SSO Configuration of Jedox Server on Linux


Below is a sample SSO configuration of a Jedox Server on Linux. You can use this configuration as a guide when setting up your own system.

The following definitions are used in the example:

  • Domain is jedoxsso
  • Group name is ssogroup
  • Jedox group name (to be created during setup) is jedoxsso\ssogroup (see note below)
    For reference, see SSO Authorization Mode or SSO Authentication Mode
  • NetBIOS name of the Jedox Server is JedoxServer
  • Example address for the Active Directory (AD) is:
    • IP: 192.168.2.30
    • FQDN: ADServer.jedoxsso.local
    • Shortname: ADServer

Note: the default domain separator in Windows is backslash (\), which is an escape character in UNIX/Linux systems. In some environments, this behavior may result in failure to obtain a user’s groups upon login. To avoid problems, you can change the default domain separator to a more benign character, such as +. To do so, add the following line to /etc/samba/smb.conf:
winbind separator =+
Then create the Jedox groups using the new separator, e.g. DOMAIN+GroupName instead of DOMAIN\GroupName.

Configuration steps:

Note: Jedox is installed inside of a cage or chroot environment. All files mentioned here are inside of the Jedox Environment.

From outside of the cage, switch to the cage with:
cd /opt/jedox/ps

Then start Jedox with:
sudo ./jedox-suite.sh start

Inside the cage switch to chroot:
sudo chroot .

/etc/samba/smb.conf:
Adjust the following settings to match your environment:

  • netbios name
  • workgroup
  • realm
  • idmap config

[global]
netbios name = JedoxServer
workgroup = JEDOXSSO
security = ADS
realm = JEDOXSSO.LOCAL
encrypt passwords = yes
idmap config *:backend=tdb
idmap config *:range=2000-9999
idmap config JEDOXSSO:backend=rid
idmap config JEDOXSSO:schema_mode=rfc2307
idmap config JEDOXSSO:range=10000-99999
winbind nss info = rfc2307
winbind use default domain=yes
winbind enum users=yes
winbind enum groups=yes
winbind refresh tickets=Yes
vfs objects=acl_xattr
map acl inherit=Yes
store dos attributes=Yes
idmap_ldb:use rfc2307=Yes

/etc/krb5.conf:
Adjust default_realm to match your domain address.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = JEDOXSSO.LOCAL
dns_lookup_kdc = true

/etc/resolv.conf:
Adjust search and nameserver to match your environment.
search JEDOXSSO.LOCAL
nameserver 192.168.2.30

/etc/rc.d/init.d/winbind:
Comment out lines 17 and 20 with a hash sign (#), so that they read:
# Source networking configuration.
#. /etc/sysconfig/network
# Check that networking is up.
#[ ${NETWORKING} = "no" ] && exit 1

/etc/hosts:
Add the IP address, FQDN, and NetBIOS name of your AD server.

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.30 ADServer.jedoxsso.local ADServer

/etc/hostname:
JedoxServer

Activate SSO in the In-Memory DB (OLAP) server

/Data/palo.ini:
Add one of these parameters:

windows-sso  (enables SSO Authorization Mode)
or:
windows-sso-authentication (enables SSO Authentication Mode)

To activate the automatic login, change the settings in
/httpd/app/etc/config.php:
from:
define('CFG_AUTH_SSO', false);
to:
define('CFG_AUTH_SSO', true);

Note: In Jedox Web, SSO only works against a single external Jedox OLAP connection that matches the one in config.php. You cannot use multiple Jedox OLAP instances on the same server.

If the cores directory is missing, create it and set its ownership and permissions with the following commands:
mkdir /var/log/samba/cores
chmod -R 700 /var/log/samba/cores
chown -R root:systemd-network /var/log/samba/cores

If the winbindd_privileged directory exists, delete and recreate it with the following commands:
rm -R /var/lib/samba/winbindd_privileged
mkdir /var/lib/samba/winbindd_privileged
chown -R root:systemd-network /var/lib/samba/winbindd_privileged

Join:
net ads join -U <username with enough rights to join domain>
or:
net join -S ADServer.jedoxsso.local -U <username with enough rights to join domain>

The output should look like the following example:
bash-4.2# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- JEDOXSSO
Joined 'JEDOXSERVER' to dns domain 'jedoxsso.local'

If you get an error, refer to Samba Troubleshooting.

Check for broken winbind processes. If there are any, kill them as in the example below:
bash-4.2# ps uax | grep winbindd
root 26156 0.0 0.0 376560 6776 ? Ss 07:35 0:00 winbindd
root 26158 0.0 0.1 380976 7640 ? S 07:35 0:00 winbindd
root 26715 0.0 0.0 379060 4644 ? S 09:01 0:00 winbindd
kill -9 26156
kill -9 26158
kill -9 26715

After joining the domain, make sure the jedoxweb group has access to secrets.tdb:
chown root:jedoxweb /var/lib/samba/private/secrets.tdb
chmod 0770 /var/lib/samba/private/secrets.tdb

Start winbind:
/etc/init.d/winbind start
Leave the chroot with the command:
exit

You are still in:
/opt/jedox/ps

Restart Jedox with:
./jedox-suite.sh restart
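As an added example that is not part of the Jedox documentation, the following POSIX shell script checks the outcome of the steps above: that the realm in smb.conf matches default_realm in krb5.conf, which winbind separator is in effect and therefore how the Jedox group name must be spelled, and that secrets.tdb carries the 0770 mode set earlier. The sample configuration files it writes are constructed for the demo, and the function names are my own, not Jedox or Samba tooling.

```shell
#!/bin/sh
# Added example, not part of the Jedox documentation: post-setup sanity checks
# for the SSO files configured above. The sample smb.conf and krb5.conf written
# below are constructed for the demo; run the functions against the real files
# inside the chroot (/etc/samba/smb.conf, /etc/krb5.conf, secrets.tdb).

# Print the value of KEY in [SECTION] of an ini-style file (empty if absent).
ini_get() { # ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($1 == sec); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# 0 when smb.conf "realm" and krb5.conf "default_realm" agree (case-insensitive).
check_realm() { # check_realm SMB_CONF KRB5_CONF
    r1=$(ini_get "$1" global realm | tr 'a-z' 'A-Z')
    r2=$(ini_get "$2" libdefaults default_realm | tr 'a-z' 'A-Z')
    [ -n "$r1" ] && [ "$r1" = "$r2" ]
}

# Print the winbind separator in effect: "\" unless smb.conf overrides it.
winbind_separator() { # winbind_separator SMB_CONF
    s=$(ini_get "$1" global "winbind separator")
    [ -n "$s" ] || s='\'
    printf '%s\n' "$s"
}

# Spell the Jedox group name for DOMAIN and GROUP with that separator.
jedox_group_name() { # jedox_group_name SMB_CONF DOMAIN GROUP
    printf '%s%s%s\n' "$2" "$(winbind_separator "$1")" "$3"
}

# 0 when FILE is mode 0770 exactly, as required for secrets.tdb above.
check_mode_0770() { # check_mode_0770 FILE
    find "$1" -prune -perm 0770 | grep -q .
}

demo_dir=$(mktemp -d)
printf '[global]\nnetbios name = JedoxServer\nworkgroup = JEDOXSSO\nsecurity = ADS\nrealm = JEDOXSSO.LOCAL\nwinbind separator =+\n' >"$demo_dir/smb.conf"
printf '[libdefaults]\ndefault_realm = JEDOXSSO.LOCAL\n' >"$demo_dir/krb5.conf"
: >"$demo_dir/secrets.tdb" && chmod 0770 "$demo_dir/secrets.tdb"
check_realm "$demo_dir/smb.conf" "$demo_dir/krb5.conf" && echo "realm: OK"
echo "group name to create in Jedox: $(jedox_group_name "$demo_dir/smb.conf" JEDOXSSO ssogroup)"
check_mode_0770 "$demo_dir/secrets.tdb" && echo "secrets.tdb mode: OK"
rm -rf "$demo_dir"
```

A mismatch reported by check_realm usually means a stray realm edit in one of the two files; rerun the checks after every change to smb.conf or krb5.conf before starting winbind.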

Next SSO configuration step: creating groups in Jedox according to SSO Authorization Mode or SSO Authentication Mode.
