Active directory/ldap in linux-based web service – Exacq exacqVision Web Service User Manual User Manual

www.exacq.com

Page 24 of 24

6/11/2015

ACTIVE DIRECTORY/LDAP IN LINUX-BASED WEB SERVICE

To configure your Linux system for Active Directory or OpenLDAP, complete the following steps:

1. Install Kerberos. KRB5 (MIT Kerberos V5) has specifically been tested for this purpose. Installing krb5-user and libkrb5-dev should also install krb5-config, which is valid for all Ubuntu types.

2. Configure the /etc/krb5.conf file. Add a stanza for the AD domain, and change the default realm to the AD domain. Fully qualified domain names (FQDNs) for the KDC and admin server are preferred, in case the IP addresses are ever changed (just make sure the FQDN resolves for the AD server). Make sure the AD domain name is upper-case; for example:

   [libdefaults]
       default_realm = EXACQ.TEST.COM

   [realms]
       EXACQ.TEST.COM = {
           kdc = adserver2008.exacq.test.com
           admin_server = adserver2008.exacq.test.com
       }

3. Note the AD domain, along with the FQDN and IP address of the AD server:

   EXACQ.TEST.COM
   adserver2008.exacq.test.com
   192.168.1.70

4. Use the kinit command to confirm that the Kerberos configuration works as intended. Try to obtain a ticket for the Kerberos login; you can verify success using the klist command. Use kdestroy to release the ticket when you have verified the configuration.

NOTES

When adding an exacqVision server with an Enterprise license configured on the AD domain, you
cannot configure an AD account as passthrough. AD accounts must manually log in every time.

For each exacqVision server you intend to connect to with a user principal instead of an exacqVision
user name, you must add the exacqVision server’s FQDN to your /etc/hosts file, and it must be the
first name listed for that IP address. Otherwise, you will receive Kerberos failures.
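As an added example (not part of the Exacq manual), the following POSIX shell script checks the prerequisites from step 2 and the notes above before you try kinit: that a default realm is set and upper-case, that a kdc is defined for it, and that each server FQDN is the first name on its /etc/hosts line. It runs against constructed stand-ins for /etc/krb5.conf and /etc/hosts; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Exacq manual): check the krb5.conf and /etc/hosts
# prerequisites described above before trying kinit. The two files are CONSTRUCTED
# stand-ins for /etc/krb5.conf and /etc/hosts so this runs offline.
KRB5_CONF=$(mktemp); HOSTS_FILE=$(mktemp)
trap 'rm -f "$KRB5_CONF" "$HOSTS_FILE"' EXIT
cat > "$KRB5_CONF" <<'EOF'
[libdefaults]
    default_realm = EXACQ.TEST.COM
[realms]
    EXACQ.TEST.COM = {
        kdc = adserver2008.exacq.test.com
        admin_server = adserver2008.exacq.test.com
    }
EOF
cat > "$HOSTS_FILE" <<'EOF'
127.0.0.1     localhost
192.168.1.70  adserver2008.exacq.test.com adserver2008
192.168.1.80  evserver evserver.exacq.test.com
EOF
# Print the default_realm from a krb5.conf (non-zero exit if none is set).
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" |
        head -n 1 | grep .
}
# Step 2 requires the AD realm name to be upper-case; succeed only if it is.
realm_is_uppercase() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}
# Print the kdc configured inside the [realms] stanza for the given realm.
krb5_kdc_for_realm() {
    awk -v realm="$2" '
        $1 == realm && $2 == "=" && $3 == "{" { inside = 1; next }
        inside && $1 == "}"                     { inside = 0 }
        inside && $1 == "kdc"                   { print $3; exit }' "$1"
}
# NOTES above: the server FQDN must be the FIRST name on the hosts line for its IP.
hosts_fqdn_is_first() {   # hosts_fqdn_is_first <hosts-file> <ip> <fqdn>
    awk -v ip="$2" -v fqdn="$3" '
        /^[[:space:]]*#/ { next }
        $1 == ip && !found { found = 1; ok = ($2 == fqdn) }
        END { exit ((found && ok) ? 0 : 1) }' "$1"
}
realm=$(krb5_default_realm "$KRB5_CONF")
realm_is_uppercase "$realm" || echo "WARN: realm '$realm' is not upper-case"
echo "default_realm=$realm kdc=$(krb5_kdc_for_realm "$KRB5_CONF" "$realm")"
for e in 192.168.1.70:adserver2008.exacq.test.com 192.168.1.80:evserver.exacq.test.com; do
    hosts_fqdn_is_first "$HOSTS_FILE" "${e%%:*}" "${e#*:}" && echo "ok:   ${e#*:}" ||
        echo "FAIL: ${e#*:} is not the first name for ${e%%:*} (expect Kerberos failures)"
done
```

The second hosts entry deliberately lists the short name first, so the script reports the failure case the notes describe.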
