This section describes how to retrieve user and group information from an LDAP directory (Microsoft Active Directory in this example), using Kerberos, when OmniGroupServer is installed on Linux.
To retrieve security information from an LDAP directory
Log on to the Windows Domain Controller and complete the following steps:
Create a domain user account for OmniGroupServer to use (for example, Domain\OGSUser).
Generate a keytab file for that account:
ktpass -out ogsuser_domain.keytab -princ ogsuser/linux_ogs_host.domain@kerberos_realm -mapUser DOMAIN\ogsuser -mapOp set -pass P4ssw0rd! -crypto all -ptype KRB5_NT_PRINCIPAL
This command must be entered on one line.
Copy the .keytab file that is generated to the machine that hosts OmniGroupServer.
On the machine that hosts OmniGroupServer, run kinit using the keytab file that you generated:
kinit -k -t /path/to/ogsuser_domain.keytab -c /path/to/ogsuser_domain.krbcache ogsuser/linux_ogs_host.domain@kerberos_realm
In the [Repositories] section of the OmniGroupServer configuration file, create a repository to store the LDAP groups. For example:
[Repositories]
Number=1
0=LDAP
Create a section to contain the task details and set the following configuration parameters:
Parameter | Description
--- | ---
GroupServerLibrary | The path (including the file name) to the library file that allows the group server to access the repository. Use the LDAP group server library, ogs_ldap.
LDAPServer | The host name or IP address of the machine that hosts the LDAP directory.
LDAPPort | The port to use to access the LDAP directory.
LDAPBase | The distinguished name of the search base.
LDAPType | The type of LDAP server (for example, MAD for Microsoft Active Directory).
LDAPSecurityType | The type of security to use when communicating with the LDAP server (for example, SSL or TLS).
LDAPBindMethod | The type of authentication to use to access the LDAP directory. Set this parameter to KERBEROS.
For example:
[Default]
GroupServerStartTime=now
GroupServerCycles=-1
GroupServerRepeatSecs=86400
GroupServerCaseInsensitive=TRUE
GroupServerShowAlternativeNames=TRUE
GroupServerMaxDatastoreQueue=100000

[Repositories]
...
GroupServerDefaultRepositories=LDAP
0=LDAP

[LDAP]
GroupServerLibrary=ogs_ldap
LDAPServer=ldap.mydomain.com
LDAPPort=389
LDAPBase=DC=mydomain,DC=com
LDAPType=MAD
LDAPBindMethod=KERBEROS
For a complete list of configuration parameters that you can use, refer to the OmniGroupServer Reference.
Save and close the OmniGroupServer configuration file.
Run OmniGroupServer using the following command, replacing the paths with the correct paths for your system:
KRB5CCNAME=FILE:/path/to/ogsuser_domain.krbcache KRB5_KTNAME=FILE:/path/to/ogsuser_domain.keytab nohup ./omnigroupserver.exe &
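The kinit and start-up steps above, combined into a wrapper script as an added example (this is not part of the OmniGroupServer documentation or product). It refuses to start if the keytab is readable by other users, because the keytab contains the service account's long-term key; the paths, principal and install directory are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example, not from the OmniGroupServer documentation. Refreshes the
# Kerberos credential cache from the keytab, then starts OmniGroupServer with
# KRB5CCNAME and KRB5_KTNAME exported, as in the manual steps above.
# All paths and the principal below are assumptions; adjust for your system.
KEYTAB="${KEYTAB:-/path/to/ogsuser_domain.keytab}"
CCACHE="${CCACHE:-/path/to/ogsuser_domain.krbcache}"
PRINCIPAL="${PRINCIPAL:-ogsuser/linux_ogs_host.domain@kerberos_realm}"
OGS_DIR="${OGS_DIR:-/opt/OmniGroupServer}"   # assumed install directory

# The keytab holds the account's long-term key, so only the OmniGroupServer
# user may read it. Returns 0 when the group and other permission bits are
# all clear (mode 600 or stricter), 1 otherwise or if the file is missing.
keytab_is_private() {
    [ -f "$1" ] || return 1
    bits=$(ls -ld "$1" | cut -c5-10)   # columns 5-10 are group/other rwx
    [ "$bits" = "------" ]
}

# Obtain a TGT for the principal from the keytab into the file cache, then
# confirm the cache can be listed.
kerberos_login() {
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL" || return 1
    klist -c "$CCACHE" >/dev/null 2>&1
}

# Start OmniGroupServer with the cache and keytab in its environment.
start_ogs() {
    cd "$OGS_DIR" || return 1
    KRB5CCNAME="FILE:$CCACHE" KRB5_KTNAME="FILE:$KEYTAB" \
        nohup ./omnigroupserver.exe > ogs_nohup.out 2>&1 &
    echo "OmniGroupServer started, pid $!"
}

# Only act when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    keytab_is_private "$KEYTAB" || { echo "refusing to start: $KEYTAB is readable by other users" >&2; exit 1; }
    kerberos_login || { echo "kinit failed for $PRINCIPAL" >&2; exit 1; }
    start_ogs
fi
```

Run it as `sh ogs_start.sh run` after setting the KEYTAB, CCACHE, PRINCIPAL and OGS_DIR variables for your installation.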