SSO Configuration of Jedox Server on Linux

Example values:
  • The given domain is “jedoxsso”.
  • The group is named “ssogroup”.
  • The group that must be created in Jedox has to be named “jedoxsso\ssogroup”.
    For reference, see: SSO Authorization Mode or SSO Authentication Mode
  • The NetBIOS name of the Jedox Server in this example is “JedoxServer”.
  • The example address for the AD is as follows:
    • IP: “
    • FQDN: “ADServer.jedoxsso.local”
    • Shortname: “ADServer”

Configuration steps:

Note: Jedox is installed inside of a “cage” or “chroot” environment. All files mentioned here are inside of the Jedox Environment.

From outside of the cage, switch to the cage with:
cd /opt/jedox/ps

Then start Jedox with:
sudo ./ start

Inside the cage switch to chroot:
sudo chroot .

netbios name“,
and “idmap config” information to match your environment.

[global]
netbios name = JedoxServer
workgroup = JEDOXSSO
security = ADS
encrypt passwords = yes
idmap config *:backend=tdb
idmap config *:range=2000-9999
idmap config JEDOXSSO:backend=rid
idmap config JEDOXSSO:schema_mode=rfc2307
idmap config JEDOXSSO:range=10000-99999
winbind nss info = rfc2307
winbind trusted domains only=no
winbind use default domain=yes
winbind enum users=yes
winbind enum groups=yes
winbind refresh tickets=Yes
vfs objects=acl_xattr
map acl inherit=Yes
store dos attributes=Yes
idmap_ldb:use rfc2307=Yes

default_realm” to match your domain address.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = JEDOXSSO.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
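
A consistency check for the two files above, to run before the domain join. This is an added example, not part of the Jedox documentation: the function names, the temporary file paths and the sample values are constructed, and the workgroup/realm comparison assumes, as in this page's example, that the workgroup is the first label of the realm.

```sh
#!/bin/sh
# Added example (not Jedox code): lint smb.conf and krb5.conf for consistency.
uc() { echo "$1" | tr '[:lower:]' '[:upper:]'; }

# Print "DOMAIN LOW HIGH" for each "idmap config DOMAIN:range=LOW-HIGH" line.
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2 \3/p' "$1"
}

# Print the trimmed value of the first "KEY = value" line in a file.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print one line per finding; return 1 if there is any finding.
check_sso_conf() {
    smb=$1 krb=$2 rc=0
    wg=$(conf_value "$smb" workgroup)
    realm=$(conf_value "$krb" default_realm)
    # Overlapping ranges would let two domains map to the same Unix ID.
    overlap=$(idmap_ranges "$smb" | awk '
        { for (i = 1; i < NR; i++) if ($2 + 0 <= hi[i] && lo[i] <= $3 + 0) print d[i] "/" $1
          d[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }')
    [ -z "$overlap" ] || { echo "idmap range overlap: $overlap"; rc=1; }
    # The AD domain needs its own range, not only the "*" default.
    idmap_ranges "$smb" | grep -qi "^$wg " || { echo "no idmap range for workgroup '$wg'"; rc=1; }
    # Kerberos realm names are case-sensitive; AD realms are written in upper case.
    [ "$realm" = "$(uc "$realm")" ] || { echo "default_realm not upper case: $realm"; rc=1; }
    # Assumption from this page's example: workgroup = first label of the realm.
    [ "$(uc "${realm%%.*}")" = "$(uc "$wg")" ] || { echo "workgroup $wg does not match realm $realm"; rc=1; }
    return $rc
}

# Constructed sample: the page's values with two deliberate mistakes.
sample_dir=$(mktemp -d)
printf '%s\n' '[global]' 'workgroup = JEDOXSSO' 'idmap config *:range=2000-9999' \
    'idmap config JEDOXSSO:range=9000-99999' > "$sample_dir/smb.conf"
printf '%s\n' '[libdefaults]' 'default_realm = jedoxsso.local' > "$sample_dir/krb5.conf"
check_sso_conf "$sample_dir/smb.conf" "$sample_dir/krb5.conf" || true
```

Called with the real smb.conf and krb5.conf inside the chroot, the function prints nothing and returns 0 when the values agree.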

search” and “nameserver” to match your environment.

Comment out lines 17 and 20:
# Source networking configuration.
#. /etc/sysconfig/network
# Check that networking is up.
#[ ${NETWORKING} = "no" ] && exit 1

IP”, “FQDN” and the “Netbiosname” of your AD server.
localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
ADServer.jedoxsso.local ADServer


Activate SSO in the Jedox OLAP (In-Memory DB) server
Add one of these parameters:

windows-sso  (enables SSO Authorization Mode)
windows-sso-authentication (enables SSO Authentication Mode)

To activate the automatic login, change the settings in
from:
define('CFG_AUTH_SSO', false);
to:
define('CFG_AUTH_SSO', true);

Note: In Jedox Web, SSO only works against a single external Jedox OLAP connection that matches the one in config.php. You cannot use multiple Jedox OLAP instances on the same server.

If it is missing, create the following:
mkdir /var/log/samba/cores
chmod -R 700 /var/log/samba/cores
chown -R root:systemd-network /var/log/samba/cores

If it exists, delete the following:
rm -r /var/lib/samba/winbindd_privileged
chown -R root:systemd-network /var/lib/samba/winbindd_privileged

net ads join -U <username with enough rights to join domain>
net join -S ADServer.jedoxsso.local -U <username with enough rights to join domain>

Then it should look like the following example:
bash-4.2# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- JEDOXSSO
Joined 'JEDOXSERVER' to dns domain 'jedoxsso.local'

If you get an error, refer to troubleshooting.

Check for broken winbind processes. If there are any, kill them as in the example below:
bash-4.2# ps uax | grep winbindd
root 26156 0.0 0.0 376560 6776 ? Ss 07:35 0:00 winbindd
root 26158 0.0 0.1 380976 7640 ? S 07:35 0:00 winbindd
root 26715 0.0 0.0 379060 4644 ? S 09:01 0:00 winbindd
kill -9 26156
kill -9 26158
kill -9 26715

Start winbind:
/etc/init.d/winbind start
Leave chroot with the command:

You are still in:
Restart Jedox with:
./ restart

Next SSO configuration step: creating groups in Jedox according to SSO Authorization Mode or SSO Authentication Mode.