Encryption Method.
In the Authentication window, enter an AD user name (in the format user@DOMAIN or SHORTDOMAIN\user) and password. The AD directory tree is then visible in the LDAP browser area
If connected as an account with Administrator-level privileges, other AD accounts can be updated. For example, to add an SPN to a normal user account, follow these steps:
Locate the user in the directory tree and click to see the user's LDAP attributes. Perform a search to find the user if there are a large number of objects.
Right-click the Attributes window and select New Attribute....
Select servicePrincipalName as the Attribute type and click Finish.
The new attribute will appear in the list. Enter the required SPN as the value and press Enter.
Note:
If this is attempted using an account that does not have Administrator privileges, it will fail at the final step when changes are committed to AD. Therefore, it is possible to practice this procedure using a normal user account without making changes.For a EDQ server configured for SSO integration with AD, a typical basic configuration of login.properties is as follows:
clientcreds = false keytab = /etc/krb5.keytab realms = internal, ad ldap.prof.useprimarygroup = false # Realm details ad.realm = DOMAIN ad.auth = ldap ad.auth.bindmethod = digest-md5 ad.auth.binddn = search: sAMAccountName ad.ldap.security = tls ad.ldap.profile = adsldap ad.ldap.auth = simple ad.ldap.user = user@DOMAIN ad.ldap.pw = password ad.ldap.prof.defaultusergroup = groupname
If the SPN used for SSO between client and server is not the default for the machine (HOST/machinename.domain@DOMAIN) then add a line like:
spn = hello/[email protected]
The SPN must be listed in the keytab.
If the keytab contains an entry for the internal machine or user account name (for example, without a service or prefix), then it is possible to use SASL and GSSAPI authentication between EDQ and the AD server. You would amend the realm details section in login.properties to:
# Realm details ad.realm = DOMAIN ad.auth = ldapad.auth.bindmethod = digest-md5 ad.auth.binddn = search: sAMAccountName ad.ldap.security = tls ad.ldap.profile = adsldap ad.ldap.spn = "accountname" ad.ldap.prof.defaultusergroup = groupname
The account name is machinename$ for a machine account or the login name for a user account.
If the keytab contains HTTP service entries for the machine, then it is also possible to use SSO for browser-based logins (administration application, dashboard, etc). To enable this, add the line:
http.gss = true
Typically, you this should set this only if all the client machines will be part of the domain. If SSO is not possible, the behavior of browsers varies. For example, Internet Explorer will show a login dialog in a pop-up window while Firefox will revert to the normal EDQ login pages.