Domain Authentication

If the developed web application requires authentication in the platform repository under a domain user, setting up such a scheme may require additional configuration of both the DBMS server and the BI server installed on Linux. Below is an example of configuring domain authentication in Ubuntu. If Oracle DBMS is used, the same settings also apply to integrated domain authentication.

NOTE. Domain authentication requires the web application to run on the Apache HTTP Server or Internet Information Services web server. Domain authentication on Apache Tomcat cannot be set up on Linux.

DBMS Server

Domain authentication is available when the server is deployed on Oracle DBMS 11.x or later, or on PostgreSQL. For Oracle, the DBMS server must first be prepared using one of the following instructions:

For PostgreSQL, set up authentication with the GSSAPI method as described in the DBMS documentation.

Setting Up BI Server of Foresight Analytics Platform

It is assumed that the DBMS server and the BI server are located on different physical servers.

First perform the following actions:

  1. Install the BI server (the required settings are applied during installation).

  2. Install and set up the Oracle client.

Example of Oracle client installation and setup

Setting Up Kerberos Client

Install the Kerberos client packages:

sudo apt-get install krb5-user krb5-config

Add the domain information to /etc/krb5.conf, for example:

    [libdefaults]
        default_realm = DOMAIN.RU

    [realms]
        DOMAIN.RU = {
            kdc = hostname1.domain.ru
            kdc = hostname2.domain.ru
        }

    [domain_realm]
        .domain.ru = DOMAIN.RU
        domain.ru = DOMAIN.RU

If kinit fails with "kinit: Generic preauthentication failure while getting initial credentials", the client and the KDC commonly could not agree on an encryption type for pre-authentication (a wrong password is reported as a separate error). The original workaround is to add legacy encryption types to /etc/krb5.conf:

    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

Caveat: RC4 and DES are weak. MIT Kerberos filters the DES types out of these lists unless allow_weak_crypto = true is also set, and releases 1.18 and later have removed DES support entirely, so this workaround only works on old clients against old domains. Prefer the AES types (aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96), which Active Directory has supported since Windows Server 2008, and add a legacy type only if the account or the KDC genuinely offers nothing else.
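To make the enctype check repeatable, here is an added example (not code from the product documentation) that audits a krb5.conf for the weak types named above and prints the AES replacement. It assumes a POSIX sh with grep, sed and tr and the [libdefaults] layout shown above; the KRB5_AUDIT variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the product documentation): audit /etc/krb5.conf
# for weak Kerberos encryption types and show the AES replacement. Assumes a
# POSIX sh with grep/sed/tr and the [libdefaults] layout shown above; the
# KRB5_AUDIT variable and the function names are this example's own.

WEAK_ENCTYPES='rc4-hmac|arcfour-hmac|arcfour-hmac-md5|des-cbc-crc|des-cbc-md5|des-cbc-md4|des3-cbc-sha1|des3-hmac-sha1'

# Print every enctype listed in default_tkt_enctypes, default_tgs_enctypes or
# permitted_enctypes, one per line (comments stripped, lists split on blanks/commas).
krb5_enctypes() {
    sed -e 's/[#;].*$//' "$1" \
      | grep -Ei '^[[:space:]]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[[:space:]]*=' \
      | sed -e 's/^[^=]*=//' \
      | tr ' ,\t' '\n\n\n' \
      | sed -e '/^[[:space:]]*$/d' || true
}

# Print the weak enctypes present (deduplicated); empty output means none.
krb5_weak_enctypes() {
    krb5_enctypes "$1" | grep -Eix "($WEAK_ENCTYPES)" | sort -u || true
}

# 0 when allow_weak_crypto is enabled (MIT krb5 needs it for any DES type).
krb5_allow_weak_crypto() {
    sed -e 's/[#;].*$//' "$1" \
      | grep -Eiq '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*(true|yes|1)'
}

# Return 0 if the file lists no weak enctypes; otherwise report them and return 1.
krb5_check_enctypes() {
    weak=$(krb5_weak_enctypes "$1")
    if [ -z "$weak" ]; then
        return 0
    fi
    printf 'weak enctypes in %s: %s\n' "$1" "$(printf '%s' "$weak" | tr '\n' ' ')" >&2
    if krb5_allow_weak_crypto "$1"; then
        printf 'allow_weak_crypto is on: the DES types are actually usable by this client\n' >&2
    else
        printf 'allow_weak_crypto is off: the DES types are filtered out, so they fix nothing\n' >&2
    fi
    return 1
}

# The corrected [libdefaults] fragment: AES only, which Active Directory has
# offered since Windows Server 2008. Omitting the enctype lines entirely and
# letting the library defaults apply is equally good on a current client.
krb5_aes_fragment() {
    cat <<'EOF'
[libdefaults]
    default_realm = DOMAIN.RU
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
EOF
}

# Usage: KRB5_AUDIT=/etc/krb5.conf sh krb5_audit.sh
if [ -n "${KRB5_AUDIT:-}" ]; then
    if krb5_check_enctypes "$KRB5_AUDIT"; then
        echo "no weak enctypes in $KRB5_AUDIT"
    else
        echo "replace the enctype lines with:"
        krb5_aes_fragment
    fi
fi
```

Run it as KRB5_AUDIT=/etc/krb5.conf sh krb5_audit.sh after applying the workaround; a non-zero exit with the weak list on stderr means the legacy types are still in place.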

Setting Up Oracle Client

Add the following lines to sqlnet.ora:

    SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
    SQLNET.KERBEROS5_CONF_MIT=TRUE
    SQLNET.KERBEROS5_CONF=/etc/krb5.conf

SQLNET.KERBEROS5_CONF_MIT=TRUE tells the Oracle client that the file named in SQLNET.KERBEROS5_CONF is in MIT Kerberos format, so the realm and KDC settings above are shared between the client and the Oracle network layer.

Setting Up Apache

In addition to the main Apache HTTP Server setup, which is performed during the BI server package installation, perform the following additional setup.

Setting up the mod_auth_kerb module:

Install the mod_auth_kerb module, which authenticates the user at the server. The module's home page is http://modauthkerb.sourceforge.net/. Note that upstream development of mod_auth_kerb stopped years ago and mod_auth_gssapi is its maintained successor in most distributions; the directives below apply to mod_auth_kerb only, so check that the package is still available for your release.

In Ubuntu, the module is in the standard repositories; install it with:

    sudo apt-get install libapache2-mod-auth-kerb

It is assumed that the keytab file for the HTTP service is located at /etc/apache2/http.keytab and is readable by the www-data user. The keytab holds the service's long-term key, so restrict it to that user (for example owner root, group www-data, mode 0640) and never leave it world-readable.

After installing and enabling the module, edit the settings file /etc/apache2/mods-enabled/auth_kerb.conf as follows (replace <server> with the name of the server where the BI server of Foresight Analytics Platform is deployed):

    # Enable the Negotiate (SPNEGO) method. The browser must support it and trust the site.
    KrbMethodNegotiate on
    # Enable password-based (Basic) authentication for Kerberos v5 as a fallback.
    # The domain password then travels in the Authorization header, so serve the site over HTTPS only.
    KrbMethodK5Passwd on
    # If set to off, authentication control is passed on to other modules.
    # Use only if you really know what you are doing.
    KrbAuthoritative on
    # One or more Kerberos realms (separated by spaces) to authenticate against.
    # Defaults to the default realm from the local Kerberos configuration.
    KrbAuthRealms DOMAIN.RU
    # Verify received tickets against the local keytab; this prevents KDC spoofing attacks.
    # It is on by default. Set it to off only for testing purposes. You have been warned.
    KrbVerifyKDC on
    # The service name Apache uses for authentication.
    # The key for this principal must be stored in the keytab.
    KrbServiceName HTTP/<server>.domain.ru@DOMAIN.RU
    # Location of the Kerberos V5 keytab file; the "default keytab" from the Kerberos configuration is used if not specified.
    # The file must be readable by the Apache process and should be separate from other keytabs on the system.
    Krb5Keytab /etc/apache2/http.keytab
    # Save the user's (delegated) credentials in a credentials cache for the request,
    # so that the server process can act on the user's behalf.
    KrbSaveCredentials on
    # Always offer Basic authentication regardless of KrbMethodK5Passwd and pass authentication on to lower modules if Basic headers arrive.
    KrbDelegateBasic off
    # Set to on to have Kerberos map principal names to system user names via auth_to_local.
    KrbLocalUserMapping off

Add the following lines to /etc/apache2/sites-enabled/000-default.conf (the file name may be without .conf), inside the site's <VirtualHost> block:

    ServerName <server>.domain.ru

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        AuthType KerberosV5
        Require valid-user
    </Directory>

The ServerName must match the host part of KrbServiceName, otherwise Negotiate fails even with a valid keytab. With KrbMethodK5Passwd on, an AuthName directive is also expected in this block, since mod_auth_kerb uses it as the realm string of the Basic challenge.
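Before restarting Apache it is worth checking the points above mechanically. The following is an added example (not code from the product documentation) that verifies the keytab permissions, the agreement between KrbServiceName and ServerName, and, when klist is installed, that the keytab holds the principal. It assumes a POSIX sh with ls, sed and grep; the paths, the APACHE_KRB_CHECK variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the product documentation): pre-flight checks for
# the mod_auth_kerb configuration above. Assumes POSIX sh with ls/sed/grep;
# klist (krb5-user) is optional. Paths, variable and function names are this
# example's own assumptions.

# Permission string of a file (e.g. -rw-r-----), portable via ls -ld.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# 0 if the keytab is not world-accessible and not group-writable: it holds the
# HTTP service's long-term key, so root:www-data 0640 (or stricter) is the target.
keytab_mode_ok() {
    case "$(file_mode "$1")" in
        ?????-?---) return 0 ;;   # group w bit clear, all "other" bits clear
    esac
    return 1
}

# Value of the first occurrence of an Apache directive in a config file,
# with comment lines stripped.
apache_directive() {
    sed -e 's/#.*$//' "$2" \
      | grep -Ei "^[[:space:]]*$1[[:space:]]" \
      | head -n 1 \
      | sed -e "s/^[[:space:]]*$1[[:space:]]*//" -e 's/[[:space:]]*$//'
}

# Host part of a service principal such as HTTP/bi.domain.ru@DOMAIN.RU.
principal_host() {
    printf '%s' "$1" | sed -e 's#^[^/]*/##' -e 's/@.*$//'
}

# 0 if KrbServiceName in auth_kerb.conf names the same host as ServerName in
# the site config. mod_auth_kerb acquires credentials for exactly that
# principal, so a mismatch breaks Negotiate even though the keytab is valid.
service_name_matches() {
    svc=$(apache_directive KrbServiceName "$1")
    srv=$(apache_directive ServerName "$2")
    [ -n "$svc" ] && [ -n "$srv" ] && [ "$(principal_host "$svc")" = "$srv" ]
}

# 0 if the keytab contains the principal (skipped with a notice when klist is
# absent), so a missing key is caught before Apache starts.
keytab_has_principal() {
    if ! command -v klist >/dev/null 2>&1; then
        echo "klist not installed; skipping keytab principal check" >&2
        return 0
    fi
    klist -k "$1" | grep -Fq " $2"
}

apache_krb_check() {
    keytab=$1; authconf=$2; siteconf=$3; rc=0
    keytab_mode_ok "$keytab" \
        || { echo "FAIL: $keytab is world-accessible or group-writable" >&2; rc=1; }
    service_name_matches "$authconf" "$siteconf" \
        || { echo "FAIL: KrbServiceName host differs from ServerName" >&2; rc=1; }
    keytab_has_principal "$keytab" "$(apache_directive KrbServiceName "$authconf")" \
        || { echo "FAIL: principal not found in $keytab" >&2; rc=1; }
    return $rc
}

# Usage: APACHE_KRB_CHECK=1 sh apache_krb_check.sh
if [ "${APACHE_KRB_CHECK:-0}" = 1 ]; then
    apache_krb_check /etc/apache2/http.keytab \
        /etc/apache2/mods-enabled/auth_kerb.conf \
        /etc/apache2/sites-enabled/000-default.conf \
      && echo "OK"
fi
```

The permission test deliberately reads the mode string from ls rather than a stat flag, so it behaves the same on GNU and BSD userlands; the ownership (root:www-data) is left to the administrator because the expected group name is site-specific.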

Setting up the coworker mpm module:

Correct operation of Kerberos authentication in Apache requires the modified coworker MPM module instead of the worker module. It is needed to isolate the authentication processes of different users from each other.

  1. Unpack the archive with the mpm module into /usr/lib/apache2.

  2. Create a symbolic link /usr/sbin/apache2 pointing to /usr/lib/apache2/mpm-coworker/apache2.

  3. Add the following settings to /etc/apache2/apache2.conf. Apache does not accept a comment on the same line as a directive, so the explanations are placed on their own lines:

    <IfModule mpm_coworker_module>
        # expected number of simultaneously working users
        StartServers 2
        MinSpareThreads 1
        MaxSpareThreads 50
        ThreadsPerChild 10
        MaxRequestsPerChild 0
        # timeout in seconds after which a process can be reused by a new user
        ExpireTimeout 3600
        # enable per-user process separation (disabled by default)
        ChildPerUser On
    </IfModule>

Setting Up LDAP

Install the following packages to work with Active Directory (the libldap package name follows the library version; on newer Ubuntu releases it is libldap-2.5-0):

    sudo apt-get install libldap-2.4-2 libsasl2-modules-gssapi-mit

The libsasl2-modules-gssapi-mit package supplies the SASL GSSAPI mechanism, which lets LDAP binds use the Kerberos ticket instead of a password. Then add the Active Directory information to /etc/ldap/ldap.conf:

    BASE ou=group,dc=domain,dc=ru
    URI ldap://hostname1.domain.ru ldap://hostname2.domain.ru

Active Directory access can be checked without Apache: initialize the domain user's credentials cache with kinit, then run axis2_http_server under the same local user that ran kinit, so that the server finds that credentials cache.
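The check just described, written out as a script, as an added example that is not part of the product documentation. It assumes a POSIX sh, kinit and klist from krb5-user, ldapwhoami from the OpenLDAP client tools (a package the page does not name) and axis2_http_server on the PATH; the function names and the two inputs (domain user, realm) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the product documentation): the "check Active
# Directory access without Apache" step above as a script. Assumes POSIX sh,
# kinit/klist from krb5-user, ldapwhoami from the OpenLDAP client tools (a
# package the page does not name), and axis2_http_server on PATH. The function
# names and the two inputs (domain user, realm) are this example's own.

# Principal from klist output ("Default principal: user@REALM").
ccache_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal:[[:space:]]*//p' | head -n 1
}

# Realm part of user@REALM.
principal_realm() {
    printf '%s' "$1" | sed -e 's/^.*@//'
}

# 0 if the ticket cache belongs to a principal in the expected realm, i.e. the
# realm Apache accepts via KrbAuthRealms; catches a kinit done against another
# realm or a stale cache left behind by a different account.
ccache_realm_ok() {
    p=$(ccache_principal "$1")
    [ -n "$p" ] && [ "$(principal_realm "$p")" = "$2" ]
}

# Run the page's check in order, stopping at the first failing step.
ad_precheck() {
    user=$1; realm=$2
    # 1. initialize the credentials cache for the domain user
    kinit "$user@$realm" || { echo "kinit failed for $user@$realm" >&2; return 1; }
    # 2. confirm what the cache holds before trusting it
    cache=$(klist) || return 1
    ccache_realm_ok "$cache" "$realm" \
        || { echo "ticket cache is not for realm $realm" >&2; return 1; }
    # 3. GSSAPI bind to the URIs in /etc/ldap/ldap.conf; on AD the reply is the
    #    bound identity (u:DOMAIN\user), proving LDAP accepts the ticket
    ldapwhoami -Y GSSAPI -Q || { echo "GSSAPI bind to Active Directory failed" >&2; return 1; }
    # 4. start the BI server in this same session, as the user who ran kinit,
    #    so it picks up the same credentials cache
    axis2_http_server
}

# Usage: AD_PRECHECK_USER=ivanov AD_PRECHECK_REALM=DOMAIN.RU sh ad_precheck.sh
if [ -n "${AD_PRECHECK_USER:-}" ] && [ -n "${AD_PRECHECK_REALM:-}" ]; then
    ad_precheck "$AD_PRECHECK_USER" "$AD_PRECHECK_REALM"
fi
```

Step 3 is the one that separates a Kerberos problem from an LDAP problem: if kinit succeeds but the GSSAPI bind fails, the ticket is fine and the fault is in /etc/ldap/ldap.conf, the SASL GSSAPI module, or the directory's view of the client host.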

The repository settings (the Metabases.xml or registry.reg file) must have integrated domain authentication enabled: Authentication="2".

Setting Up Internet Information Services

The setup of a web application deployed on a web server running Windows is described in the article Setting Up Domain/Integrated Domain Authentication on ASP.NET Web Server. The relevant operations are the PP.xml file setup (item 5), enabling delegation (item 7), and browser setup (item 8).

See also:

Advanced Settings