C1. Active Directory Authentication

Only two settings of this authentication method are configured: whether it is enabled (the <enabled/> tag) and its position in the list of authenticators (the <order/> tag), both in the auth-ads.conf configuration file.

Operation principle:

1. The administrator specifies a user name and password; the user name may be given in one of the following formats:

username,

domain\username,

username@domain,

user's LDAP DN.

2. Dr.Web Server logs on with this name and password at the default domain controller (or at the domain controller specified in the user name).

3. If the logon fails, transition to the next authentication mechanism is performed.

4. The LDAP DN of the logged-on user is determined.

5. For the object with the determined DN, the DrWebAdmin attribute is read. If its value is FALSE, authentication is considered failed and transition to the next authentication mechanism is performed.

6. If any of the attributes are not defined at this stage, they are searched for in the groups the user belongs to. For each group, its parent groups are checked in turn (search strategy: inward).

Note: if any error occurs, transition to the next authentication mechanism is performed.
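The attribute lookup of steps 4 to 6, modelled as an added Python example (not Dr.Web's own code) over a constructed in-memory directory instead of a live LDAP connection. Two details the text leaves open are assumptions here: groups are walked breadth-first (a group before its parents), and a user whose DrWebAdmin is still undefined after the group search is rejected (fail closed).

```python
from collections import deque

# Constructed sample directory (not real data): DN -> attributes and memberOf.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "attrs": {},
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"]},
    "CN=bob,OU=Users,DC=example,DC=com": {
        "attrs": {"DrWebAdmin": False},           # explicit FALSE on the user
        "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=com"]},
    "CN=carol,OU=Users,DC=example,DC=com": {
        "attrs": {}, "memberOf": []},             # nothing defined anywhere
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": {
        "attrs": {"DrWebAdminReadOnly": True},
        "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=com"]},
    "CN=Admins,OU=Groups,DC=example,DC=com": {
        "attrs": {"DrWebAdmin": True, "DrWebAdminGroup": "ESS-Admins"},
        "memberOf": []},
}

ADMIN_ATTRS = ("DrWebAdmin", "DrWebAdminReadOnly",
               "DrWebAdminGroupOnly", "DrWebAdminGroup")

def resolve_attr(directory, dn, attr):
    """attr from the object itself, else from the nearest group that defines
    it (memberOf walked breadth-first, parents after the group). None if unset."""
    seen, queue = set(), deque([dn])
    while queue:
        cur = queue.popleft()
        if cur in seen or cur not in directory:
            continue                          # unknown DN or group cycle
        seen.add(cur)
        obj = directory[cur]
        if attr in obj["attrs"]:
            return obj["attrs"][attr]
        queue.extend(obj["memberOf"])
    return None

def resolve_admin(directory, dn):
    """Steps 5-6 for a user that already logged on: the resolved admin
    attributes, or None when Dr.Web would try the next authenticator."""
    if dn not in directory:
        return None                           # lookup error -> next mechanism
    if directory[dn]["attrs"].get("DrWebAdmin") is False:
        return None                           # step 5: FALSE set on the user
    resolved = {a: resolve_attr(directory, dn, a) for a in ADMIN_ATTRS}
    if not resolved["DrWebAdmin"]:
        return None                           # still FALSE/unset: fail closed (assumption)
    return resolved
```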

The drweb-13.00.0-<build>-esuite-modify-ad-schema-<OS_version>.exe utility (included in the Dr.Web Server distribution kit) creates the new DrWebEnterpriseUser object class in Active Directory and defines new attributes for this class.

The attributes have the following OIDs in the enterprise OID space:

DrWeb_enterprise_OID "1.3.6.1.4.1" // iso.org.dod.internet.private.enterprise
DrWeb_DrWeb_OID DrWeb_enterprise_OID ".29690" // DrWeb
DrWeb_EnterpriseSuite_OID DrWeb_DrWeb_OID ".1" // EnterpriseSuite
DrWeb_Alerts_OID DrWeb_EnterpriseSuite_OID ".1" // Alerts
DrWeb_Vars_OID DrWeb_EnterpriseSuite_OID ".2" // Vars
DrWeb_AdminAttrs_OID DrWeb_EnterpriseSuite_OID ".3" // AdminAttrs

// 1.3.6.1.4.1.29690.1.3.1 (AKA iso.org.dod.internet.private.enterprise.DrWeb.EnterpriseSuite.AdminAttrs.Admin)

DrWeb_Admin_OID DrWeb_AdminAttrs_OID ".1" // R/W admin
DrWeb_AdminReadOnly_OID DrWeb_AdminAttrs_OID ".2" // R/O admin
DrWeb_AdminGroupOnly_OID DrWeb_AdminAttrs_OID ".3" // Group admin
DrWeb_AdminGroup_OID DrWeb_AdminAttrs_OID ".4" // Admin's group
DrWeb_Admin_AttrName "DrWebAdmin"
DrWeb_AdminReadOnly_AttrName "DrWebAdminReadOnly"
DrWeb_AdminGroupOnly_AttrName "DrWebAdminGroupOnly"
DrWeb_AdminGroup_AttrName "DrWebAdminGroup"

Settings of Active Directory users are edited manually on the Active Directory server (see the Administrator Manual, section Authentication of Administrators).

Permissions are assigned to administrators according to the general principle of inheritance in the hierarchical structure of the groups the administrator belongs to.