- Overview
- Prerequisites
- Implementation for a Windows HFSQL server
- Automatic setup
- Manual installation
- Implementation for a Linux HFSQL server
- Use
- Connection
- Managing rights on the server
Authentication via Active Directory
Available only with this kind of connection
Overview
Kerberos is an authentication mode based on tickets and secret keys. It is the mode used by Windows and Active Directory. From version 23, the HFSQL server can be configured to authenticate users according to the Kerberos standard: the user's Kerberos account (Active Directory, etc.) is used.

Prerequisites
Before implementing authentication via Active Directory, a domain user account must be created. This account must have at least the following permissions:
- read and write access to the database directory and to the HFConf.INI file;
- access rights (at least Read and Write, for automatic data updates) on the server binaries (manta64.exe, *.exe, etc.).
Note: To make high-performance hot backups, the account must also hold the corresponding local right on the volume ("Perform volume maintenance tasks").

Implementation for a Windows HFSQL server

Automatic setup
When installing or updating an HFSQL server in version 23 (or later), the setup wizard automatically performs the necessary steps. Once the HFSQL server is installed, the server configuration must be finalized. To do so, run the following command line with an account that has rights on the domain:
setspn -U -S HFSQL/<srv1.mydomain.com> <account name>
where:
- <srv1.mydomain.com> is the full name (FQDN) of the computer hosting the HFSQL server;
- <account name> is the name of the domain user account created in the prerequisites.
Manual installation
For information, the following steps implement authentication via Active Directory for an HFSQL server for Windows (version 23 or later):
- Install an HFSQL server (version 23 or later) on a computer.
- Change the account that runs the HFSQL server service to the domain user account created in the prerequisites.
Warning: This account must have access rights to the database directory and to the HFConf.INI file.
- Create the ServicePrincipalName by running the following command line with an account that has rights on the domain:
setspn -U -S HFSQL/<srv1.mydomain.com> <account name>
where:
- <srv1.mydomain.com> is the full name (FQDN) of the computer hosting the HFSQL server;
- <account name> is the name of the domain user account created in the prerequisites.
- Enable Active Directory support in the server.
Implementation for a Linux HFSQL server
The following steps implement authentication via Active Directory for an HFSQL server for Linux (version 23 or later):
- Join the server to the domain if necessary. On a recent Linux distribution, the following command can be used:
>sudo realm join mondomaine.com -U 'admin@MONDOMAIN.COM' -v
where:
- mondomaine.com is the domain name;
- admin@MONDOMAIN.COM is an account with the rights needed to add a computer to the domain.
- Check that the server obtains information from the Active Directory controller by typing the command:
>id <account name>@mondomain.com
where <account name> is the name of the domain user account created in the prerequisites. Information similar to the following is displayed:
uid=10003(<account name>@mondomain.com) gid=10000(utilisa.dudomaine@mondomain.com) groups=10000(utilisa.dudomaine@mondomain.com),10000(compta@mondomain.com)
- Create the ServicePrincipalName by running the following command line on a Windows computer, with an account that has rights on the domain:
setspn -U -S HFSQL/<srv1.mydomain.com> <account name>
where:
- <srv1.mydomain.com> is the full name (FQDN) of the computer hosting the HFSQL server;
- <account name> is the name of the domain account created in the prerequisites.
- Configure the "keytab":
>kinit <account name>@MONDOMAIN.COM
>kvno HFSQL/srv1.mondomain.com
HFSQL/srv1.mondomain.com@MONDOMAIN.COM: kvno = 2
>ktutil
ktutil: addent -password -p HFSQL/srv1.mondomain.com@MONDOMAIN.COM -k <kvno> -e aes256-cts-hmac-sha1-96
ktutil: addent -password -p HFSQL/srv1.mondomain.com@MONDOMAIN.COM -k <kvno> -e rc4-hmac
ktutil: wkt /opt/<account name>/<account name>.keytab
ktutil: quit
where:
- <kvno> is the number returned by the kvno command;
- srv1.mondomain.com is the full name of the server computer;
- MONDOMAIN.COM is the domain name (always in uppercase characters);
- <account name> is the name of the domain account created in the prerequisites.
In the commands above, adapt the path given to the 'wkt' command so that the "keytab" is stored at an appropriate location. Check that the HFSQL server has sufficient rights to access this file; since the keytab holds the service's long-term key, it should not be readable by other accounts.
- The "libgssapi_krb5.so" library is required. Depending on the distribution, you may have to create a symbolic link from "libgssapi_krb5.so.x" to "libgssapi_krb5.so".
- Configure the HFSQL server by adding the following lines to the server's HFConf.ini file:
[ActiveDirectory]
Enable=1
KerberosKeyFile=/opt/<account name>/<account name>.keytab
where <account name> is the name of the domain account created in the prerequisites.
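The Linux steps above can be verified mechanically before the server is started. The following POSIX shell script is an added example, not part of this page or of the HFSQL product: it reads the [ActiveDirectory] section of HFConf.ini, confirms Enable=1, and checks that the keytab named by KerberosKeyFile exists, is owned by the service account and is not readable by group or others. The HFConf.ini path and the service account's UID are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example (not part of HFSQL): validate the [ActiveDirectory]
# settings of a Linux HFSQL server before starting it. The HFConf.ini
# path and the service account's UID are supplied by the caller.

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# Permission bits and numeric owner of a file (GNU stat, BSD fallback)
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# check_hfconf_ad HFCONF SERVICE_UID -> returns 0 when the configuration
# is usable; otherwise reports each problem found and returns 1.
check_hfconf_ad() {
    conf=$1; svc_uid=$2; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    [ "$(ini_get "$conf" ActiveDirectory Enable)" = "1" ] \
        || { echo "[ActiveDirectory] Enable is not 1"; rc=1; }

    keytab=$(ini_get "$conf" ActiveDirectory KerberosKeyFile)
    [ -n "$keytab" ] || { echo "KerberosKeyFile is not set"; return 1; }
    [ -f "$keytab" ] || { echo "keytab $keytab does not exist"; return 1; }

    # The keytab holds the HFSQL service key: only the account running the
    # server should own it, and group/others must not be able to read it.
    [ "$(file_owner "$keytab")" = "$svc_uid" ] \
        || { echo "keytab is not owned by uid $svc_uid"; rc=1; }
    mode=$(file_mode "$keytab")
    case "$mode" in
        *00) ;;   # e.g. 600 or 400: owner-only access
        *)   echo "keytab mode $mode grants access to group/others"; rc=1 ;;
    esac
    return $rc
}

# Usage: check_hfconf_ad /path/to/HFConf.ini "$(id -u <account name>)"
```

Run it as root or as the service account on the HFSQL host; a non-zero exit lists every problem found.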
Connection
The following syntax creates a connection that authenticates via Active Directory:
cnx_sso is Connection
cnx_sso.Provider = hAccessHFClientServer
cnx_sso.Serveur = "srv1.mondomaine.com"
cnx_sso.ActiveDirectory = True
This connection connects to the server with the current user's identity: the user does not have to type their login information again (Single Sign-On).
Note: Under Windows, and under Linux with a compatible Kerberos layer, you can force the use of another domain account with the following syntax:
cnx is Connection
cnx.Provider = hAccessHFClientServer
cnx.Serveur = "srv1.mondomaine.com"
cnx.ActiveDirectory = True
cnx.Utilisateur = "<account name>@mondomaine.com"
cnx.MotDePasse = "xxxxxx"
Managing rights on the server
On the HFSQL server, you can create users and groups that correspond to domain accounts and domain groups respectively. When a user connects with a domain account:
- The list of groups the user belongs to is automatically updated from the domain group information.
- If the user does not exist but belongs to a domain group that has a corresponding HFSQL group, the user account is created automatically (with no rights of its own; it inherits the rights of the group).