
Inherited assigned applications in OSGD 5.4 not shown

mvlonden Member Posts: 20 Blue Ribbon
edited Oct 31, 2018 11:35AM in Secure Global Desktop

In OSGD 5.4 I use LDAP as the authentication method. One (default) application is assigned to the LDAP profile for all users, but some users also have rights to other applications. But when these users log in, only the assigned application bound to the LDAP profile is shown.

I don't have this issue with our OSGD 5.2 server with third party authentication with the same setup.

What am I doing wrong?


Best Answer

  • mvlonden
    mvlonden Member Posts: 20 Blue Ribbon
    edited Oct 31, 2018 11:34AM Answer ✓

    Oracle Support found the solution:

    In order to map an AD account to an ENS account you must create the AD structure for that account:

    Find the user in AD and open the properties of that user, go to Attribute Editor, find distinguishedName and use this string to create the AD structure and account name: CN=Doe\, John,OU=Domain Admins,OU=ICT,DC=RTVmedia,DC=org

    Remove the backslash in the account name in the admin console!!!!

    Because we still have two AD domains, I had to create two AD structures in the admin console. The login name is <Login Name>@<domain name>

    This also means that I have two service objects (one for each domain) and /etc/krb5.conf is configured for both domains.

    The domain is domain.com and has an OU called Users, with the user Doe, John (jdoe01). In our AD we create users with display names as follows: Lastname, Firstname.

    In the admin console you create this as follows:

    (Screenshots: pastedImage_0.png, pastedImage_1.png)

    All users which are not created in admin console get the assigned application from the LDAP User profile. AD users which are created in the admin console now can get extra or different assigned applications.

    Furthermore I limited access based on AD security group membership:

    ./tarantella config edit --com.sco.tta.server.login.DSLoginFilter.properties-loginGroups "cn=SecureGlobalDesktop,ou=Groups,dc=Domain,dc=com"

    Beware that the default LDAP cache is set to 20 minutes, so when adding a user to or removing a user from the security group, the change in access does not take effect instantly.

    You can speed up this process by clearing the cache: ./tarantella cache --flush all

    Hope that this might help others with the same issue.

    Kind regards,

    Michael


Answers

  • Jan-Oracle
    Jan-Oracle Senior Product Manager USMember Posts: 122 Employee
    edited Oct 3, 2018 5:49PM

    When a user has their own profile assigned, they do not inherit anything from the default profile. If there are defaults you want to apply/inherit you need to add those applications to the parent Directory structure where you added the user profiles. For example, I added user profiles under o=organization

    [[email protected] ~]$ tarantella object list_attributes --name o=organization
    Attributes for .../_ens/o=organization:
    Organization: organization
    cdm: alldrives:rw
    clipboard: 2
    customlaunchcontrols: forceauthentication=on
    editprofile: 2
    links: o=applications/cn=!Welcome
    objectclass: organization,scottaauxorganization,top
    orgxrandr: 2
    serialport: 2
    webtop: sco/tta/standard

    [[email protected] ~]$ tarantella object add_link --name o=organization --link o=applications/cn=Firefox

    and make sure the desired profiles under o=organization have the inherit flag set:

    [[email protected] ~]$ tarantella object list_attributes --name "o=organization/cn=clientcert/cn=PIVKey 246864C91046A1409C3BAE044287D899" --inherit
    Attributes for .../_ens/o=organization/cn=clientcert/cn=PIVKey 246864C91046A1409C3BAE044287D899:
    inherit: 1

  • mvlonden
    mvlonden Member Posts: 20 Blue Ribbon
    edited Oct 11, 2018 5:54AM

    Hi Jan,

    The setup in SGD5.2, which I want to use again in SGD5.4 only with 3rd party authentication, works, but for some reason it does not work in SGD5.4. The new SGD5.4 needs to work with AD/LDAP authentication.

    For the test I installed SGD5.4 (with all available patches) again with only Unix user authentication. This is the setup:

    - Two users, user01 and user02

    - Two applications, Desktop and Powergold

    Under organization I created a directory Powergold, with no inheritance, and one application Powergold.

    Under Powergold I created the user user02, who inherits the application Powergold from the directory Powergold.

    The system object Unix User profile only has one application, Desktop. All preconfigured applications are removed.

    In the admin console I did not create user01, so user01 (who matches the Unix user profile) only gets Desktop as application.

    When user02 logs in, this user should only get the application Powergold, and with SGD5.4 that does not work anymore. It does work with SGD5.2. I also tested this with SGD5.3, and with SGD5.3 it does not work either.

    In SGD 5.4 when user02 logs in, this user gets Desktop as (only) application.

    [[email protected] bin]# ./tarantella object list_attributes --name o=organization/ou=Powergold
    Attributes for .../_ens/o=organization/ou=Powergold:
    Organizational Unit: Powergold
    clipboard: 2
    editprofile: 2
    inherit: 0
    links: o=applications/cn=Powergold
    objectclass: organizationalunit,scottaauxorganizationalunit,top
    orgxrandr: 2
    serialport: 2
    webtop: ..

    [[email protected] bin]# ./tarantella object list_attributes --name o=organization/ou=Powergold/cn=user02
    Attributes for .../_ens/o=organization/ou=Powergold/cn=user02:
    Name: user02
    bandwidth: 0
    clipboard: 2
    editprofile: 2
    enabled: 1
    inherit: 1
    objectclass: inetorgperson,scottaauxperson,organizationalperson,person,top
    orgxrandr: 2
    serialport: 2
    shared: 0
    surname: Surname
    webtop: ..

    (Screenshots: SGD5.4 setup-page-001.jpg, SGD5.4 setup-page-002.jpg, SGD5.4 setup-page-003.jpg, SGD5.4 setup-page-004.jpg)

  • mvlonden
    mvlonden Member Posts: 20 Blue Ribbon
    edited Oct 11, 2018 6:52AM

    Come to think of it, inheritance is not the issue, matching the user against the right repository is.

    By default a user is matched against a certain system user profile, depending on the authentication method, but when that same user is also created in the admin console that user has additional or different rights (applications).

    So depending on the match and inheritance this user should get additional applications plus the default which is assigned to the system user profile or organisation. Or the user should only get the application which is assigned to the OU which the user is member of.

    The trick now is, how do I achieve this.

  • Jan-Oracle
    Jan-Oracle Senior Product Manager USMember Posts: 122 Employee
    edited Oct 12, 2018 7:13PM

    Did you make sure the proper config setting is active? For example, if we were to use third-party login

    tarantella config list | grep login-thirdparty

    login-thirdparty-ens: 1        # this determines if the identity should be matched in ens
    login-thirdparty-nonens: 1     # whether to allow login without matching ens entry
    login-thirdparty: 1            # enable thirdparty

    Similar settings exist for LDAP. It seems you might not have told SGD to actually match the LDAP user with the local ens user.

  • mvlonden
    mvlonden Member Posts: 20 Blue Ribbon
    edited Oct 13, 2018 8:55AM

    Thank you Jan, you might have pointed me in the right direction.

    I think when I look at the possible login commands that AD is not possible, but LDAP is.

    Only LDAP has the "Use Closest Matching LDAP Profile", not AD.

    This attribute specifies a search method used by SGD to determine the identity and user profile of a user who has been authenticated by a third-party authentication mechanism.
    This search method searches for the user identity in an LDAP repository and then uses the closest matching user profile in the local repository, allowing for differences between the LDAP and SGD naming systems.
    SGD searches for the following until a match is found:

    • A user profile with the same name as the LDAP person object.
    For example, if the LDAP person object is cn=Emma Rald,cn=Sales,dc=example,dc=com, SGD searches the local repository for dc=com/dc=example/cn=Sales/cn=Emma Rald.

    • A user profile in the same organizational unit as the LDAP person object but with the name cn=LDAP Profile.
    For example, dc=com/dc=example/cn=Sales/cn=LDAP Profile.

    • A user profile in any parent organizational unit with the name cn=LDAP Profile.
    For example, dc=com/dc=example/cn=LDAP Profile.

    • If there is no match, the profile object SystemObjects/LDAP Profile is used for the user profile.

    If additional search methods are selected, the search methods are used in the order shown. However, third-party authentication does not support ambiguous users and so the first match found is used.
    If the searches do not produce a match, the standard login page is displayed and the user must log in to SGD in the normal way.

    --login-ldap-thirdparty-ens 1

    So I am going to remove the AD config, set up an LDAP config and test.
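The "closest matching LDAP profile" search order quoted in the post above, and the AD-to-ENS naming the accepted answer relies on (build the user's container structure from its distinguishedName and drop the backslash that escapes the comma in a name like Doe\, John), can be worked through as a small mapping routine. This is an added example, not SGD code and not anything posted in the thread: the function names, the PROFILE_NAME and SYSTEM_FALLBACK constants, the lower-casing of attribute types in ENS names, the walk up every parent container, and the sample repository contents are assumptions made here for illustration.

```python
"""Work through SGD's "Use Closest Matching LDAP Profile" lookup order for a
user authenticated against LDAP/AD.

Added example, not Oracle SGD code. The function names, PROFILE_NAME,
SYSTEM_FALLBACK, the lower-casing of attribute types in ENS names and the
walk up every parent container are assumptions made for illustration.
"""

from typing import List, Set, Tuple

# Per-container fallback profile name, as quoted from the SGD docs in the thread.
PROFILE_NAME = "LDAP Profile"
# System-wide fallback object, also from the quoted docs.
SYSTEM_FALLBACK = "SystemObjects/LDAP Profile"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into leaf-first (type, value) pairs.

    A backslash-escaped comma, as AD produces for a display name such as
    "Doe, John", belongs to the value rather than separating RDNs. The
    backslash itself is dropped, matching the thread's advice that the admin
    console object name must not contain it. Hex escapes are not handled.
    """
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # keep the escaped char, drop the backslash
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))

    parsed: List[Tuple[str, str]] = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        # Assumption: ENS names use lower-case attribute types (cn=, ou=, dc=).
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def ens_path(rdns: List[Tuple[str, str]]) -> str:
    """ENS names are root-first with '/' separators, so the DN order reverses:
    cn=X,ou=Y,dc=Z becomes dc=Z/ou=Y/cn=X."""
    return "/".join(f"{attr}={value}" for attr, value in reversed(rdns))


def closest_match_candidates(dn: str) -> List[str]:
    """ENS objects SGD would try, in order, for the given LDAP person DN:
    1. a profile with the same name as the LDAP person object;
    2. cn=LDAP Profile in the same container;
    3. cn=LDAP Profile in each parent container, nearest first
       (assumption: "any parent" is read as every level up to the root);
    4. SystemObjects/LDAP Profile."""
    rdns = parse_dn(dn)
    containers = rdns[1:]  # everything above the person object
    candidates = [ens_path(rdns)]
    while containers:
        candidates.append(ens_path([("cn", PROFILE_NAME)] + containers))
        containers = containers[1:]
    candidates.append(SYSTEM_FALLBACK)
    return candidates


def resolve_profile(dn: str, repository: Set[str]) -> str:
    """Pick the first candidate present in the local repository. Third-party
    login does not support ambiguous users, so the first hit wins."""
    for candidate in closest_match_candidates(dn):
        if candidate in repository:
            return candidate
    return SYSTEM_FALLBACK


# Constructed sample of the local repository; not taken from any real server.
SAMPLE_REPOSITORY: Set[str] = {
    # AD user created in the admin console from its distinguishedName,
    # with the escaping backslash removed from the account name.
    "dc=org/dc=RTVmedia/ou=ICT/ou=Domain Admins/cn=Doe, John",
    # Container-level profile that catches everyone else in Sales.
    "dc=com/dc=example/cn=Sales/cn=LDAP Profile",
}

if __name__ == "__main__":
    for sample_dn in ("cn=Emma Rald,cn=Sales,dc=example,dc=com",
                      "CN=Doe\\, John,OU=Domain Admins,OU=ICT,DC=RTVmedia,DC=org"):
        print(sample_dn, "->", resolve_profile(sample_dn, SAMPLE_REPOSITORY))
```

The candidate list makes the original symptom easy to reason about: a user who has no object of their own in the local repository, and no cn=LDAP Profile anywhere above their container, falls all the way through to SystemObjects/LDAP Profile and therefore sees only the application assigned there. Creating the user's own object under the matching container structure makes step 1 hit instead, which is what the accepted answer does.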

This discussion has been closed.