C1. Active Directory Authentication


Only two settings of this authentication method are configurable: whether it is enabled and its position in the list of authenticators, in the <enabled/> and <order/> tags of the auth-ads.xml configuration file.

Operation principle:

1. The administrator specifies a username and password in one of the following formats:

   username,

   domain\username,

   username@domain,

   the user's LDAP DN.

2. The Server authenticates with this name and password at the default domain controller (or at the domain controller specified in the username).

3. If authentication fails, the Server moves on to the next authentication mechanism.

4. The LDAP DN of the authenticated user is determined.

5. For the object with the determined DN, the DrWebAdmin attribute is read. If its value is FALSE, authentication is considered failed and the Server moves on to the next authentication mechanism.

6. If any of the attributes are not defined at this stage, they are looked up in the groups the user belongs to. For each group, its parent groups are checked in turn (the search proceeds inward).

If any error occurs, the Server moves on to the next authentication mechanism.
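The steps above, as an added example that is not part of the Dr.Web product code: it splits the four accepted login formats and resolves the DrWeb admin attributes by first reading the user object and then walking the user's groups and their parent groups inward. The directory is a constructed in-memory stand-in (DNs, group names and values are made up); a real deployment would read the same attributes over LDAP.

```python
# Added example, not Dr.Web code. Models steps 1, 5 and 6 of the page.
ADMIN_ATTRS = ("DrWebAdmin", "DrWebAdminReadOnly", "DrWebAdminGroupOnly")

# Constructed sample directory: DN -> attributes (a stand-in for LDAP reads).
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "memberOf": ["CN=AV-Ops,OU=Groups,DC=example,DC=com"]},
    "CN=bob,OU=Users,DC=example,DC=com": {
        "DrWebAdmin": False,  # defined FALSE on the user object itself
        "memberOf": ["CN=AV-Admins,OU=Groups,DC=example,DC=com"]},
    "CN=AV-Ops,OU=Groups,DC=example,DC=com": {
        "DrWebAdminReadOnly": True,
        "memberOf": ["CN=AV-Admins,OU=Groups,DC=example,DC=com"]},
    "CN=AV-Admins,OU=Groups,DC=example,DC=com": {
        "DrWebAdmin": True,
        # deliberate group cycle, which the resolver must survive
        "memberOf": ["CN=AV-Ops,OU=Groups,DC=example,DC=com"]},
}

def parse_login(login):
    """Split a login into (user, domain or None) for the four formats.
    A DN is returned unchanged; the default domain controller is used."""
    if "=" in login and "," in login:        # user's LDAP DN
        return login, None
    if "\\" in login:                         # domain\username
        domain, user = login.split("\\", 1)
        return user, domain
    if "@" in login:                          # username@domain
        user, domain = login.rsplit("@", 1)
        return user, domain
    return login, None                        # bare username

def resolve_admin_attrs(dn):
    """Read the admin attributes from the user object, then from its groups
    and their parent groups (inward), stopping once all are defined.
    A value defined closer to the user is never overridden by a group."""
    found = {}
    queue, seen = [dn], set()
    while queue and len(found) < len(ADMIN_ATTRS):
        cur = queue.pop(0)
        if cur in seen or cur not in DIRECTORY:
            continue                          # cycle guard / unknown DN
        seen.add(cur)
        entry = DIRECTORY[cur]
        for attr in ADMIN_ATTRS:
            if attr in entry and attr not in found:
                found[attr] = entry[attr]
        queue.extend(entry.get("memberOf", []))
    return found

def admin_denied(dn):
    """Step 5: a resolved DrWebAdmin of FALSE means authentication fails."""
    return resolve_admin_attrs(dn).get("DrWebAdmin") is False
```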

The drweb-esuite-modify-ad-schema-xxxxxxxxxxxxxx-windows-nt-xYY.exe utility (included in the Server distribution kit) creates the new DrWebEnterpriseUser object class in Active Directory and defines new attributes for this class.

The attributes have the following OIDs in the enterprise OID space:

#define DrWeb_enterprise_OID      "1.3.6.1.4.1"                           // iso.org.dod.internet.private.enterprise
#define DrWeb_DrWeb_OID           DrWeb_enterprise_OID      ".29690"     // DrWeb
#define DrWeb_EnterpriseSuite_OID DrWeb_DrWeb_OID           ".1"         // EnterpriseSuite
#define DrWeb_Alerts_OID          DrWeb_EnterpriseSuite_OID ".1"         // Alerts
#define DrWeb_Vars_OID            DrWeb_EnterpriseSuite_OID ".2"         // Vars
#define DrWeb_AdminAttrs_OID      DrWeb_EnterpriseSuite_OID ".3"         // AdminAttrs
 
// 1.3.6.1.4.1.29690.1.3.1 (AKA iso.org.dod.internet.private.enterprise.DrWeb.EnterpriseSuite.AdminAttrs.Admin)
 
#define DrWeb_Admin_OID           DrWeb_AdminAttrs_OID      ".1"         // R/W admin
#define DrWeb_AdminReadOnly_OID   DrWeb_AdminAttrs_OID      ".2"         // R/O admin
#define DrWeb_AdminGroupOnly_OID  DrWeb_AdminAttrs_OID      ".3"         // Group admin
#define DrWeb_AdminGroup_OID      DrWeb_AdminAttrs_OID      ".4"         // Admin's group
#define DrWeb_Admin_AttrName             "DrWebAdmin"
#define DrWeb_AdminReadOnly_AttrName     "DrWebAdminReadOnly"
#define DrWeb_AdminGroupOnly_AttrName    "DrWebAdminGroupOnly"
#define DrWeb_AdminGroup_AttrName        "DrWebAdminGroup"

Settings of Active Directory users are edited manually on the Active Directory server (see the Administrator Manual, section Authentication of Administrators).

Permissions are assigned to administrators according to the general principle of inheritance in the hierarchical structure of groups to which the administrator belongs.