Appendix O. Procedures for Authentication of Administrators

General information on administrator authentication at the Enterprise Server is given in the Authentication of Administrators section.

Active Directory Authentication

Only two settings are configured for this method: whether it is enabled and its position in the list of authenticators, in the <enabled/> and <order/> tags of the auth-ads.xml configuration file.

Operation principle:

1. The administrator specifies a user name and password; the user name may be in one of the following formats:

username,

domain\username,

username@domain,

user's LDAP DN.

2. The Server logs on with this name and password at the default domain controller (or at the domain controller specified in the user name).

3. If the logon fails, the next authentication mechanism is tried.

4. The LDAP DN of the logged-on user is determined.

5. For the object with the determined DN, the DrWeb_Admin attribute is read. If its value is FALSE, authentication is considered failed and the next authentication mechanism is tried.

6. The DrWeb_AdminReadOnly attribute is read. If its value is TRUE, the administrator has read-only rights.

7. The DrWeb_AdminGroupOnly attribute is read. If its value is TRUE, the administrator may manage only certain groups.

8. The DrWeb_AdminGroup attribute is read. It must contain the list of groups managed by this administrator.

9. If any of the attributes are still undefined at this stage, they are looked up in the groups the user belongs to. For each group, its parent groups are checked as well (inward search strategy).

If any error occurs, the next authentication mechanism is tried.

The drwschema-modify.exe utility (included in the Server distribution kit) creates a new object class in Active Directory and defines new attributes for this class.

The attributes have the following OIDs in the enterprise space:

#define DrWeb_enterprise_OID      "1.3.6.1.4.1"                           // iso.org.dod.internet.private.enterprise
#define DrWeb_DrWeb_OID           DrWeb_enterprise_OID      ".29690"     // DrWeb
#define DrWeb_EnterpriseSuite_OID DrWeb_DrWeb_OID           ".1"         // EnterpriseSuite
#define DrWeb_Alerts_OID          DrWeb_EnterpriseSuite_OID ".1"         // Alerts
#define DrWeb_Vars_OID            DrWeb_EnterpriseSuite_OID ".2"         // Vars
#define DrWeb_AdminAttrs_OID      DrWeb_EnterpriseSuite_OID ".3"         // AdminAttrs
 
// 1.3.6.1.4.1.29690.1.3.1 (AKA iso.org.dod.internet.private.enterprise.DrWeb.EnterpriseSuite.AdminAttrs.Admin)
 
#define DrWeb_Admin_OID           DrWeb_AdminAttrs_OID      ".1"         // R/W admin
#define DrWeb_AdminReadOnly_OID   DrWeb_AdminAttrs_OID      ".2"         // R/O admin
#define DrWeb_AdminGroupOnly_OID  DrWeb_AdminAttrs_OID      ".3"         // Group admin
#define DrWeb_AdminGroup_OID      DrWeb_AdminAttrs_OID      ".4"         // Admin's group
#define DrWeb_Admin_AttrName             "DrWebAdmin"
#define DrWeb_AdminReadOnly_AttrName     "DrWebAdminReadOnly"
#define DrWeb_AdminGroupOnly_AttrName    "DrWebAdminGroupOnly"
#define DrWeb_AdminGroup_AttrName        "DrWebAdminGroup"

Settings of Active Directory users are edited manually on the Active Directory server (see the Authentication of Administrators section).

The algorithm for handling the attributes during authorization is as follows:

1. User attributes are read.

2. If the DrWebAdmin attribute is set to TRUE, then:

2.1. If some attributes are missing and the DrWebInheritPermissions attribute is set to TRUE, the missing attributes are read from groups. As soon as all attributes are set, the traversal of groups stops. Thus, the earlier an attribute is read, the higher its priority. Administrator access is granted.

2.2. If some attributes are missing and the DrWebInheritPermissions attribute is set to FALSE (or undefined), administrator access is denied.

2.3. If all attributes are set, administrator access is granted.

3. If the DrWebAdmin attribute is set to FALSE, administrator access is denied.

4. If the DrWebAdmin attribute is undefined, then:

4.1. If the DrWebInheritPermissions attribute is set to TRUE, attributes are read from groups; then proceed as in step 2.

4.2. If the DrWebInheritPermissions attribute is set to FALSE (or undefined), proceed as in step 3.
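The attribute-inheritance algorithm above, written out as an added example (not the Server's own code). It assumes a simple in-memory directory where TRUE/FALSE attribute values are Python booleans, treats the four attributes from the #define block as the set that must be "all set", reads DrWebInheritPermissions from the user object only, and interprets the "inward" search strategy as depth-first: each group, then its parent groups, before the next group.

```python
from dataclasses import dataclass, field

# The four administrator attributes defined by drwschema-modify.exe; this example
# treats them as the attribute set that must be "all set" (assumption).
REQUIRED_ATTRS = ("DrWebAdmin", "DrWebAdminReadOnly",
                  "DrWebAdminGroupOnly", "DrWebAdminGroup")

@dataclass
class Entry:
    attrs: dict                                   # Dr.Web attributes of a user or group
    member_of: list = field(default_factory=list)  # DNs of groups this object belongs to

def walk_groups(group_dns, directory, seen=None):
    """Yield each group, then its parent groups depth-first (this example's reading
    of the page's 'inward' strategy); 'seen' guards against membership cycles."""
    seen = set() if seen is None else seen
    for dn in group_dns:
        if dn in seen or dn not in directory:
            continue
        seen.add(dn)
        yield directory[dn]
        yield from walk_groups(directory[dn].member_of, directory, seen)

def inherit_missing(attrs, user, directory):
    """Fill only the missing attributes from groups: the first group that defines
    an attribute wins, and the walk stops as soon as every attribute is set."""
    merged = dict(attrs)
    for grp in walk_groups(user.member_of, directory):
        for name in REQUIRED_ATTRS:
            if name not in merged and name in grp.attrs:
                merged[name] = grp.attrs[name]
        if all(name in merged for name in REQUIRED_ATTRS):
            break
    return merged

def resolve_admin(user, directory):
    """Return (access_granted, effective_attrs) following steps 1-4 of the algorithm."""
    attrs = {k: v for k, v in user.attrs.items() if k in REQUIRED_ATTRS}  # step 1
    inherit = user.attrs.get("DrWebInheritPermissions") is True
    admin = attrs.get("DrWebAdmin")
    if admin is False:                       # step 3
        return False, attrs
    if admin is None and not inherit:        # step 4.2, handled as step 3
        return False, attrs
    missing = [n for n in REQUIRED_ATTRS if n not in attrs]
    if missing and not inherit:              # step 2.2
        return False, attrs
    if missing:                              # steps 2.1 and 4.1
        attrs = inherit_missing(attrs, user, directory)
        # DrWebAdmin must now be TRUE (steps 2/3 re-applied to the inherited value)
        return attrs.get("DrWebAdmin") is True, attrs
    return True, attrs                       # step 2.3
```

A user who is DrWebAdmin TRUE but whose other attributes come from a group keeps the first group's values even when a parent group defines them differently, which is the priority rule of step 2.1.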

LDAP Authentication

Settings are stored in the auth-ldap.xml configuration file.

General tags of the configuration file:

<enabled/> and <order/> have the same meaning as for Active Directory.

<server/> specifies the LDAP server address.

<user-dn/> defines rules for translating a name into a DN (Distinguished Name) using DOS-like masks.

In the <user-dn/> tag, the following wildcard characters are allowed:

* matches a sequence of any characters except . , = @ \ and spaces;

# matches a sequence of any characters.

<user-dn-expr/> defines rules for translating a name into a DN using regular expressions.

For example, the same rule in its two variants:
<user-dn user="*@example.com" dn="CN=\1,DC=example,DC=com"/>
<user-dn-expr user="(.*)@example.com" dn="CN=\1,DC=example,DC=com"/>

\1 .. \9 mark the places in the template where the values matched by the * symbols or by the parenthesized expressions are substituted.

Following this principle, if the user name is specified as login@example.com, translation yields the DN "CN=login,DC=example,DC=com".

<user-dn-extension-enabled/> allows the ldap-user-dn-translate.ds Lua script (from the extensions folder) to be executed to translate user names into DNs. The script runs after the user-dn and user-dn-expr rules have been tried, if no matching rule was found. The script takes one parameter, the specified user name, and returns either a string containing the DN or nothing. If no matching rule is found and the script is disabled or returns nothing, the specified user name is used as is.
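The name-to-DN translation chain described above (masks, then regular expressions, then the extension script, then the name unchanged), as an added example that is not the Server's own implementation. It assumes that a rule must match the whole user name, and stands in for the Lua extension script with an ordinary Python callable.

```python
import re

# Characters the '*' wildcard must not consume (the page's rule for <user-dn/> masks).
_STAR_EXCLUDED = r".,=@\\ "

def mask_to_regex(mask):
    """Convert a DOS-like <user-dn user="..."/> mask into a regex: '*' becomes a
    capture group excluding . , = @ \\ and space, '#' a capture group of anything."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append("([^" + _STAR_EXCLUDED + "]*)")
        elif ch == "#":
            parts.append("(.*)")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)

def apply_template(dn_template, captured):
    r"""Replace \1..\9 in the dn template with the captured values."""
    def repl(m):
        idx = int(m.group(1))
        if idx > len(captured):
            raise ValueError(f"template uses \\{idx} but the rule captured "
                             f"only {len(captured)} value(s)")
        return captured[idx - 1]
    return re.sub(r"\\([1-9])", repl, dn_template)

def translate_user_dn(username, mask_rules=(), regex_rules=(), extension=None):
    """Resolve a user name to a DN in the page's order: <user-dn/> masks, then
    <user-dn-expr/> regexes, then the optional extension script (here any
    callable standing in for ldap-user-dn-translate.ds), else the name unchanged."""
    for user_mask, dn_template in mask_rules:
        m = re.fullmatch(mask_to_regex(user_mask), username)   # whole-name match assumed
        if m:
            return apply_template(dn_template, m.groups())
    for user_regex, dn_template in regex_rules:
        m = re.fullmatch(user_regex, username)
        if m:
            return apply_template(dn_template, m.groups())
    if extension is not None:
        result = extension(username)
        if result:
            return result
    return username

if __name__ == "__main__":
    rule = ("*@example.com", r"CN=\1,DC=example,DC=com")
    print(translate_user_dn("login@example.com", mask_rules=[rule]))
```

Because * cannot cross a dot, a name such as first.last@example.com does not match the *@example.com mask and falls through the chain, while the #@example.com mask accepts it.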

The attributes of the LDAP object whose DN was obtained by translation, and their possible values, can be defined by the following tags (default values shown):

<!-- DrWebAdmin attribute equivalent (OID 1.3.6.1.4.1.29690.1.3.1) -->
<admin-attribute-name value="DrWebAdmin" true-value="^TRUE$" false-value="^FALSE$"/>
 
<!-- DrWebAdminReadOnly attribute equivalent (OID 1.3.6.1.4.1.29690.1.3.2) -->
<readonly-admin-attribute-name value="DrWebAdminReadOnly" true-value="^TRUE$" false-value="^FALSE$"/>
 
<!-- DrWebAdminGroupOnly attribute equivalent (OID 1.3.6.1.4.1.29690.1.3.3) -->
<grouponly-admin-attribute-name value="DrWebAdminGroupOnly" true-value="^TRUE$" false-value="^FALSE$"/>
 
<!-- DrWebAdminGroup attribute equivalent (OID 1.3.6.1.4.1.29690.1.3.4) -->
<groups-admin-attribute-name value="DrWebAdminGroup"/>

The values of the true-value/false-value parameters are regular expressions.

If some administrator attributes remain undefined and the <group-reference-attribute-name value="memberOf"/> tag is set in the configuration file, the value of the memberOf attribute is treated as the list of DNs of the groups the administrator belongs to, and the missing attributes are searched for in these groups, as for Active Directory.