Retrieve Groups from LDAP using Kerberos on Linux

This section describes how to retrieve user and group information from an LDAP directory (Microsoft Active Directory in this example), using Kerberos, when OmniGroupServer is installed on Linux.

To retrieve security information from an LDAP directory

  1. Log on to the Windows Domain Controller and complete the following steps:

    1. Add a new user to the Active Directory (for example Domain\OGSUser).
    2. Generate a keytab file:

      ktpass -out ogsuser_domain.keytab
             -princ ogsuser/linux_ogs_host.domain@kerberos_realm
             -mapUser DOMAIN\ogsuser
             -mapOp set
             -pass P4ssw0rd!
             -crypto all
             -ptype KRB5_NT_PRINCIPAL

      NOTE: This command must be entered on one line.

    3. Move the .keytab file that is generated to the machine that hosts OmniGroupServer.
  2. On the machine that hosts OmniGroupServer, run kinit using the keytab file that you generated.

    kinit -k -t /path/to/ogsuser_domain.keytab -c /path/to/ogsuser_domain.krbcache ogsuser/linux_ogs_host.domain@kerberos_realm
  3. Open the OmniGroupServer configuration file.
  4. In the [Repositories] section, create a repository to store the LDAP groups. For example:

    [Repositories]
    Number=1
    0=LDAP
  5. Create a section to contain the task details and set the following configuration parameters:

    GroupServerLibrary: The path (including the file name) to the library file that allows the group server to access the repository. Use the LDAP group server library, ogs_ldap.
    LDAPServer: The host name or IP address of the machine that hosts the LDAP directory.
    LDAPPort: The port to use to access the LDAP directory.
    LDAPBase: The distinguished name of the search base.
    LDAPType: The type of LDAP server (for example, MAD for Microsoft Active Directory).
    LDAPSecurityType: The type of security to use when communicating with the LDAP server (for example, SSL or TLS).
    LDAPBindMethod: The type of authentication to use to access the LDAP directory. Set this parameter to KERBEROS.

    For example:

    [Default]
    GroupServerStartTime=now
    GroupServerCycles=-1
    GroupServerRepeatSecs=86400
    GroupServerCaseInsensitive=TRUE
    GroupServerShowAlternativeNames=TRUE
    GroupServerMaxDatastoreQueue=100000
    
    [Repositories]
    ...
    GroupServerDefaultRepositories=LDAP
    0=LDAP
    
    [LDAP]
    GroupServerLibrary=ogs_ldap
    LDAPServer=ldap.mydomain.com
    LDAPPort=389
    LDAPBase=DC=mydomain,DC=com
    LDAPType=MAD
    LDAPBindMethod=KERBEROS

    For a complete list of configuration parameters that you can use, refer to the OmniGroupServer Reference.

  6. Save and close the OmniGroupServer configuration file.

  7. Run OmniGroupServer using the following command, replacing the paths with the correct paths for your system:

    KRB5CCNAME=FILE:/path/to/ogsuser_domain.krbcache KRB5_KTNAME=FILE:/path/to/ogsuser_domain.keytab nohup ./omnigroupserver.exe &
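
As an added example for steps 2 and 7 (example code, not part of the OmniGroupServer documentation), the following POSIX shell launcher refuses to start if the keytab is readable by other users, refreshes the ticket cache from the keytab when the cache is missing or stale, and then starts the server with the environment from step 7. The paths, principal, binary name and the 8-hour refresh threshold are assumptions; the `stat -c` options are GNU coreutils, as found on Linux.

```shell
#!/bin/sh
# Added launcher for step 7 (example code, not part of the OmniGroupServer
# documentation). Paths, principal and binary name are illustrative.
KEYTAB="${KEYTAB:-/path/to/ogsuser_domain.keytab}"
CACHE="${CACHE:-/path/to/ogsuser_domain.krbcache}"
PRINCIPAL="${PRINCIPAL:-ogsuser/linux_ogs_host.domain@kerberos_realm}"
OGS_BIN="${OGS_BIN:-./omnigroupserver.exe}"

# The keytab holds the service account's long-term key, so it must be owned
# by the account that runs OmniGroupServer and readable by nobody else.
# Returns 0 for mode 0400/0600 owned by the current user (GNU stat, Linux).
keytab_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    owner=$(stat -c '%u' "$1") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Returns 0 when the cache file exists and is younger than $2 seconds.
# AD issues 10-hour tickets by default, while GroupServerRepeatSecs=86400
# reruns the task daily, so a cache that is never refreshed goes stale.
cache_is_fresh() {
    [ -f "$1" ] || return 1
    age=$(( $(date +%s) - $(stat -c '%Y' "$1") ))
    [ "$age" -lt "$2" ]
}

start_ogs() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to start: $KEYTAB must be mode 0600 and owned by $(id -un)" >&2
        return 1
    fi
    # Re-run kinit (step 2) unless a recent cache already exists.
    if ! cache_is_fresh "$CACHE" 28800; then
        kinit -k -t "$KEYTAB" -c "$CACHE" "$PRINCIPAL" || return 1
    fi
    klist -c "$CACHE" >/dev/null || return 1   # confirm a usable ticket
    # Same environment as step 7; the cache path is passed via KRB5CCNAME.
    KRB5CCNAME="FILE:$CACHE" KRB5_KTNAME="FILE:$KEYTAB" \
        nohup "$OGS_BIN" >/dev/null 2>&1 &
}

# Only start when invoked as: sh ogs-start.sh start
if [ "${1:-}" = start ]; then start_ogs; fi
```

Run it as `sh ogs-start.sh start` from the OmniGroupServer directory, or source the file to call the check functions on their own.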
