SSO Configuration of Jedox Server on Linux


Below is a sample SSO configuration of a Jedox Server on Linux. You can use this configuration as a guide when setting up your own system.

The following definitions are used in the example:

  • Domain is jedoxsso
  • Group name is ssogroup
  • Jedox group name (to be created during setup) is jedoxsso\ssogroup (see note below)
    For reference, see SSO Authorization Mode or SSO Authentication Mode
  • NetBIOS name of the Jedox Server is JedoxServer
  • Example address for the Active Directory (AD) is:
    • IP: 192.168.2.30
    • FQDN: ADServer.jedoxsso.local
    • Shortname: ADServer

Note: the default domain separator in Windows is backslash (\), which is an escape character in UNIX/Linux systems. In some environments, this behavior may result in failure to obtain a user’s groups upon login. To avoid problems, you can change the default domain separator to a more benign character, such as +. To do so, add the following line to /etc/samba/smb.conf:

Then create the Jedox groups using the new separator, e.g. DOMAIN+GroupName instead of DOMAIN\GroupName.

Configuration steps

Note: Jedox is installed inside of a cage or chroot environment. All files mentioned here are inside of the Jedox environment.

From outside of the cage, switch to the cage with:

Then start Jedox with:

Inside the cage switch to chroot:

In /etc/samba/smb.conf adjust the following settings to match your environment:

  • netbios name
  • workgroup
  • realm
  • idmap config

In /etc/krb5.conf adjust default_realm to match your domain address.

In /etc/resolv.conf adjust search and nameserver to match your environment.

In /etc/rc.d/init.d/winbind comment out the following lines using a hash sign (#):

In /etc/hosts add the IP, FQDN, and NetBIOS name of your AD server.

Set /etc/hostname to JedoxServer.
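A consistency check for the files edited above, to run before joining the domain; this is an added example, not part of the Jedox documentation. It checks that the smb.conf settings are present, that realm agrees with default_realm in krb5.conf, that the domain separator from the note has been changed from the backslash, and that the hosts file names the AD server. The function names, the Samba parameter name winbind separator, and the realm and idmap range in the demo files are assumptions.

```shell
#!/bin/sh
# Added example, not Jedox code: check the files edited in the steps above.
# conf_get FILE KEY prints the value of the first "KEY = value" line,
# skipping comment lines and matching the key case-insensitively.
conf_get() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        tolower(k) == tolower(key) {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }' "$1"
}
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
found() { echo "$1"; n=$((n + 1)); }

# check_sso_files SMB_CONF KRB5_CONF HOSTS AD_FQDN
# Prints one line per finding; the exit status is the number of findings.
check_sso_files() {
    smb=$1; krb=$2; hosts=$3; ad=$4; n=0
    for key in "netbios name" workgroup realm; do
        [ -n "$(conf_get "$smb" "$key")" ] || found "smb.conf: $key is not set"
    done
    grep -Eiq '^[[:space:]]*idmap config ' "$smb" || found "smb.conf: no idmap config line"
    realm=$(upper "$(conf_get "$smb" realm)")
    krb_realm=$(upper "$(conf_get "$krb" default_realm)")
    [ "$realm" = "$krb_realm" ] || found "realm $realm differs from default_realm $krb_realm"
    # Assumption: "winbind separator" is the Samba parameter the note refers to.
    case $(conf_get "$smb" "winbind separator") in
        ''|'\') found "smb.conf: domain separator is still the default backslash" ;;
    esac
    grep -v '^[[:space:]]*#' "$hosts" | grep -Fiqw "$ad" || found "hosts: no entry for $ad"
    return "$n"
}

# Demo on constructed files that use the page's example names; the realm and
# idmap range are made-up values. No separator is set, so one finding is expected.
demo() {
    d=$(mktemp -d)
    printf '[global]\n netbios name = JedoxServer\n workgroup = JEDOXSSO\n' > "$d/smb.conf"
    printf ' realm = jedoxsso.local\n idmap config * : range = 10000-20000\n' >> "$d/smb.conf"
    printf '[libdefaults]\n default_realm = JEDOXSSO.LOCAL\n' > "$d/krb5.conf"
    printf '192.168.2.30 ADServer.jedoxsso.local ADServer\n' > "$d/hosts"
    check_sso_files "$d/smb.conf" "$d/krb5.conf" "$d/hosts" ADServer.jedoxsso.local
    rc=$?; rm -rf "$d"; return "$rc"
}
demo || echo "findings: $?"
```

To check a real installation, call check_sso_files with /etc/samba/smb.conf, /etc/krb5.conf, /etc/hosts and your AD server's FQDN from inside the chroot.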

Activate SSO in the In-Memory DB (OLAP) server

In /Data/palo.ini, add one of the following parameters, depending on the desired mode.

To enable SSO authorization mode:

To enable SSO authentication mode:

To activate the automatic login, change the following setting in /httpd/app/etc/config.php to true, e.g.:

Note: In Jedox Web, SSO only works against a single external Jedox OLAP connection that matches the one in config.php. You cannot use multiple Jedox OLAP instances on the same server.

If they are missing, create the following lines:

If they exist, delete and recreate the following lines:

Join:
net ads join -U <username with enough rights to join domain>
or:
net join -S ADServer.jedoxsso.local -U <username with enough rights to join domain>

Then it should look like the following example:

If you get an error, refer to Samba Troubleshooting.

Check for a broken winbind process. If there is one, kill it as in the example below:

After joining the domain, make sure the jedoxweb group has access to secrets.tdb:

Start winbind:

Leave chroot with the command:

You are still in /opt/jedox/ps. Restart Jedox with:

Next SSO configuration step: creating groups in Jedox according to SSO Authorization Mode or SSO Authentication Mode.
