The tool supports the interface of Foresight Analytics Platform 9 or earlier.

Working with Directory Services

When generating a repository security subsystem, users and groups are created in the security manager. If users plan to log in to a repository using domain or integrated domain authentication, add the domain users and domain groups in the security manager.

Foresight Analytics Platform gets information about domain security subjects from the domain directory service or the global directory, which must be set up in the computer network. Interaction depends on the type of directory service in use and on the operating system installed on the directory service server. The following directory services are supported: Active Directory, OpenLDAP.

NOTE. Interaction with directory services is executed only via the LDAP protocol.

If the connection is made to the directory service of the current domain (the global directory of the current network) and the service is based on Active Directory (Windows OS), no additional settings are required in Foresight Analytics Platform.

If the directory service is located on a Linux OS server, or a connection is required to a directory service in a network other than the current one (Linux or Windows OS server), OpenLDAP (the open implementation of the LDAP protocol) is used for communication. When the directory service is accessed from Linux OS, the OpenLDAP system libraries are used. On Windows OS, external software providing an OpenLDAP implementation (for example, OpenLDAP for Windows) must be installed.

If authentication should work via the GSSAPI protocol, install MIT Kerberos for Windows 4.1 on the LDAP and PostgreSQL servers (with the same bitness as Foresight Analytics Platform). The configuration files must also be adapted:

  1. In settings.xml, set the parameters that map directory service attributes to security subject attributes in Foresight Analytics Platform, and specify the user credentials used to connect to the directory service. If required, connect additional controllers for the main domain controller or subdomains.

  2. In the OpenLDAP and Kerberos configuration files, define the settings that control operation in the current network and the connection settings for the various domains. The setup is executed according to the OpenLDAP and Kerberos documentation. The settings must take into account the operating parameters of the current computer network and must be coordinated with the network administrator.

Examples of the settings.xml file depending on the OS type on which the directory service is based:

Linux OS:

<Configuration>
  <Root>
    <Key Name="PP">
      <BIS>
        <Key Name="System">
          <Ldap Proto="LDAP" url="ldap://IP address or domain server name:port" base="dc=...,dc=..." libldap="libldap-2.4.so.2" liblber="liblber-2.4.so.2">
            <user filter="(&amp;(objectClass=user)(sAMAccountType=805306368))" groupsFilter="(&amp;(member=%1)(objectClass=group)(sAMAccountType=268435456))">
              <Key Name="a0" filter="user" ldap="objectClass"/>
              <Key Name="a1" map_to="DistinguishedName" ldap="distinguishedName" get_full_domain="1"/>
              <Key Name="a2" map_to="Name" ldap="sAMAccountName" make_sam_account="1" make_upn="1"/>
              <Key Name="a3" map_to="Sid" ldap="objectSid"/>
              <Key Name="a4" map_to="DisplayName" ldap="cn"/>
              <Key Name="a5" map_to="Descr" ldap="displayName"/>
              <Key Name="a6" map_to="LookupName" ldap="sAMAccountName"/>
              <Key Name="a7" map_to="LookupName" ldap="userPrincipalName"/>
              <Key Name="a8" map_to="LookupName" ldap="displayName"/>
              <Key Name="a9" map_to="LookupName" ldap="cn"/>
            </user>
            <group filter="(&amp;(objectClass=group)(sAMAccountType=268435456))">
              <Key Name="a0" filter="group" ldap="objectClass"/>
              <Key Name="a1" map_to="DistinguishedName" ldap="distinguishedName" get_full_domain="1"/>
              <Key Name="a2" map_to="Name" ldap="sAMAccountName" make_sam_account="1"/>
              <Key Name="a3" map_to="Sid" ldap="objectSid"/>
              <Key Name="a4" map_to="DisplayName" ldap="cn"/>
              <Key Name="a5" map_to="Descr" ldap="description"/>
              <Key Name="a6" map_to="LookupName" ldap="sAMAccountName"/>
              <Key Name="a7" map_to="LookupName" ldap="description"/>
            </group>
            <credentials realm="" Crs="..." Crsa="..." mechanism="GSSAPI"/>
          </Ldap>
          <Gssapi libgssapi="libgssapi_krb5.so.2" libkrb5="libkrb5.so.3"/>
        </Key>
      </BIS>
    </Key>
  </Root>
</Configuration>

Windows OS:

<Configuration>
  <Root>
    <Key Name="PP">
      <BIS>
        <Key Name="System">
          <Ldap Proto="LDAP" url="ldap://IP address or domain server name:port" base="dc=...,dc=..." libldap="libldap.dll" liblber="liblber.dll" >
            <user filter="(&amp;(objectClass=user)(sAMAccountType=805306368))" groupsFilter="(&amp;(member=%1)(objectClass=group)(sAMAccountType=268435456))">
              <Key Name="a0" filter="user" ldap="objectClass"/>
              <Key Name="a1" map_to="DistinguishedName" ldap="distinguishedName" get_full_domain="1"/>
              <Key Name="a2" map_to="Name" ldap="sAMAccountName" make_sam_account="1" make_upn="1"/>
              <Key Name="a3" map_to="Sid" ldap="objectSid"/>
              <Key Name="a4" map_to="DisplayName" ldap="cn"/>
              <Key Name="a5" map_to="Descr" ldap="displayName"/>
              <Key Name="a6" map_to="LookupName" ldap="sAMAccountName"/>
              <Key Name="a7" map_to="LookupName" ldap="userPrincipalName"/>
              <Key Name="a8" map_to="LookupName" ldap="displayName"/>
              <Key Name="a9" map_to="LookupName" ldap="cn"/>
            </user>
            <group filter="(&amp;(objectClass=group)(sAMAccountType=268435456))">
              <Key Name="a0" filter="group" ldap="objectClass"/>
              <Key Name="a1" map_to="DistinguishedName" ldap="distinguishedName" get_full_domain="1"/>
              <Key Name="a2" map_to="Name" ldap="sAMAccountName" make_sam_account="1"/>
              <Key Name="a3" map_to="Sid" ldap="objectSid"/>
              <Key Name="a4" map_to="DisplayName" ldap="cn"/>
              <Key Name="a5" map_to="Descr" ldap="description"/>
              <Key Name="a6" map_to="LookupName" ldap="sAMAccountName"/>
              <Key Name="a7" map_to="LookupName" ldap="description"/>
            </group>
            <credentials realm="" Crs="..." Crsa="..." mechanism="GSSAPI"/>
          </Ldap>
          <Gssapi libgssapi_32="gssapi32.dll" libgssapi_64="gssapi64.dll" libkrb5_32="krb5_32.dll" libkrb5_64="krb5_64.dll"/>
        </Key>
      </BIS>
    </Key>
  </Root>
</Configuration>
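As an added example (not code from the product or this page), the following Python script parses a settings.xml modeled on the Linux example above and applies the checks a reviewer would run before deploying it: that each user and group section maps the security subject attributes, that the search filters are well-formed, that groupsFilter keeps its %1 placeholder, and that mechanism="GSSAPI" is accompanied by the Gssapi library section. The host name, base DN and credential values in the embedded XML are constructed placeholders; REQUIRED_MAPPINGS is an assumption about which map_to targets must be present, and the script assumes %1 is replaced with the user's distinguished name when the group query is built, which is why it shows RFC 4515 escaping of that value.

```python
import xml.etree.ElementTree as ET

# Constructed settings.xml modeled on the Linux example on this page; host,
# base DN and the Crs/Crsa credential values are placeholders, not real data.
SETTINGS_XML = """<Configuration>
  <Root>
    <Key Name="PP">
      <BIS>
        <Key Name="System">
          <Ldap Proto="LDAP" url="ldap://dc1.example.test:389" base="dc=example,dc=test"
                libldap="libldap-2.4.so.2" liblber="liblber-2.4.so.2">
            <user filter="(&amp;(objectClass=user)(sAMAccountType=805306368))"
                  groupsFilter="(&amp;(member=%1)(objectClass=group)(sAMAccountType=268435456))">
              <Key Name="a0" filter="user" ldap="objectClass"/>
              <Key Name="a1" map_to="DistinguishedName" ldap="distinguishedName" get_full_domain="1"/>
              <Key Name="a2" map_to="Name" ldap="sAMAccountName" make_sam_account="1" make_upn="1"/>
              <Key Name="a3" map_to="Sid" ldap="objectSid"/>
              <Key Name="a4" map_to="DisplayName" ldap="cn"/>
              <Key Name="a5" map_to="Descr" ldap="displayName"/>
              <Key Name="a6" map_to="LookupName" ldap="sAMAccountName"/>
            </user>
            <group filter="(&amp;(objectClass=group)(sAMAccountType=268435456))">
              <Key Name="a0" filter="group" ldap="objectClass"/>
              <Key Name="a1" map_to="DistinguishedName" ldap="distinguishedName" get_full_domain="1"/>
              <Key Name="a2" map_to="Name" ldap="sAMAccountName" make_sam_account="1"/>
              <Key Name="a3" map_to="Sid" ldap="objectSid"/>
              <Key Name="a4" map_to="DisplayName" ldap="cn"/>
            </group>
            <credentials realm="" Crs="..." Crsa="..." mechanism="GSSAPI"/>
          </Ldap>
          <Gssapi libgssapi="libgssapi_krb5.so.2" libkrb5="libkrb5.so.3"/>
        </Key>
      </BIS>
    </Key>
  </Root>
</Configuration>"""

# Assumption: these map_to targets must each be filled by at least one Key.
REQUIRED_MAPPINGS = {"DistinguishedName", "Name", "Sid", "DisplayName"}

def find_ldap(xml_text):
    """Return (System Key element, Ldap element) from a settings.xml document."""
    root = ET.fromstring(xml_text)
    system = root.find("./Root/Key[@Name='PP']/BIS/Key[@Name='System']")
    if system is None or system.find("Ldap") is None:
        raise ValueError("Key Name='System' with an Ldap section not found")
    return system, system.find("Ldap")

def mapping_table(section):
    """{map_to target: [directory attributes]} for the Key entries of <user> or <group>."""
    table = {}
    for key in section.findall("Key"):
        target = key.get("map_to")
        if target is not None:  # the objectClass Key carries a filter, not a map_to
            table.setdefault(target, []).append(key.get("ldap"))
    return table

def balanced(filter_text):
    """True when the parentheses of an LDAP search filter are balanced."""
    depth = 0
    for ch in filter_text:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0

def check_settings(xml_text):
    """Return a list of findings (empty means the section passed every check)."""
    system, ldap = find_ldap(xml_text)
    findings = []
    url = ldap.get("url", "")
    if not url.startswith("ldaps://"):
        findings.append(f"url {url!r} is plain ldap://; without SASL sign/seal or "
                        "StartTLS, directory traffic is unencrypted")
    for name in ("user", "group"):
        sec = ldap.find(name)
        if sec is None:
            findings.append(f"missing <{name}> section")
            continue
        if not balanced(sec.get("filter", "")):
            findings.append(f"<{name}> filter has unbalanced parentheses")
        missing = REQUIRED_MAPPINGS - set(mapping_table(sec))
        if missing:
            findings.append(f"<{name}> has no Key mapping to {sorted(missing)}")
    user = ldap.find("user")
    if user is not None and "%1" not in user.get("groupsFilter", ""):
        findings.append("groupsFilter lacks the %1 placeholder for the member value")
    cred = ldap.find("credentials")
    if cred is not None and cred.get("mechanism") == "GSSAPI" and system.find("Gssapi") is None:
        findings.append("mechanism=GSSAPI but the <Gssapi> library section is missing")
    return findings

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter (prevents filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)

def groups_filter_for(xml_text, member_dn):
    """Assumption: the platform replaces %1 with the user's DN; escape it before splicing."""
    _, ldap = find_ldap(xml_text)
    template = ldap.find("user").get("groupsFilter")
    return template.replace("%1", escape_filter_value(member_dn))
```

Run `check_settings(SETTINGS_XML)` against your own file to get the findings list; with the constructed file the only finding is the plain ldap:// URL, which is acceptable when GSSAPI sign/seal is in use but worth confirming with the network administrator. `groups_filter_for` shows why the value substituted for %1 must be escaped: a distinguished name containing `(`, `)`, `*` or `\` would otherwise change the meaning of the group query.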

Attribute usage in the sections:

Ldap

Key

credentials

Connecting Additional Domain Controllers

One can connect additional controllers for the main domain controller and for subdomains; they are used as alternatives if the main domain controller or subdomain is unavailable after three failed connection attempts. If the connection to one controller is interrupted and another controller becomes active, the active user session is maintained as well.

The list of additional domain controllers is set in the controllers section using Key sections. Available attributes of the Key sections:

Example of the controllers section:

<controllers>
  <Key Name="controller 1 name" url="ldap://IP address or domain server name:port" />
  <Key Name="controller 2 name" url="ldap://IP address or domain server name:port" />
</controllers>

Domain Main Controller

To connect additional controllers to the domain main controller:

  1. Create the controllers section in the Ldap section.

  2. Set the list of additional controllers in the controllers section.

Subdomains

To connect additional controllers in subdomains:

  1. Create the subdomains section in the Ldap section.

  2. Set the list of subdomains in the subdomains section using Key sections. Available attributes of the Key sections:

  3. Create the controllers section in the Key section of the corresponding subdomain.

  4. Set the list of additional controllers in the controllers section.

Example of the subdomains section:

<subdomains>
  <Key Name="subdomain 1 name" url="ldap://IP address or domain server name:port">
    <controllers>
      <Key Name="controller 1 name" url="ldap://IP address or domain server name:port" />
      <Key Name="controller 2 name" url="ldap://IP address or domain server name:port" />
    </controllers>
  </Key>
  <Key Name="subdomain 2 name" url="ldap://IP address or domain server name:port">
    <controllers>
      <Key Name="controller 3 name" url="ldap://IP address or domain server name:port" />
      <Key Name="controller 4 name" url="ldap://IP address or domain server name:port" />
    </controllers>
  </Key>
</subdomains>
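As an added example (not the product's own code), the following Python script reads an Ldap fragment that combines the controllers and subdomains sections above, derives the order in which the main controller (or a subdomain) and its additional controllers are tried, and simulates the failover rule stated above: a controller is abandoned after three failed connection attempts and the next listed controller is used. The host names are constructed placeholders; the retry semantics (three attempts per controller before moving on) are an assumption drawn from the sentence above, and `try_connect` is a stand-in for the real LDAP connection, so no network traffic is generated.

```python
import xml.etree.ElementTree as ET

# Constructed Ldap fragment combining the controllers and subdomains examples
# above; the host names are placeholders, not real servers.
LDAP_XML = """<Ldap Proto="LDAP" url="ldap://dc1.corp.example.test:389" base="dc=corp,dc=example,dc=test">
  <controllers>
    <Key Name="dc2" url="ldap://dc2.corp.example.test:389"/>
    <Key Name="dc3" url="ldap://dc3.corp.example.test:389"/>
  </controllers>
  <subdomains>
    <Key Name="sales" url="ldap://dc1.sales.corp.example.test:389">
      <controllers>
        <Key Name="sales-dc2" url="ldap://dc2.sales.corp.example.test:389"/>
      </controllers>
    </Key>
  </subdomains>
</Ldap>"""

MAX_ATTEMPTS = 3  # from the page: fail over after three failed connection attempts


def candidate_urls(ldap_xml, subdomain=None):
    """Ordered URLs to try: the primary (main controller or subdomain) first,
    then its additional controllers in the order they are listed."""
    ldap = ET.fromstring(ldap_xml)
    node = ldap
    if subdomain is not None:
        # compare the Name attribute in Python instead of splicing it into an XPath
        node = next((k for k in ldap.findall("subdomains/Key") if k.get("Name") == subdomain), None)
        if node is None:
            raise KeyError(f"subdomain {subdomain!r} is not configured")
    urls = [node.get("url")]
    controllers = node.find("controllers")
    if controllers is not None:
        urls += [k.get("url") for k in controllers.findall("Key")]
    return urls


def connect_with_failover(urls, try_connect, log):
    """Try each URL up to MAX_ATTEMPTS times; return the first one that answers."""
    for url in urls:
        for attempt in range(1, MAX_ATTEMPTS + 1):
            if try_connect(url):
                log.append(f"connected to {url} on attempt {attempt}")
                return url
            log.append(f"attempt {attempt} to {url} failed")
        log.append(f"{url} unavailable after {MAX_ATTEMPTS} attempts, failing over")
    raise ConnectionError("no configured controller is reachable")


def simulate(ldap_xml, down, subdomain=None):
    """Simulation only: controllers in the constructed `down` set refuse every attempt."""
    log = []
    chosen = connect_with_failover(candidate_urls(ldap_xml, subdomain),
                                   lambda url: url not in down, log)
    return chosen, log


if __name__ == "__main__":
    chosen, log = simulate(LDAP_XML, down={"ldap://dc1.corp.example.test:389"})
    print("\n".join(log))
```

The simulation with the main controller down shows the three failed attempts against dc1 followed by a successful connection to dc2, the first additional controller. The log produced by `connect_with_failover` is the kind of record worth keeping in production: repeated failovers to a secondary controller usually indicate an outage or a misconfigured url attribute rather than normal operation.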

See also:

Creating User Accounts and Working with Them | Connecting Domain User | Connecting Domain Group