When the repository security subsystem is generated, users and groups are created in the security manager. To let users log in to a repository with domain or integrated domain authentication, set up the settings.xml file first and then add the domain users or groups in the security manager.
Foresight Analytics Platform gets information about domain security subjects from the domain directory service or global directory that must be set up in the computer network. Interaction with the directory service is executed via the LDAP/LDAPS protocol.
If the directory service of the current domain (the global directory of the current network) is based on Active Directory, and Foresight Analytics Platform runs on Windows OS, no additional settings are required to connect to this service.
If the directory service is located on a Linux OS server, or it is required to connect to a directory service in a network other than the current one (Linux or Windows OS server), execute the following operations depending on the operating system in use:
Linux OS:
Install the necessary packages depending on the Linux OS version:
Debian-based distributions:
sudo apt install libldap-2.4-2 libsasl2-modules-gssapi-mit
RedHat-based distributions:
sudo yum install openldap openldap-clients
ALT Linux:
sudo apt-get install openldap-common
Add information about the directory service in the /etc/ldap/ldap.conf file for Debian-based and RedHat-based distributions, in the /etc/openldap/ldap.conf file for ALT Linux:
BASE dc=...,dc=...
URI ldap[s]://<IP address or server domain name>:<port>
Where:
BASE. Domain components. All necessary information can be obtained from the administrator of the network in which the server is located.
URI. Directory service server URL. Specify the ldap scheme if the server accepts plain TCP connections, or the ldaps scheme if TLS/SSL is used. The default port numbers are 389 for ldap and 636 for ldaps. To work with subdomains via the main domain controller, specify port 3268 (global directory).
In the settings.xml file, set the mapping between directory service attributes and security subject attributes of Foresight Analytics Platform, and specify the user credentials for connecting to the directory service. If required, connect additional controllers for domains or subdomains.
Windows OS:
Download and start the OpenSSL installer. OpenSSL is installed to the default folder: C:\Program Files\OpenSSL-Win64.
Add the path to the bin folder, C:\Program Files\OpenSSL-Win64\bin, to the PATH system variable.
In the settings.xml file, set the mapping between directory service attributes and security subject attributes of Foresight Analytics Platform, and specify the user credentials for connecting to the directory service. If required, connect additional controllers for the main domain controller or subdomains.
Determine the settings that govern work in the current network and the connection parameters for the various domains in the OpenLDAP and Kerberos configuration files. The setup is executed according to the OpenLDAP and Kerberos documentation. The defined settings should take into account the parameters of the current computer network and must be coordinated with the network administrator.
If authentication should work using the GSSAPI protocol on LDAP and PostgreSQL servers, install MIT Kerberos for Windows 4.1 (its bitness must match that of Foresight Analytics Platform).
Examples of the settings.xml file for the Active Directory service depending on the OS type on which Foresight Analytics Platform runs (the first example references the Linux shared libraries, the second the Windows DLLs):
Linux OS:
<Configuration>
  <Root>
    <Key Name="PP">
      <BIS>
        <Key Name="System">
          <MultiDomain>
            <Key Name="name of domain 1" Proto="LDAP" url="ldap[s]://IP address or server domain name:port" base="dc=...,dc=..." libldap="libldap-2.4.so.2" liblber="liblber-2.4.so.2">
              <controllers>
                <Key Name="name of controller 1" url="ldap[s]://IP address or server domain name:port" />
                <Key Name="name of controller 2" url="ldap[s]://IP address or server domain name:port" />
              </controllers>
              <user filter="(&(objectClass=user)(sAMAccountType=805306368))" groupsFilter="(&(member=%1)(objectClass=group)(sAMAccountType=268435456))">
                <Key Name="a0" filter="user" ldap="objectClass"/>
                <Key Name="a1" map_to="DistinguishedName" ldap="distinguishedName" get_full_domain="1"/>
                <Key Name="a2" map_to="Name" ldap="sAMAccountName" make_upn="1"/>
                <Key Name="a3" map_to="Sid" ldap="objectSid"/>
                <Key Name="a4" map_to="DisplayName" ldap="cn"/>
                <Key Name="a5" map_to="Descr" ldap="displayName"/>
                <Key Name="a6" map_to="LookupName" ldap="sAMAccountName"/>
                <Key Name="a7" map_to="LookupName" ldap="userPrincipalName"/>
                <Key Name="a8" map_to="LookupName" ldap="displayName"/>
                <Key Name="a9" map_to="LookupName" ldap="cn"/>
              </user>
              <group filter="(&(objectClass=group)(sAMAccountType=268435456))">
                <Key Name="a0" filter="group" ldap="objectClass"/>
                <Key Name="a1" map_to="DistinguishedName" ldap="distinguishedName" get_full_domain="1"/>
                <Key Name="a2" map_to="Name" ldap="sAMAccountName"/>
                <Key Name="a3" map_to="Sid" ldap="objectSid"/>
                <Key Name="a4" map_to="DisplayName" ldap="cn"/>
                <Key Name="a5" map_to="Descr" ldap="description"/>
                <Key Name="a6" map_to="LookupName" ldap="sAMAccountName"/>
                <Key Name="a7" map_to="LookupName" ldap="description"/>
              </group>
              <credentials realm="" Crs="..." Crsa="..." mechanism="GSSAPI"/>
            </Key>
            <Key Name="name of subdomain 1" url="ldap[s]://IP address or server domain name:port" base="dc=...,dc=...">
              <controllers>
                <Key Name="name of controller 1" url="ldap[s]://IP address or server domain name:port" />
                <Key Name="name of controller 2" url="ldap[s]://IP address or server domain name:port" />
              </controllers>
              <user filter="(&(objectClass=user)(sAMAccountType=805306368))" groupsFilter="(&(member=%1)(objectClass=group)(sAMAccountType=268435456))">
                ...
              </user>
              <group filter="(&(objectClass=group)(sAMAccountType=268435456))">
                ...
              </group>
              <credentials realm="" Crs="..." Crsa="..." mechanism="GSSAPI"/>
            </Key>
            <Key Name="name of subdomain 2" url="ldap[s]://IP address or server domain name:port" base="dc=...,dc=...">
              <controllers>
                <Key Name="name of controller 1" url="ldap[s]://IP address or server domain name:port" />
                <Key Name="name of controller 2" url="ldap[s]://IP address or server domain name:port" />
              </controllers>
              <user filter="(&(objectClass=user)(sAMAccountType=805306368))" groupsFilter="(&(member=%1)(objectClass=group)(sAMAccountType=268435456))">
                ...
              </user>
              <group filter="(&(objectClass=group)(sAMAccountType=268435456))">
                ...
              </group>
              <credentials realm="" Crs="..." Crsa="..." mechanism="GSSAPI"/>
            </Key>
            <Key Name="name of domain 2" Proto="LDAP" url="ldap[s]://IP address or server domain name:port" base="dc=...,dc=..." libldap="libldap-2.4.so.2" liblber="liblber-2.4.so.2">
              ...
            </Key>
          </MultiDomain>
          <Gssapi libgssapi="libgssapi_krb5.so.2" libkrb5="libkrb5.so.3"/>
        </Key>
      </BIS>
    </Key>
  </Root>
</Configuration>
Windows OS:
<Configuration>
  <Root>
    <Key Name="PP">
      <BIS>
        <Key Name="System">
          <MultiDomain>
            <Key Name="name of domain 1" Proto="LDAP" url="ldap[s]://IP address or server domain name:port" base="dc=...,dc=..." libldap="libldap.dll" liblber="libldap.dll">
              <controllers>
                <Key Name="name of controller 1" url="ldap[s]://IP address or server domain name:port" />
                <Key Name="name of controller 2" url="ldap[s]://IP address or server domain name:port" />
              </controllers>
              <user filter="(&(objectClass=user)(sAMAccountType=805306368))" groupsFilter="(&(member=%1)(objectClass=group)(sAMAccountType=268435456))">
                <Key Name="a0" filter="user" ldap="objectClass"/>
                <Key Name="a1" map_to="DistinguishedName" ldap="distinguishedName" get_full_domain="1"/>
                <Key Name="a2" map_to="Name" ldap="sAMAccountName" make_upn="1"/>
                <Key Name="a3" map_to="Sid" ldap="objectSid"/>
                <Key Name="a4" map_to="DisplayName" ldap="cn"/>
                <Key Name="a5" map_to="Descr" ldap="displayName"/>
                <Key Name="a6" map_to="LookupName" ldap="sAMAccountName"/>
                <Key Name="a7" map_to="LookupName" ldap="userPrincipalName"/>
                <Key Name="a8" map_to="LookupName" ldap="displayName"/>
                <Key Name="a9" map_to="LookupName" ldap="cn"/>
              </user>
              <group filter="(&(objectClass=group)(sAMAccountType=268435456))">
                <Key Name="a0" filter="group" ldap="objectClass"/>
                <Key Name="a1" map_to="DistinguishedName" ldap="distinguishedName" get_full_domain="1"/>
                <Key Name="a2" map_to="Name" ldap="sAMAccountName"/>
                <Key Name="a3" map_to="Sid" ldap="objectSid"/>
                <Key Name="a4" map_to="DisplayName" ldap="cn"/>
                <Key Name="a5" map_to="Descr" ldap="description"/>
                <Key Name="a6" map_to="LookupName" ldap="sAMAccountName"/>
                <Key Name="a7" map_to="LookupName" ldap="description"/>
              </group>
              <credentials realm="" Crs="..." Crsa="..." mechanism="GSSAPI"/>
            </Key>
            <Key Name="name of subdomain 1" url="ldap[s]://IP address or server domain name:port" base="dc=...,dc=...">
              <controllers>
                <Key Name="name of controller 1" url="ldap[s]://IP address or server domain name:port" />
                <Key Name="name of controller 2" url="ldap[s]://IP address or server domain name:port" />
              </controllers>
              <user filter="(&(objectClass=user)(sAMAccountType=805306368))" groupsFilter="(&(member=%1)(objectClass=group)(sAMAccountType=268435456))">
                ...
              </user>
              <group filter="(&(objectClass=group)(sAMAccountType=268435456))">
                ...
              </group>
              <credentials realm="" Crs="..." Crsa="..." mechanism="GSSAPI"/>
            </Key>
            <Key Name="name of subdomain 2" url="ldap[s]://IP address or server domain name:port" base="dc=...,dc=...">
              <controllers>
                <Key Name="name of controller 1" url="ldap[s]://IP address or server domain name:port" />
                <Key Name="name of controller 2" url="ldap[s]://IP address or server domain name:port" />
              </controllers>
              <user filter="(&(objectClass=user)(sAMAccountType=805306368))" groupsFilter="(&(member=%1)(objectClass=group)(sAMAccountType=268435456))">
                ...
              </user>
              <group filter="(&(objectClass=group)(sAMAccountType=268435456))">
                ...
              </group>
              <credentials realm="" Crs="..." Crsa="..." mechanism="GSSAPI"/>
            </Key>
            <Key Name="name of domain 2" Proto="LDAP" url="ldap[s]://IP address or server domain name:port" base="dc=...,dc=..." libldap="libldap.dll" liblber="libldap.dll">
              ...
            </Key>
          </MultiDomain>
          <Gssapi libgssapi_32="gssapi32.dll" libgssapi_64="gssapi64.dll" libkrb5_32="krb5_32.dll" libkrb5_64="krb5_64.dll"/>
        </Key>
      </BIS>
    </Key>
  </Root>
</Configuration>
The MultiDomain section contains settings of domains and subdomains. One can connect additional domain controllers for domains and subdomains. Parameters of connection to domains and subdomains are specified in Key child elements.
If user names do not contain domain name, reconnect users in the current repository before setting up multidomain authentication.
NOTE. Several independent domain controllers are supported only if built-in authorization is used. If built-in authorization is not used, it is recommended to specify one domain to avoid work issues, for example, on using groups with equal names in different domains.
Features of attributes use in the Key element:
Name. Domain or subdomain name. To specify domain, set NetBIOS domain name (unique name in the settings.xml file configuration).
Proto. The used implementation of interaction with directory services:
LDAP. For OpenLDAP client.
GC. For the Active Directory Windows client. It is supported only in Windows OS and is the recommended option there.
When setting up access permissions and granting privileges to domain users via domain groups, take into account the following:
If the attribute is set to GC, the repository connection returns information about all domain groups, including nested ones.
If the attribute is set to LDAP, the repository connection returns information only about first-level domain groups.
IMPORTANT. Values of the Proto, libldap and liblber attributes are taken into account only in the first specified Key element. The rest of the settings of domains and subdomains should correspond to the same value of the Proto attribute.
url. Directory service server URL in the format: ldap[s]://<IP address or domain server name>:<port>. Specify the ldap scheme if the server is set up by TCP protocol, or specify the ldaps scheme if TLS/SSL protocol is used. The default port number: 389 for ldap, 636 for ldaps.
base. Unique identifier corresponding to the root element of the domain or subdomain, used for searching objects in the directory. The identifier is a string of domain or subdomain components (Distinguished Names in the directory service). All necessary information can be obtained from the administrator of the network in which the server is located.
NOTE. The attribute can be set in only one of the files: ldap.conf or settings.xml. By default, ldap.conf is located in the /etc/ldap folder in Debian-based distributions, in the /etc/openldap folder in RedHat-based distributions and ALT Linux, and in the C:\OpenLDAP folder in Windows OS.
Additional domain controllers are used as alternatives if the main domain or subdomain controller is unavailable after three connection attempts. If the connection to one controller is interrupted and another controller becomes active, the active user session is maintained as well.
The list of additional domain controllers is set in the controllers section, as Key elements inside the parent Key element that corresponds to the main domain or subdomain. Available attributes of these Key elements:
Name. Controller name.
url. Controller URL.
The example of the controllers section:
<controllers>
  <Key Name="name of controller 1" url="ldap[s]://IP address or server domain name:port" />
  <Key Name="name of controller 2" url="ldap[s]://IP address or server domain name:port" />
</controllers>
Each domain or subdomain can contain the user and group sections, in which Key elements are determined.
Features of attributes use in the Key element:
filter. Advanced search filter by subject type: user or group.
map_to. The security manager field that the ldap attribute is mapped to when searching for and adding domain subjects (users or groups). The attribute takes the following values:
Descr. Subject description. It is displayed as a value of the Description parameter in user or group properties.
DisplayName. Full domain user name. It is displayed as a value of the Full Name parameter in user properties.
EMail. Default subject email. It is set as a value of the IUserProfile.Email property.
SamAccountName. User name without taking into account domain in the format <domain>\<name>.
UserPrincipalName. User name taking into account domain in the format <name>@<domain>. If it is not specified, the value should be created using Name value with the make_upn attribute. It is set as a value of the ISecuritySubject.UserPrincipalName property.
Name. Subject name creation method. It can contain the make_upn attribute with the 1 value for creating UserPrincipalName based on the Name value taking into account domain.
NOTE. If the Name value is used with the make_upn attribute, DistinguishedName should be set with the get_full_domain attribute.
If the map_to attribute is set to Name, and the ldap attribute is set to sAMAccountName, the domain name is always added to the value obtained from LDAP directory: DOMAIN\ATTRVALUE.
DistinguishedName. Unique subject name in the format determined for the directory service, for example: CN=user,OU=group,DC=domain,DC=ru. It is used to create the UserPrincipalName value if the Name value is set with the make_upn attribute. It may contain the get_full_domain attribute with the 1 value. It is set as a value of the ISecuritySubject.DistinguishedName property.
Sid. Subject identifier. It may contain the sid_prefix attribute with the 1 value that adds the LDAP- prefix to the original SID identifier. It is set as a value of the ISecuritySubject.Sid property.
LookupName. The ldap attribute by whose value domain subjects are searched.
NOTE. At least one Key element with the map_to attribute set to LookupName must be specified.
When specifying a name creation method for the Name value, make sure that subject names satisfy the following conditions:
Name cannot be empty, must not end with \ and must contain the domain (DOMAIN\NAME).
Name may coincide with the UPN. For UPN users, Name cannot be empty and must contain the @ character.
Sid cannot be empty.
Subjects with invalid names are skipped, and one of the following errors is displayed in the log:
LDAP: Name cannot be empty.
LDAP: Name '<NAME>' should contain domain.
LDAP: Name '<NAME>' should not end with '\\' symbol.
LDAP: Sid cannot be empty.
LDAP: UserPrincipalName cannot be empty.
LDAP: UserPrincipalName '<UPN>' should contain '@'.
If all subjects were skipped, check the map_to attribute settings again.
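The following is an added example, not Foresight Analytics Platform code, that applies a user section mapping of the kind shown above to one LDAP entry and then runs the subject name checks just listed, producing the same log messages. The constructed user section adds sid_prefix="1" to show the Sid option. Two details are assumptions rather than documented behaviour: get_full_domain="1" is taken to derive the full domain from the DC= components of the Distinguished Name, and the UserPrincipalName generated by make_upn="1" is taken to be the bare name followed by @ and that full domain.

```python
import xml.etree.ElementTree as ET

# Constructed <user> section modelled on the documented one (sid_prefix="1" added
# to show the Sid option). In a well-formed XML file the '&' that starts an LDAP
# AND filter is written as '&amp;'.
USER_SECTION = """
<user filter="(&amp;(objectClass=user)(sAMAccountType=805306368))"
      groupsFilter="(&amp;(member=%1)(objectClass=group)(sAMAccountType=268435456))">
  <Key Name="a0" filter="user" ldap="objectClass"/>
  <Key Name="a1" map_to="DistinguishedName" ldap="distinguishedName" get_full_domain="1"/>
  <Key Name="a2" map_to="Name" ldap="sAMAccountName" make_upn="1"/>
  <Key Name="a3" map_to="Sid" ldap="objectSid" sid_prefix="1"/>
  <Key Name="a4" map_to="DisplayName" ldap="cn"/>
  <Key Name="a5" map_to="Descr" ldap="displayName"/>
  <Key Name="a6" map_to="LookupName" ldap="sAMAccountName"/>
  <Key Name="a7" map_to="LookupName" ldap="userPrincipalName"/>
</user>
"""


def full_domain_from_dn(dn):
    """Assumption: get_full_domain="1" derives the full domain from the DC= parts of the DN."""
    parts = [p.strip()[3:] for p in dn.split(",") if p.strip().upper().startswith("DC=")]
    return ".".join(parts)


def map_subject(user_section_xml, netbios_domain, entry):
    """Build a security subject (dict) from one LDAP entry given as attribute -> value."""
    subject = {"LookupName": []}
    make_upn, full_domain = False, None
    for key in ET.fromstring(user_section_xml.strip()).findall("Key"):
        target = key.get("map_to")
        if target is None:          # the filter="user" Key only selects the object class
            continue
        value = entry.get(key.get("ldap"), "")
        if target == "Name":
            # DOMAIN\ATTRVALUE: the domain is always prepended to sAMAccountName
            if key.get("ldap") == "sAMAccountName" and value:
                value = f"{netbios_domain}\\{value}"
            make_upn = key.get("make_upn") == "1"
        elif target == "DistinguishedName" and key.get("get_full_domain") == "1":
            full_domain = full_domain_from_dn(value)
        elif target == "Sid" and key.get("sid_prefix") == "1" and value:
            value = "LDAP-" + value
        if target == "LookupName":
            subject["LookupName"].append(value)
        else:
            subject[target] = value
    if make_upn and full_domain is not None:
        # Assumption: the generated UPN is <name without domain>@<full domain from the DN>
        bare = subject.get("Name", "").split("\\")[-1]
        subject["UserPrincipalName"] = f"{bare}@{full_domain}" if bare else ""
    return subject


def validate_subject(subject):
    """Return the documented log messages for a subject that would be skipped."""
    errors = []
    name = subject.get("Name", "")
    if not name:
        errors.append("LDAP: Name cannot be empty.")
    elif name.endswith("\\"):
        errors.append(f"LDAP: Name '{name}' should not end with '\\\\' symbol.")
    elif "\\" not in name and "@" not in name:
        # Assumption: a name in UPN form (with '@') carries its domain after the '@'
        errors.append(f"LDAP: Name '{name}' should contain domain.")
    if not subject.get("Sid"):
        errors.append("LDAP: Sid cannot be empty.")
    if "UserPrincipalName" in subject:
        upn = subject["UserPrincipalName"]
        if not upn:
            errors.append("LDAP: UserPrincipalName cannot be empty.")
        elif "@" not in upn:
            errors.append(f"LDAP: UserPrincipalName '{upn}' should contain '@'.")
    return errors


if __name__ == "__main__":
    # Constructed entry for a user in the CORP domain
    entry = {"distinguishedName": "CN=jdoe,OU=Staff,DC=corp,DC=example",
             "sAMAccountName": "jdoe", "objectSid": "S-1-5-21-1-2-3-1001",
             "cn": "jdoe", "displayName": "John Doe", "userPrincipalName": "jdoe@corp.example"}
    subject = map_subject(USER_SECTION, "CORP", entry)
    print(subject, validate_subject(subject))
```

Running the block maps the constructed entry to CORP\jdoe with the UPN jdoe@corp.example and an LDAP- prefixed SID, and reports no errors; an entry that lacks sAMAccountName and objectSid produces the Name, Sid and UserPrincipalName messages instead, which is the case to look for in the log when every subject is skipped.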
Each main domain or subdomain should contain the credentials element with the attributes:
realm. Domain name.
Crs/Crsa. Credentials for connecting to directory service server in the encrypted form. Encrypted values of these attributes can be obtained using the PP.Util utility by means of the /encrypt_creds parameter.
username/password. User name and password in the open (unencrypted) form. They are kept for compatibility with earlier versions of Foresight Analytics Platform. If both pairs of attributes are specified, the encrypted credentials are used.
TIP. For security reasons, it is recommended to use encrypted credentials. If both pairs of attributes, Crs/Crsa and username/password, are specified, the Crs/Crsa attributes take priority.
mechanism. Directory server connection mechanism, for example, GSSAPI. If an empty string is specified, or the url attribute uses the ldap scheme, the SASL SIMPLE mechanism is used.
NOTE. Make sure that the used mechanism is supported by directory service server.
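The following is an added example, not Foresight Analytics Platform code, that reads the MultiDomain section of a settings.xml and reports configurations that the rules above say will not work or are not recommended: a Proto value that differs from the first Key and is therefore ignored, a url whose scheme is neither ldap nor ldaps, a user or group section without a LookupName mapping, make_upn="1" without a DistinguishedName mapping carrying get_full_domain="1", credentials in the open form, and an ldap (non-TLS) URL, where the SASL SIMPLE bind sends the password in the clear. The settings.xml it parses is constructed for the example, with placeholder credential values and a deliberately faulty second domain; the default ports it applies are the documented 389 and 636.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed settings.xml. The second Key ("SUB") is deliberately wrong in several
# ways so that the checks below have something to report. Credential values are
# placeholders, not real encrypted or clear-text secrets.
SETTINGS_XML = """
<Configuration><Root><Key Name="PP"><BIS><Key Name="System"><MultiDomain>
  <Key Name="CORP" Proto="LDAP" url="ldaps://dc1.corp.example:636" base="dc=corp,dc=example"
       libldap="libldap-2.4.so.2" liblber="liblber-2.4.so.2">
    <controllers><Key Name="dc2" url="ldaps://dc2.corp.example"/></controllers>
    <user filter="(&amp;(objectClass=user)(sAMAccountType=805306368))">
      <Key Name="a1" map_to="DistinguishedName" ldap="distinguishedName" get_full_domain="1"/>
      <Key Name="a2" map_to="Name" ldap="sAMAccountName" make_upn="1"/>
      <Key Name="a3" map_to="Sid" ldap="objectSid"/>
      <Key Name="a6" map_to="LookupName" ldap="sAMAccountName"/>
    </user>
    <group filter="(&amp;(objectClass=group)(sAMAccountType=268435456))">
      <Key Name="a2" map_to="Name" ldap="sAMAccountName"/>
      <Key Name="a6" map_to="LookupName" ldap="sAMAccountName"/>
    </group>
    <credentials realm="corp.example" Crs="CRS-PLACEHOLDER" Crsa="CRSA-PLACEHOLDER" mechanism="GSSAPI"/>
  </Key>
  <Key Name="SUB" Proto="GC" url="ldap://dc.sub.corp.example" base="dc=sub,dc=corp,dc=example">
    <user filter="(&amp;(objectClass=user)(sAMAccountType=805306368))">
      <Key Name="a2" map_to="Name" ldap="sAMAccountName" make_upn="1"/>
      <Key Name="a3" map_to="Sid" ldap="objectSid"/>
    </user>
    <group filter="(&amp;(objectClass=group)(sAMAccountType=268435456))">
      <Key Name="a6" map_to="LookupName" ldap="sAMAccountName"/>
    </group>
    <credentials realm="sub.corp.example" username="svc-ldap" password="PASSWORD-PLACEHOLDER" mechanism=""/>
  </Key>
</MultiDomain></Key></BIS></Key></Root></Configuration>
"""


def effective_url(url):
    """Return (scheme, host, port) for a url attribute, applying the documented default ports."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"url {url!r}: scheme must be ldap or ldaps")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def check_multidomain(xml_text):
    """Return (domain Name, message) findings; an empty list means every check passed."""
    findings = []
    domains = ET.fromstring(xml_text.strip()).findall("./Root/Key/BIS/Key/MultiDomain/Key")
    names = [d.get("Name") for d in domains]
    if len(names) != len(set(names)):
        findings.append(("*", "Key Name values must be unique"))
    first_proto = domains[0].get("Proto") if domains else None
    for dom in domains:
        name = dom.get("Name")
        # Proto, libldap and liblber count only in the first Key; a different Proto later is ignored
        if dom.get("Proto") not in (None, first_proto):
            findings.append((name, f"Proto {dom.get('Proto')!r} differs from the first Key ({first_proto!r}) and is ignored"))
        try:
            scheme = effective_url(dom.get("url", ""))[0]
        except ValueError as exc:
            scheme = None
            findings.append((name, str(exc)))
        for ctrl in dom.findall("./controllers/Key"):
            try:
                effective_url(ctrl.get("url", ""))
            except ValueError as exc:
                findings.append((name, f"controller {ctrl.get('Name')!r}: {exc}"))
        for section in ("user", "group"):
            keys = dom.findall(f"./{section}/Key")
            if not keys:
                continue
            if not any(k.get("map_to") == "LookupName" for k in keys):
                findings.append((name, f'{section}: no Key with map_to="LookupName"'))
            make_upn = any(k.get("map_to") == "Name" and k.get("make_upn") == "1" for k in keys)
            full_dn = any(k.get("map_to") == "DistinguishedName" and k.get("get_full_domain") == "1" for k in keys)
            if make_upn and not full_dn:
                findings.append((name, f'{section}: make_upn="1" needs DistinguishedName with get_full_domain="1"'))
        cred = dom.find("credentials")
        if cred is None:
            findings.append((name, "credentials element is missing"))
            continue
        encrypted = bool(cred.get("Crs") and cred.get("Crsa"))
        if not encrypted and (cred.get("username") or cred.get("password")):
            findings.append((name, "credentials are in the open form; Crs/Crsa from PP.Util /encrypt_creds are recommended"))
        if scheme == "ldap":
            findings.append((name, "ldap scheme without TLS: SASL SIMPLE applies and the bind password is sent in the clear"))
    return findings


if __name__ == "__main__":
    for domain, message in check_multidomain(SETTINGS_XML):
        print(f"[{domain}] {message}")
```

On the constructed file the CORP domain passes every check, while SUB produces five findings: the ignored Proto, the user section without a LookupName mapping, make_upn="1" without get_full_domain="1", credentials in the open form, and the ldap scheme without TLS. Run the same function over a real settings.xml before restarting the platform with multidomain authentication; the findings point at exactly the attributes this page describes.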
See also:
Creating User Accounts and Working with Them | Connecting Domain User | Connecting Domain Group