5.1. Authentication of Administrators

To connect to the Enterprise Server, an administrator can authenticate in one of the following ways:

1. Using administrative account information stored in the Server DB.
2. Via Active Directory (for Servers running under Windows OS).
3. Via the LDAP protocol.
4. Via the RADIUS protocol.

Authentication methods are used sequentially according to the following rules:

1. The order in which the authentication methods are used depends on the order in which they are listed in the settings specified in the Control Center.
2. Authentication of the administrator from the Server DB is always tried first.
3. By default, LDAP authentication is used second, Active Directory third, and RADIUS fourth.
4. The LDAP, Active Directory and RADIUS authentication methods can be swapped in the Server settings, but authentication of the administrator from the Server DB is always used first.
5. The LDAP, Active Directory and RADIUS authentication methods are disabled by default.

To swap the order in which the authentication methods are used:

1. Select Administration in the main menu of the Control Center.
2. Select Authorization in the control menu.
3. In the opened window, the list of authentication types is shown in the order of use. To change this order, click the arrow to the left of an authentication type name. The corresponding authentication methods will be swapped.

Authentication of Administrators from the Server DB

The authentication method that stores administrative account information in the Server DB is used by default.

To manage the list of administrators:

1. Select Administration in the main menu of the Control Center.
2. Select Administrative accounts in the control menu. The list of all administrators registered in the DB will open. See the Management of Administrative Accounts section for details.

Active Directory Authentication

To enable Active Directory authentication:

1. Select Administration in the main menu of the Control Center.
2. Select Authorization in the control menu.
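The rules above define a fixed chain: the Server DB is always consulted first, the three external methods follow in the order configured in the Control Center, and each of them is skipped while it is disabled (the default). The following Python model, added here as an illustration and not Dr.Web's own code, makes those invariants explicit. The backends are constructed in-memory stand-ins (a real deployment would query the LDAP, Active Directory or RADIUS server), and the hashing scheme for the Server DB entry is hypothetical.

```python
# Added example (not Dr.Web's own code): a minimal model of the sequential
# administrator authentication chain. The Server DB is always tried first;
# LDAP, Active Directory and RADIUS follow in the configured order and are
# skipped while disabled, which is the default state of all three.

import hashlib
import hmac

# Constructed Server DB: user -> PBKDF2 hash of the password (hypothetical scheme).
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


SERVER_DB = {"admin": _hash("db-secret")}


def db_auth(user: str, password: str) -> bool:
    """Check the credentials against the Server DB (constant-time compare)."""
    stored = SERVER_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, _hash(password))


# Constructed stand-ins for the external directories.
LDAP_USERS = {"jdoe": "ldap-secret"}
AD_USERS = {"asmith": "ad-secret"}
RADIUS_USERS = {"rroot": "radius-secret"}


def _table_auth(table):
    return lambda user, password: hmac.compare_digest(table.get(user, ""), password)


EXTERNAL_METHODS = {
    "LDAP": _table_auth(LDAP_USERS),
    "Active Directory": _table_auth(AD_USERS),
    "RADIUS": _table_auth(RADIUS_USERS),
}

# Default Control Center order and state: LDAP second, Active Directory third,
# RADIUS fourth; all three disabled until explicitly enabled.
DEFAULT_ORDER = ["LDAP", "Active Directory", "RADIUS"]
DEFAULT_ENABLED = {"LDAP": False, "Active Directory": False, "RADIUS": False}


def swap_methods(order, name_a, name_b):
    """Swap two external methods; the Server DB is never part of the swappable list."""
    if name_a not in EXTERNAL_METHODS or name_b not in EXTERNAL_METHODS:
        raise ValueError("only LDAP, Active Directory and RADIUS can be reordered")
    new_order = list(order)
    i, j = new_order.index(name_a), new_order.index(name_b)
    new_order[i], new_order[j] = new_order[j], new_order[i]
    return new_order


def authenticate(user, password, order=DEFAULT_ORDER, enabled=DEFAULT_ENABLED):
    """Return the name of the first method that accepts the credentials, or None."""
    if db_auth(user, password):
        return "Server DB"
    for name in order:  # external methods, in Control Center order
        if enabled.get(name) and EXTERNAL_METHODS[name](user, password):
            return name
    return None


if __name__ == "__main__":
    print(authenticate("admin", "db-secret"))          # Server DB
    print(authenticate("jdoe", "ldap-secret"))         # None: LDAP disabled by default
    print(authenticate("jdoe", "ldap-secret",
                       enabled=dict(DEFAULT_ENABLED, LDAP=True)))  # LDAP
```

Note that the chain stops at the first method that accepts the credentials and that a user present only in an external directory cannot log in until that method is enabled, which is worth checking when an administrator reports a failed login after a change to the Authorization settings.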
3. In the opened window, select the Microsoft Active Directory section.
4. Set the Use Microsoft Active Directory authorization flag.
5. Click Save.

For Active Directory authentication, only enabling of this authentication method is configured in the Control Center. You must edit the Active Directory administrators' settings manually on the Active Directory server.

To edit Active Directory administrators:
1. To enable editing of administrator parameters, do the following:
   a) Modify the Active Directory schema with the drwschema-modify.exe utility (included in the Enterprise Server distribution kit). Modification may take some time. Note that, depending on the domain configuration, it may take 5 minutes or more to synchronize and apply the modified schema.
   b) Register the Active Directory Schema snap-in: execute the regsvr32 schmmgmt.dll command with administrative privileges, then run mmc and add the Active Directory Schema snap-in.
   c) Using the Active Directory Schema snap-in, add the auxiliary DrWebEnterpriseUser class to the User and (if necessary) Group classes.
   d) With administrative privileges, run the drweb-esuite-aduac-600-xxxxxxxxx-windows-nt-xYY.msi file (included in the Enterprise Security Suite 6.0.4 distribution kit) and wait until the installation finishes.
2. Visual editing of attributes is available from the Active Directory Users and Computers control panel → Users section → the Administrator Properties window for editing the settings of the selected user → the Dr.Web Authentication tab.
3. The following parameters are available for editing (each attribute can be set to yes, no or not set):
   ◆ User is administrator indicates that the user is a full-rights administrator.
   ◆ User is read-only administrator indicates that the user is an administrator with read-only rights. If the yes value is set for the User is administrator parameter only, the user is a full-rights administrator. If the yes value is set for both the User is administrator and User is read-only administrator parameters, the user is an administrator with read-only rights.
   ◆ Inherit permissions from groups allows the remaining parameter values to be inherited from the user's groups. If any parameter (or several parameters) has the not set value and Inherit permissions from groups is set to yes, the values of the unspecified parameters are inherited from the user's groups.
LDAP Authentication

To enable LDAP authentication:

1. Select Administration in the main menu of the Control Center.
2. Select Authorization in the control menu.
3. In the opened window, select the LDAP authorization section.
4. Set the Use LDAP authorization flag.
5. Click Save.

You can configure authorization via the LDAP protocol against any LDAP server. You can also use this mechanism to configure a Server running under a UNIX system-based OS for authorization in Active Directory on a domain controller.

Unlike Active Directory authentication, this mechanism can be configured for any LDAP schema. By default, the Server uses the attributes as they are defined for Active Directory.

The LDAP authorization process is as follows:

1. The LDAP server address is specified via the Control Center or the xml configuration file.
2. For the specified user name, the following actions are performed:
   ◆ Translation of the name to a DN (Distinguished Name) using DOS-like masks (with the * symbol), if such rules are specified.
   ◆ Translation of the name to a DN using regular expressions, if such rules are specified.
   ◆ A custom script for translating the name to a DN is used, if one is specified in the settings.
   ◆ If no match is found in the translation rules, the specified name is used as it is.
3. After translation, as for Active Directory, an attempt is made to authenticate (bind) the user at the specified LDAP server using the determined DN and the specified password.
4. After this, as for Active Directory, the LDAP object attributes are read for the determined DN. Attributes and their possible values can be redefined in the configuration file.
5. If undefined values of administrator attributes are found and inheritance is specified (in the configuration file), the required attributes are searched for in the user's groups in the same way as for Active Directory.
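The five LDAP steps above, together with the administrator attribute rules from the Active Directory section (yes / no / not set values, full-rights versus read-only, and inheritance of unset values from groups), can be followed end to end in the Python model below. It is an added example, not Dr.Web's own code: it binds against a constructed in-memory directory instead of a real LDAP server, and the rule formats, attribute names (drwebAdmin, drwebReadOnly) and the custom script hook are hypothetical stand-ins for what the Server reads from its configuration file.

```python
# Added example (not Dr.Web's own code): the LDAP authorization steps run
# against a constructed in-memory directory. Attribute names, rule formats
# and the script hook are hypothetical; the real Server takes them from its
# configuration file.

import fnmatch
import hmac
import re

# Constructed directory: DN -> password, attributes and member-of group DNs.
# Attribute values follow the tri-state of the Dr.Web Authentication tab:
# "yes", "no", or absent (= not set).
DIRECTORY = {
    "cn=jdoe,ou=staff,dc=example,dc=com": {
        "password": "s3cret",
        "attrs": {"drwebAdmin": "yes"},           # read-only flag not set
        "groups": ["cn=helpdesk,ou=groups,dc=example,dc=com"],
    },
    "cn=helpdesk,ou=groups,dc=example,dc=com": {
        "password": None,                         # groups cannot bind
        "attrs": {"drwebReadOnly": "yes"},
        "groups": [],
    },
    "uid=ops,dc=example,dc=com": {
        "password": "pw",
        "attrs": {"drwebAdmin": "yes", "drwebReadOnly": "no"},
        "groups": [],
    },
}

ADMIN_ATTRS = ("drwebAdmin", "drwebReadOnly")  # hypothetical attribute names

# Step 2: name -> DN translation rules, tried in the order the manual gives.
MASK_RULES = [("*@example.com", "cn={name},ou=staff,dc=example,dc=com")]
REGEX_RULES = [(re.compile(r"^ops-(\w+)$"), r"uid=\1,dc=example,dc=com")]


def custom_script(name):
    """Hypothetical custom translation hook; returns None when it does not apply."""
    return None


def translate_name(name):
    """Masks first, then regular expressions, then the script, else the name as given."""
    for mask, template in MASK_RULES:
        if fnmatch.fnmatchcase(name, mask):
            return template.format(name=name.split("@", 1)[0])
    for pattern, replacement in REGEX_RULES:
        if pattern.match(name):
            return pattern.sub(replacement, name)
    scripted = custom_script(name)
    if scripted:
        return scripted
    return name


# Step 3: bind with the determined DN and the supplied password.
def ldap_bind(dn, password):
    entry = DIRECTORY.get(dn)
    if entry is None or entry["password"] is None:
        return False
    return hmac.compare_digest(entry["password"], password)


# Steps 4-5: read the object's attributes, then fill not-set ones from its groups.
def resolve_attrs(dn, inherit):
    entry = DIRECTORY[dn]
    resolved = {a: entry["attrs"].get(a) for a in ADMIN_ATTRS}
    if inherit:
        for group_dn in entry["groups"]:
            group_attrs = DIRECTORY.get(group_dn, {}).get("attrs", {})
            for a in ADMIN_ATTRS:
                if resolved[a] is None and a in group_attrs:
                    resolved[a] = group_attrs[a]
    return resolved


def admin_role(attrs):
    """admin=yes alone is full rights; admin=yes plus read-only=yes is read-only."""
    if attrs.get("drwebAdmin") != "yes":
        return None
    return "read-only" if attrs.get("drwebReadOnly") == "yes" else "full"


def authorize(name, password, inherit=True):
    """Full LDAP flow: translate, bind, read attributes, apply the role rules."""
    dn = translate_name(name)
    if not ldap_bind(dn, password):
        return None
    return admin_role(resolve_attrs(dn, inherit))


if __name__ == "__main__":
    print(authorize("jdoe@example.com", "s3cret"))                 # read-only (inherited)
    print(authorize("jdoe@example.com", "s3cret", inherit=False))  # full
    print(authorize("ops-ops", "pw"))                              # full
```

Two points the model makes visible: with inheritance enabled, jdoe's unset read-only flag is filled from the helpdesk group and the account is downgraded to read-only, while the same account is a full-rights administrator with inheritance off, so group membership should be reviewed whenever inheritance is turned on; and a name that matches no rule is passed to the bind step unchanged as the DN, so the translation rules should cover every user name form administrators are expected to type.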