- Overview
- Prerequisite
- Implementation for a Windows HFSQL server
- Automatic setup
- Manual setup
- Implementation for a Linux HFSQL server
- Use
- Connection
- Managing rights on the server
Authentication via Active Directory
Available only with this kind of connection
Overview
Kerberos is an authentication mode based on tickets and secret keys. It is used by Windows and by Active Directory. From version 23, the HFSQL server can be configured to authenticate users according to the Kerberos standard: the Kerberos account (Active Directory, etc.) is used.

Prerequisite
Before implementing authentication via Active Directory, a domain user account must be created. This account must have at least the following permissions:
- read and write access to the database directory and to the HFConf.INI file,
- read and write access to the server binaries (manta64.exe, *.exe, etc.) for automatic data updates on the server.
Remark: To make efficient hot backups, this account must also hold the corresponding local permission on the volume ("Perform volume maintenance tasks").

Implementation for a Windows HFSQL server

Automatic setup
When installing or updating an HFSQL server in version 23 (or later), the setup wizard automatically performs the necessary steps. Once the HFSQL server is installed, the server configuration must be finalized. To do so, run the following command line with an account that has rights on the domain:
setspn -U -S HFSQL/<srv1.mydomain.com> <account name>
where:
  - <srv1.mydomain.com> is the full name (FQDN) of the computer hosting the HFSQL server,
  - <account name> is the name of the domain user account created in the prerequisite.
Manual setup
For information, the following steps are used to implement authentication via Active Directory for an HFSQL server for Windows (version 23 or later):
- Install an HFSQL server (version 23 or later) on a computer.
- Modify the account running the HFSQL server service so that it uses the domain user account created in the prerequisite.
Caution: This account must have the rights to access the database directory and the HFConf.INI file.
- Create the ServicePrincipalName by running the following command line with an account that has rights on the domain:
setspn -U -S HFSQL/<srv1.mydomain.com> <account name>
where:
  - <srv1.mydomain.com> is the full name (FQDN) of the computer hosting the HFSQL server,
  - <account name> is the name of the domain user account created in the prerequisite.
- Enable Active Directory support in the server.
Implementation for a Linux HFSQL server
The following steps are used to implement authentication via Active Directory for an HFSQL server for Linux (version 23 or later):
- Join the server to the domain if necessary. The following command can be used on a recent Linux distribution:
>sudo realm join mydomain.com -U 'admin@MYDOMAIN.COM' -v
where:
  - mydomain.com is the domain name,
  - admin@MYDOMAIN.COM is an account with the necessary rights to add a computer to the domain.
- Check that the server gets its information from the Active Directory controller by typing the command:
>id <account name>@mydomain.com
where <account name> is the name of the domain user account created in the prerequisite. The following information is displayed:
uid= 10003(<account name>@mydomain.com) gid= 10000(user.ofdomain@mydomain.com) groups= 10000(user.ofdomain@mydomain.com), 10000(account@mydomain.com)
- Create the ServicePrincipalName by running the following command line on a Windows computer with an account that has rights on the domain:
setspn -U -S HFSQL/<srv1.mydomain.com> <account name>
where:
  - <srv1.mydomain.com> is the full name (FQDN) of the computer hosting the HFSQL server,
  - <account name> is the name of the domain account created in the prerequisite.
- Configure the "keytab":
>kinit <account name>@MYDOMAIN.COM
>kvno HFSQL/srv1.mydomain.com
HFSQL/srv1.mydomain.com@MYDOMAIN.COM:kvno = 2
>ktutil
ktutil: addent -password -p HFSQL/srv1.mydomain.com@MYDOMAIN.COM -k <kvno> -e aes256-cts-hmac-sha1-96
ktutil: addent -password -p HFSQL/srv1.mydomain.com@MYDOMAIN.COM -k <kvno> -e rc4-hmac
ktutil: wkt /opt/<account name>/<account name>.keytab
ktutil: quit
where:
  - <kvno> is the number returned by the kvno command,
  - srv1.mydomain.com is the full name of the server computer,
  - MYDOMAIN.COM is the domain name (always in uppercase characters),
  - <account name> is the name of the domain account created in the prerequisite.
Adapt the path in the 'wkt' command to store the "keytab" at an appropriate location. Check that the HFSQL server has sufficient rights to access this file.
Remark: The rc4-hmac entry is only needed by domains that still allow RC4 for this service; that encryption type is deprecated (RFC 8429), so leave it out when the domain supports AES.
- The "libgssapi_krb5.so" library is required. Depending on the distribution, you may have to create a symbolic link from "libgssapi_krb5.so.x" to "libgssapi_krb5.so".
- Configure the HFSQL server by adding the following lines to the server's HFConf.ini file:
[ActiveDirectory]
Enable=1
KerberosKeyFile=/opt/<account name>/<account name>.keytab
where <account name> is the name of the domain account created in the prerequisite.
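As an added check (not part of the HFSQL documentation or product), the following POSIX shell script verifies what the last two Linux steps depend on: that HFConf.ini enables Active Directory support and names a keytab, and that the keytab exists, is owned by the account the server runs under and carries no group/other permission bits, since it holds the service's long-term key. The helper names ini_value and check_ad_config are hypothetical.

```shell
#!/bin/sh
# Added check, not part of the HFSQL documentation: validate the
# [ActiveDirectory] section of HFConf.ini and the keytab it points to.
# ini_value and check_ad_config are hypothetical helper names.

# ini_value <file> <section> <key>: print the value of Key in [Section]
# (plain Key=Value lines, CRLF tolerated; first match wins).
ini_value() {
    awk -v sec="[$2]" -v key="$3" '
        { sub(/\r$/, "") }
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# check_ad_config <HFConf.ini> <service account>: return 0 when the
# configuration is usable by the server, 1 otherwise (reason on stdout).
check_ad_config() {
    ini="$1"; svc="$2"
    [ -r "$ini" ] || { echo "cannot read $ini"; return 1; }
    enable=$(ini_value "$ini" ActiveDirectory Enable)
    [ "$enable" = "1" ] || { echo "Active Directory support not enabled (Enable=$enable)"; return 1; }
    keytab=$(ini_value "$ini" ActiveDirectory KerberosKeyFile)
    [ -n "$keytab" ] || { echo "KerberosKeyFile is not set"; return 1; }
    [ -f "$keytab" ] || { echo "keytab $keytab does not exist"; return 1; }
    # The keytab holds the HFSQL service's long-term key: it must be owned by
    # the account running the server and carry no group/other permission bits.
    owner=$(stat -c %U "$keytab" 2>/dev/null || stat -f %Su "$keytab")
    mode=$(stat -c %a "$keytab" 2>/dev/null || stat -f %Lp "$keytab")
    [ "$owner" = "$svc" ] || { echo "keytab owned by $owner, expected $svc"; return 1; }
    case "$mode" in
        *00) ;;
        *) echo "keytab mode $mode is readable by other users"; return 1 ;;
    esac
    echo "OK: $keytab is usable by $svc"
    return 0
}
```

When the MIT Kerberos tools are installed, `klist -k -t <keytab>` should additionally list HFSQL/srv1.mydomain.com@MYDOMAIN.COM with the kvno reported by the kvno command.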
Use

Connection
The following syntax is used to open a connection with authentication via Active Directory:
cnt_sso is Connection
cnt_sso.Provider = hAccessHFClientServer
cnt_sso.Server = "srv1.mydomain.com"
cnt_sso.ActiveDirectory = True
This connection connects to the server with the identity of the current user. The user does not have to type their login information again (Single Sign-On).
Note: On Windows, and on Linux equipped with a compatible Kerberos layer, the following syntax forces the use of another domain account:
cnt is Connection
cnt.Provider = hAccessHFClientServer
cnt.Server = "srv1.mydomain.com"
cnt.ActiveDirectory = True
cnt.User = "<Account name>@mydomain.com"
cnt.Password = "xxxxxx"
Managing rights on the server
On the HFSQL server, you can create users and groups corresponding to domain accounts and domain groups respectively. When a user connects with a domain account:
- The list of groups the user belongs to is automatically updated from the domain group information.
- If the user does not exist but belongs to a domain group that has a corresponding HFSQL group, the user account is automatically created (without rights of its own; it inherits the rights of the group).