This article lays out the steps for synchronizing passwords from Microsoft Active Directory into Fox Technologies BoKS using the Active Directory Bridge. Synchronizing passwords into ServerControl allows a user to authenticate and be granted access to UNIX and Linux resources even if they have not logged in to Active Directory.
The integration of Active Directory Bridge with Active Directory allows ServerControl to take advantage of the Kerberos ticket that a user receives when logging in to Active Directory. Because the user is identified and then issued a Kerberos ticket, that ticket becomes a valid authentication method for identifying the user before access to resources is granted. The Kerberos ticket is the default authentication method with Active Directory Bridge. Adding password synchronization extends this so that a user can also be authenticated without a Kerberos ticket.
This document assumes that Active Directory Bridge has been deployed. The first part outlines the steps for enabling password use in ServerControl. The second section of the document outlines the steps for setting up Active Directory to send the passwords. The third section reviews the configuration steps for ServerControl to receive the passwords.
Section 1: Enabling password use with Active Directory Bridge
The Active Directory Bridge component of ServerControl uses Kerberos as the default authentication method. To enable password use by users imported through AD Bridge, the ‘Must Use’ authentication requirement needs to be turned off.
The Kerberos ‘Must use’ requirement of AD Bridge can be disabled in the FoxT Control Center (FCC) console under the ‘Domain’ tab in the ‘Active Directory synchronization’ section by selecting ‘off’ for the ‘Set authentication to “Must use”’ section.
AD Bridge users that have already been imported may already have Kerberos authentication set to ‘Mandatory’. This can be determined in FCC by looking at the ‘Authenticators’ section in the user's profile. It can also be determined and turned off at the command line on the BoKS ServerControl Master server. Log in to the Master server and enter the following commands:
# /opt/boksm/sbin/boksadm -S
BoKS # authadm list
User                 Type      Must Use  Comment
UNIX_SERVERS:kelli   Kerberos  Yes
BoKS # authadm mod -u UNIX_SERVERS:kelli -t kerberos -M
BoKS # authadm list
User                 Type      Must Use  Comment
UNIX_SERVERS:kelli   Kerberos  No
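When many users were imported before the ‘Must use’ setting was turned off, checking them one at a time in FCC is slow. The following POSIX shell snippet is an added example, not FoxT tooling: it parses the ‘authadm list’ table shown above (the sample output is constructed) and generates the ‘authadm mod ... -M’ command for every user whose Kerberos authenticator is still marked Must Use = Yes, so the commands can be reviewed before being entered in the boksadm shell.

```shell
#!/bin/sh
# Added example: generate Must Use clean-up commands from `authadm list` output.
# Constructed sample of `authadm list` output, in the column layout the
# article shows (User, Type, Must Use, Comment).
SAMPLE_AUTHADM_LIST='User Type Must Use Comment
UNIX_SERVERS:kelli Kerberos Yes
UNIX_SERVERS:bob Kerberos No
UNIX_SERVERS:alice Kerberos Yes
UNIX_SERVERS:dave Password No'

# Print the user names whose Kerberos authenticator is still mandatory.
# Field 1 = user, field 2 = authenticator type, field 3 = Must Use flag;
# the first line is the header and is skipped.
kerberos_must_use_users() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "Kerberos" && $3 == "Yes" { print $1 }'
}

# Build one `authadm mod ... -M` command per affected user, in the same form
# the article uses. Review the list, then enter the commands in `boksadm -S`.
build_fix_commands() {
    kerberos_must_use_users "$1" | while IFS= read -r user; do
        printf 'authadm mod -u %s -t kerberos -M\n' "$user"
    done
}

# Stand-alone run against the constructed sample (on a real Master you would
# pass the captured output of `authadm list` instead).
build_fix_commands "$SAMPLE_AUTHADM_LIST"
```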
Section 2: Configuring Microsoft Active Directory
Step 1: Windows to UNIX communications
Setting up password synchronization between Active Directory and a UNIX/Linux server requires that the Active Directory 'Role Service' for 'Identity Management for UNIX' is installed in Active Directory. This was a requirement for setting up Active Directory Bridge, so it is assumed to be enabled already. The ‘Identity Management for UNIX’ Role Service provides options for setting up the communications channel between the Windows and UNIX servers. It also provides the ability to set the identification numbers (UID/GID) required by the UNIX servers. These options are configured at different locations in the Active Directory tree structure.
With 'Identity Management for UNIX' enabled, the first set of options for configuring the communications channel between the Active Directory Domain Controller and UNIX server are displayed in the ‘Server Manager’ sub-tree appearing under 'Active Directory Domain Services' -> ‘Microsoft Identity Management for UNIX’. 'Password Synchronization' is the first choice under ‘Microsoft Identity Management for UNIX’.
Right click 'Password Synchronization' and choose 'Properties' to bring up a configuration screen. The General tab screen provides a checkbox option to direct password synchronization from ‘Windows to UNIX’, ‘UNIX to Windows’ or both directions. Check the ‘Windows to UNIX’ checkbox.
It also provides an option to generate a new key for setting up the encrypted communications channel to the UNIX server. Generating a new key at the ‘Password Synchronization’ configuration screen replaces the default key through the remainder of the tree. Generate a new key by clicking 'Generate Key', ‘Apply’ and ‘OK’.
The next level down in the ‘Server Manager’ tree structure defines the UNIX hosts for password synchronization under ‘UNIX-based Computers’. Right-click 'UNIX-based Computers' and select the option for 'Add Computer'. Add the host name of the BoKS ServerControl Master server. Either the short name or fully qualified domain name can be used so long as it resolves through DNS. Only the BoKS Master server needs to be configured for password management with ServerControl. Once the BoKS Master server is added, ServerControl will handle password synchronization to all the UNIX/Linux servers being managed by the BoKS Master. Select ‘Synchronize password changes to this computer’ and do not generate a new key here as it was generated in a previous step. Keep the default Port number 6677.
Step 2: Configure a security group that is allowed to push passwords outside of Active Directory
The second configuration step required in Active Directory is the creation of a security group called 'PasswordPropAllow'. The 'PasswordPropAllow' security group is created under the 'Users' organizational unit in the ‘Active Directory Users and Computers’ domain tree.
Right-click the 'Users' organizational unit.
Select the option for 'New -> Group'.
Define the ‘Group name’ specifically as: PasswordPropAllow.
By default, new groups are created as 'Global' groups, but 'PasswordPropAllow' needs to be defined as 'Domain local'.
Select the option buttons for Group scope 'Domain local' and Group Type 'Security'.
Only users who are members of the ‘PasswordPropAllow’ group are allowed to synchronize their passwords outside of AD. The final step required is to make the users members of the Active Directory ‘PasswordPropAllow’ security group.
Right-click the user(s) and make them members of the ‘PasswordPropAllow’ security group.
As a reminder, the UNIX attributes for these users are required as well. This was a requirement for implementation of Active Directory Bridge. If new users are being created for testing, don’t forget to set their UNIX attributes. The ‘UNIX Attributes’ tab was added to the user's Properties page when the ‘Identity Management for UNIX’ role service was enabled. To set a user's UNIX attributes, right-click the user, select Properties and add the attributes the same as you would for any user being imported through AD Bridge.
Section 3: Configuring Fox Technologies BoKS ServerControl
Step 1: Activating password synchronization on the BoKS ServerControl Master
There are two configuration steps required to enable the transfer of passwords to the ServerControl Master server. The first is to enable password synchronization and the second is to define from where the passwords will be accepted.
Password synchronization is enabled by setting the ADPSWSYNCD variable within the UNIX/Linux Master’s ENV configuration file to an ‘on’ value. This can be done from the command line by editing the file. The default location for the ENV file is in the /etc/opt/boksm directory.
# vi /etc/opt/boksm/ENV
Set ADPSWSYNCD to ‘on’, then save and exit.
Step 2: Define the AD Domain Controller from which to receive passwords.
The second configuration file to edit is ‘adpswsyncd.cfg’. This file defines the host that BoKS ServerControl will allow to update passwords in the ServerControl database. The default location for the adpswsyncd.cfg file is /etc/opt/boksm/pswsyncd.
# vi /etc/opt/boksm/pswsyncd/adpswsyncd.cfg
The values that need to be defined in the ‘adpswsyncd.cfg’ file are the encryption key that was generated on the Windows Domain Controller, the IP address of the Domain Controller and the name of the Windows domain. The domain name must be entered in upper case.
After the configuration files have been modified, the BoKS ServerControl environment needs to be restarted to read in the new parameters.
# /opt/boksm/sbin/boksadm -S
Reminder: If there is a firewall running on the BoKS ServerControl Master server then a firewall rule may be required to allow traffic through on port 6677.
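Before restarting, it is worth checking the two settings this section asks for plus the port. The following POSIX shell snippet is an added example, not part of the article or of BoKS: it assumes the ENV file uses NAME=value lines (an assumption; confirm against your own ENV file), takes the Windows domain name that will be entered in adpswsyncd.cfg as an argument, and checks whether anything is listening on TCP 6677. The sample ENV files are constructed so it runs stand-alone.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Section 3 settings.

# Return 0 if the ENV file turns password synchronization on.
# Assumes NAME=value lines; ignores leading whitespace and quotes, and uses
# the last ADPSWSYNCD line if the variable appears more than once.
env_sync_enabled() {
    value=$(grep '^[[:space:]]*ADPSWSYNCD[[:space:]]*=' "$1" | tail -n 1 \
            | cut -d= -f2- | tr -d ' \t"'"'")
    [ "$value" = "on" ]
}

# Return 0 if the Windows domain name is upper case, as adpswsyncd.cfg requires.
domain_is_uppercase() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Return 0 if a TCP listener is bound on the Password Synchronization port
# (default 6677). Uses ss when available, otherwise netstat.
sync_port_listening() {
    port=${1:-6677}
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q ":$port[[:space:]]"
    else
        netstat -ltn 2>/dev/null | grep -q ":$port[[:space:]]"
    fi
}

# Print a short report; exit status is 0 only if ENV and domain both pass.
run_preflight() {
    ok=0
    env_sync_enabled "$1" && echo "ENV: ADPSWSYNCD is on" \
        || { echo "ENV: ADPSWSYNCD is not on"; ok=1; }
    domain_is_uppercase "$2" && echo "domain OK: $2" \
        || { echo "domain must be upper case: $2"; ok=1; }
    sync_port_listening && echo "port 6677: listening" \
        || echo "port 6677: nothing listening yet (expected before restart)"
    return $ok
}

# Constructed sample ENV files (temporary files) for a stand-alone run.
GOOD_ENV=$(mktemp); printf '# BoKS ENV\nADPSWSYNCD=on\n' > "$GOOD_ENV"
BAD_ENV=$(mktemp);  printf 'ADPSWSYNCD=off\n' > "$BAD_ENV"
run_preflight "$GOOD_ENV" "EXAMPLE" || echo "pre-flight failed"
```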
Section 4: Validate the password synchronization process
The user needs to reset their password in order to trigger the synchronization from the AD Domain Controller to BoKS ServerControl. For testing purposes, the user's password can be reset from the Server Manager console on the AD Domain Controller. Right-click the test user's name and select the fourth option from the top of the list (Reset Password).
Resetting the user's password should generate a message in the Audit logs in BoKS ServerControl.
Additionally, the “Invalid password” message will be removed from the user's profile; you can check this in FCC.
At this point, Access Routes can be created in BoKS ServerControl that use the user's password as well as the Kerberos ticket.