C1. Active Directory Authentication
Only two settings of this authentication method are configured in the auth-ads.conf configuration file: whether the method is enabled (the <enabled/> tag) and its position in the list of authenticators (the <order/> tag).

Operation principle:

1. The administrator specifies a username and password in one of the following formats:
   • username,
   • domain\username,
   • username@domain,
   • the user's LDAP DN.
2. The Server registers with this name and password at the default domain controller (or at the domain controller specified in the username).
3. If registration fails, the next authentication mechanism is tried.
4. The LDAP DN of the registered user is determined.
5. For the object with the determined DN, the DrWebAdmin attribute is read. If its value is FALSE, authentication is considered failed and the next authentication mechanism is tried.
6. If any of the attributes are not defined at this stage, they are searched for in the groups the user belongs to. For each group, its parent groups are checked (inward search strategy).
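The attribute lookup of steps 5 and 6, modelled as an added example over a constructed in-memory directory (this is not Dr.Web's code; the DNs, group names and the breadth-first walk over parent groups are assumptions, the page only states that a group's parent groups are checked after the group itself):

```python
from collections import deque

# Constructed sample directory (not real data): DN -> attributes and group membership.
DIRECTORY = {
    "CN=alice,OU=Staff,DC=example,DC=com": {
        "attrs": {},                      # nothing set on the user itself
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"],
    },
    "CN=bob,OU=Staff,DC=example,DC=com": {
        "attrs": {"DrWebAdmin": False},   # explicit FALSE on the user object
        "memberOf": ["CN=AV-Admins,OU=Groups,DC=example,DC=com"],
    },
    "CN=carol,OU=Staff,DC=example,DC=com": {
        "attrs": {},
        "memberOf": [],                   # no groups, attribute never defined
    },
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": {
        "attrs": {},                      # inherits from its parent group
        "memberOf": ["CN=AV-Admins,OU=Groups,DC=example,DC=com"],
    },
    "CN=AV-Admins,OU=Groups,DC=example,DC=com": {
        "attrs": {"DrWebAdmin": True},
        "memberOf": [],
    },
}


def resolve_attribute(dn, name, directory=DIRECTORY):
    """Return the value of attribute `name` for `dn`, or None if undefined anywhere.

    Lookup order follows steps 5-6: the object itself first, then the groups it
    belongs to, then each group's parent groups. Breadth-first order is an
    assumption of this example. Visited DNs are tracked so that circular group
    nesting cannot loop forever.
    """
    queue, seen = deque([dn]), set()
    while queue:
        current = queue.popleft()
        if current in seen or current not in directory:
            continue
        seen.add(current)
        attrs = directory[current]["attrs"]
        if name in attrs:
            return attrs[name]            # first definition found wins
        queue.extend(directory[current]["memberOf"])
    return None


def is_drweb_admin(dn, directory=DIRECTORY):
    """Step 5: admit only an explicit TRUE; FALSE or an undefined value fails."""
    return resolve_attribute(dn, "DrWebAdmin", directory) is True
```

Note that bob is refused even though his group carries DrWebAdmin=TRUE, because the FALSE on his own object is read first and ends the search.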
The drweb-11.00.2-<build>-esuite-modify-ad-schema-<OS_version>.exe utility (included in the Server distribution kit) creates the new DrWebEnterpriseUser object class in Active Directory and defines new attributes for this class. The attributes have the following OIDs in the Enterprise space:
Settings of Active Directory users are edited manually at the Active Directory server (see , p. Authentication of Administrators). Permissions are assigned to administrators according to the general principle of inheritance in the hierarchical structure of the groups the administrator belongs to.