Caching LDAP Principal Resolution Service with Kerberos Authentication

Installation and Configuration

Copyright ©

Mindbreeze GmbH, A-4020 Linz, 2017.

 

All rights reserved. All hardware and software names are trade names and/or trademarks of their respective owners.

These documents are confidential. The delivery and presentation of these documents alone does not justify any rights whatsoever to our software, our services and service performance results or other protected rights. The disclosure, publication or reproduction is not permitted.

For reasons of easier legibility, gender differentiation has been dispensed with. In terms of equal treatment, appropriate terms apply to both sexes.


Preparation

To configure authentication via Active Directory with the Kerberos protocol for the Mindbreeze InSpire Appliance, a few preparatory steps are necessary:

Kerberos configuration on the Mindbreeze InSpire system

A service user must be added for the Mindbreeze services on the Active Directory server, and an HTTP service principal name for the hostname of the Mindbreeze InSpire server must be configured for this user.

A privileged user with read access to the file shares that are crawled is needed.

Keytab files for the service user and the privileged user should be created.

Kerberos Configuration

On the InSpire Management Center, open the “System” configuration section. Then, using the “File Manager” tool, edit the /etc/krb5.conf file and configure the Kerberos realms and KDC servers.

A minimal Kerberos configuration file is:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYREALM.MYCOMPANY.COM
dns_lookup_kdc = false

[realms]
MYREALM.MYCOMPANY.COM = {
   default_domain = mydomain.mycompany.com
   kdc = 192.168.123.124
}

[domain_realm]
mydomain.mycompany.com = MYREALM.MYCOMPANY.COM

Keytab Files

To create the keytab files for the service user and the privileged crawler user, several tools can be used, such as ktpass on Microsoft Windows systems or ktutil on Linux.

Example: create a keytab for the privileged user with ktutil

Start ktutil on the command line and carry out these commands in the ktutil shell:

addent -password -p <principal>@<REALM> -k 0 -e arcfour-hmac

(for example: addent -password -p crawler_user@MYREALM.COM -k 0 -e arcfour-hmac)

Enter the user password.

wkt <keytab_path>

The principal name in the keytab should have the form

username@MYREALM.COM for the privileged user

HTTP/<inspire_host_name>@MYREALM.COM for the service user (here the username is the service principal name)
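Before uploading a keytab, it is worth checking that it really holds the principal in the form described above and which encryption types its keys use. The following is an added example, not Mindbreeze code: it parses the MIT keytab format, checks for an expected principal and flags the arcfour-hmac (RC4) type from the ktutil example as weak (AES types are preferable where the AD account allows them). The sample keytab, the InSpire host name and the all-zero keys are constructed for the demonstration.

```python
import struct
# Kerberos enctype ids (RFC 3961/3962, RFC 4757); 23 is arcfour-hmac, the RC4-based type
# used in the ktutil example above, which is considered weak.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK = {"arcfour-hmac"}

def _cstr(buf, off):  # counted octet string: uint16 big-endian length + bytes
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (magic 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        body, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:                    # negative (or empty) size marks a deleted slot
            continue
        (ncomp,) = struct.unpack(">H", body[:2])
        realm, off = _cstr(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(body, off)
            comps.append(comp)
        # name type, timestamp, 8-bit kvno, enctype, key length; key bytes follow
        _nt, _ts, kvno, etype, _klen = struct.unpack(">IIBHH", body[off:off + 13])
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype))})
    return entries

def check_keytab(data, expected_principal):
    """Is the principal configured for the service present, and are its keys weak?"""
    match = [e for e in parse_keytab(data) if e["principal"] == expected_principal]
    return {"found": bool(match),
            "weak": sorted({e["enctype"] for e in match if e["enctype"] in WEAK})}

def build_entry(principal, etype, kvno=0):
    """Constructed test data only: one keytab entry with a dummy all-zero key."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, 16) + b"\x00" * 16
    return struct.pack(">i", len(body)) + body

# Constructed sample with both principal forms from above (host name is a placeholder).
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("crawler_user@MYREALM.COM", 23)
                 + build_entry("HTTP/inspire.mydomain.mycompany.com@MYREALM.COM", 18))
```

On a real appliance, pass the bytes of the keytab written by `wkt` to `check_keytab` together with the principal you intend to enter in the “Keytab and Principal” settings.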

Upload the keytab file using the Mindbreeze InSpire Management Center:

Open the “Configuration” menu in the Mindbreeze InSpire Management Center, then navigate to the “Authentication” tab. Here you can upload the generated keytab files using the upload form in the “Configure Kerberos Authentication” section. The uploaded keytab files are listed in the “Available Keytabs” section.

Configuring the Caching LDAP Principal Resolution Service

Open the “Configuration” menu on the Mindbreeze InSpire Management Center and navigate to the “Indices” tab.

In the “Services” section, add a new service to the configuration and, in the “Service” dropdown menu, select “CachingLdapPrincipalResolutionService” as the type of the added service.

In the “LDAP Server Settings”, set the hostname of the LDAP server where the users and groups are stored. In this section it is also possible to select a username/password credential for logging in to the LDAP server. If Kerberos-based authentication is used, the credential should be set to “None”.

To use Kerberos authentication, a Kerberos keytab and principal have to be assigned to the Caching LDAP Principal Resolution Service after it has been added to the configuration. On the “Authentication” tab of the Mindbreeze Configuration, the newly added service is listed in the “Setup Kerberos Authentication” section. In the “Keytab and Principal” settings of the service, select the keytab file which contains the password of the LDAP user and set the principal name exactly as it is stored in the keytab file.

To configure the cache settings, return to the “Indices” tab in the Mindbreeze configuration.

Here the following configuration options should be set in the “Cache Settings” section:

Identity Encryption Credential: if identity encryption is used, select the password credential used for encryption here.

Database Directory Path: the directory where the cache database files are stored. If left empty, the system temporary directory is used.

Cache Update Interval (Minutes): the interval in minutes at which a cache update is performed. If the value is less than 0, the cache has to be updated manually.

Retry Update Cache Run If Was Incomplete: repeat the cache update after the given number of minutes if the previous cache update was incomplete.

Health Check Interval (Minutes): the interval of health check calls in minutes.

Health Check max. Retries On Failure: the number of retries for the health check if a health check does not complete successfully.

Finally make sure that the “Webservice Port” of the Caching LDAP Principal Resolution Service is available.

If the principals should be converted to lowercase before being stored, activate the “Lowercase Principals” option.

After saving the configuration and restarting the Mindbreeze services the Caching LDAP Principal Resolution Service should be ready for use.

Using the Caching LDAP Principal Resolution Service in the Configured Data Sources

To use the previously configured service for authorization and principal resolution, set the “Caching Principal Resolution Service” option of the data source. In the following example, you can see a Microsoft SharePoint data source with a Caching Principal Resolution Service: