Thread: How to Authenticate Non-Windows AIS Server Users with Microsoft ActiveDirectory

    #1 Yossi Shitrit, US Technical Team (Join Date: Sep 2006)

    The Problem:
    AIS servers authenticate users based on the local operating system user accounts. Sometimes, an organization that has non-Windows AIS servers (e.g., on Linux, mainframe, etc.) wishes to authorize access to such servers based not on the local operating system but instead on Microsoft Active Directory users or groups.

    For a Windows-based AIS server this is simple: the daemon's workspace-users attribute can specify valid AD user names or group names which will be allowed to request a server of that workspace. For non-Windows AIS servers, a different approach is needed.

    Let's assume, for example, that you have a non-Windows machine, say Linux, running a secured AIS Server. Only a specific Linux user, linuxusr1, is allowed to connect to the desired AIS workspace on that machine (providing a password, "somePa55word").

    The Solution:
    The solution requires setting up an AIS server on a Windows box to act as a "proxy" to the target AIS server. A workspace is defined which limits access to just the desired AD users and groups (for example, "moe.jones,goe.jomes"). In that workspace, a data source shortcut is added pointing to the target data source on the target AIS server. In addition, the credentials for accessing the target machine (linuxusr1/somePa55word) are stored in the special "DEFAULT" AIS user profile on the Windows box.

    The special user profile "DEFAULT" on the Windows AIS server is used when a client connects with a valid OS username for which there is no user profile defined in AIS. In this case, goe.jomes will connect and will be validated against AD but since that user does not have a dedicated AIS user profile, it will get to use the "DEFAULT" user profile which contains the credentials for accessing the target machine. Note that the special user profile "NAV" cannot (and should not) be used in this case because this user profile is used only when the client connects anonymously.

    With this setup, an AIS client (ODBC, JDBC, OLEDB, ADO.NET) will need to provide the correct AD username and password and will be able to access the target data source on the target machine (Linux in this example) indirectly, using the fixed target machine credentials.

    Here is how to set it up:
    • You need to have a workspace on the Windows AIS server that can be used to connect to the shortcut.
    • Edit this workspace to not allow anonymous access and add all of the specific Windows users to the workspace users.
    • On the Windows AIS, create a new user profile with the name: DEFAULT
    • Add to this DEFAULT profile a machine authenticator for the remote-machine alias used by the shortcut and provide the Linux username, linuxusr1, and its password.

    In case the Linux data source (that the shortcut points to) requires a database username and password, you need to add a data source authenticator on the Linux AIS to a DEFAULT profile, or to the Linux user profile (linuxusr1) if it exists.
    Last edited by DrorHarari; 07-11-2012 at 09:11 AM.