MS Active Directory authentication

To authenticate EVA ICS users, Microsoft Active Directory can be used.

Active Directory support is not configured by default.

Automatic setup

eva feature setup msad host=192.168.1.15,domain=myorganization.com,key_prefix=msad_

Manual setup

System setup

Install LDAP and SASL2 development libraries

apt -y install libsasl2-dev libldap2-dev libssl-dev
# or for Fedora
yum install -y openldap-devel openssl-devel

Add the easyad module to the EXTRA list in the EVA ICS Python venv configuration (/opt/eva/etc/venv):

EXTRA="easyad==1.0.9"

Rebuild EVA ICS venv

/opt/eva/install/build-venv

EVA ICS controller configuration

Put the following block in the controller configuration (e.g. for SFA, edit the config/sfa/main registry key):

msad:
    host: ad.yourdomain.com
    domain: yourdomain.com
    key_prefix: ""
    ou: EVA
    #ca: /path/to/ca-file.crt
    # cache credentials for the specified time (seconds)
    # default: 86400 (1 day), 0 to disable caching
    #cache-time: 86400
    # try to authenticate the user against the cache before probing AD
    #cache-first: true

Host and domain should always be specified. The default key prefix is empty and the default organizational unit is EVA. No CA file is used by default.

Restart the controller

eva sfa server restart

Configuring multiple domains

To authenticate users from multiple domains, set the “host” parameter as:

msad:
    host: domain1.com=ad.domain1.com,domain2.com=ad.domain2.com

The optional “domain” parameter can be used to specify the default domain.

Note

Multiple-domain authentication cannot be set up with the “eva feature setup msad” command. Please edit the controller configuration directly.

Active Directory configuration

Log into the Active Directory domain controller, open Active Directory Users and Computers and create an organizational unit (default: EVA).

(Screenshot: create AD OU)

Create security groups inside the organizational unit. Each group name should match an EVA ICS API key ID.

(Screenshot: create AD group)

Assign the security group to a domain user. If multiple security groups are assigned, EVA ICS uses the combined ACL of all of them. If an API key with any of the required IDs does not exist, the authentication attempt is considered failed, even if the user has other groups assigned.

Usage

Authentication

After an OU security group is assigned to an Active Directory user, that user's credentials can immediately be used for authentication in EVA ICS. It is not necessary to create the user in the EVA ICS controller.

If a user with the same login exists in the EVA ICS controller, the local user has higher priority. If the provided password does not match the local one, the local record is ignored and an attempt to authenticate via Active Directory is performed.

Users can authenticate either with “login” or with “login@domain”.

If the “domain” parameter is specified in the configuration, users can omit the domain in their logins and the default domain is used for authentication.

Note

For cached credentials and 3rd party plugins, “user” and “user@domain” are two different users. If such behavior leads to logical confusion for 3rd party software or UI apps, disable the “domain” parameter in the configuration.

If the “domain” parameter is not specified, users MUST always specify a domain in their logins.
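The following is an added example, not EVA ICS's own code, of how the “host” and “domain” settings described above resolve a login to a domain controller. It parses both the single-host and the domain1.com=ad.domain1.com,... forms of “host”, splits “login” / “login@domain”, applies the default domain when one is configured, and rejects a login with no determinable domain. Function names and the returned tuple shape are assumptions for illustration; the domain names are constructed.

```python
# Added illustration of "host" / "domain" resolution for msad logins.
# Constructed example; not EVA ICS code. Function names are assumed.


def parse_msad_hosts(host_value):
    """Parse the msad "host" setting into a domain -> AD host mapping.

    Single-domain form:  "ad.yourdomain.com" -> {None: "ad.yourdomain.com"}
    Multi-domain form:   "domain1.com=ad.domain1.com,domain2.com=ad.domain2.com"
                         -> {"domain1.com": "ad.domain1.com",
                             "domain2.com": "ad.domain2.com"}
    """
    hosts = {}
    for entry in host_value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:
            domain, host = entry.split("=", 1)
            hosts[domain.strip().lower()] = host.strip()
        else:
            # No "=": one domain controller serves every login.
            hosts[None] = entry
    return hosts


def resolve_login(login, host_value, default_domain=None):
    """Split "user" / "user@domain" and choose the AD host to contact.

    Returns (user, domain, ad_host). Raises ValueError when no domain can be
    determined (no "@" in the login and no default domain configured) or when
    the domain is not present in a multi-domain "host" setting.
    """
    hosts = parse_msad_hosts(host_value)
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        domain = domain.lower()
    else:
        user = login
        domain = default_domain.lower() if default_domain else None
    if domain is None:
        raise ValueError("no domain in login and no default domain configured")
    if None in hosts:
        # Single-domain setup: the one configured host is used for all logins.
        return user, domain, hosts[None]
    if domain not in hosts:
        raise ValueError(f"domain {domain!r} is not configured in msad host")
    return user, domain, hosts[domain]


if __name__ == "__main__":
    multi = "domain1.com=ad.domain1.com,domain2.com=ad.domain2.com"
    print(resolve_login("alice@domain2.com", multi))
    print(resolve_login("alice", multi, default_domain="domain1.com"))
    try:
        resolve_login("alice", multi)
    except ValueError as e:
        print("rejected:", e)
```

Note that the login string itself is what a cache or plugin would see, so “alice” and “alice@domain1.com” remain distinct identities even when both resolve to the same domain controller, which is the behavior the note above describes.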

Key prefixes

If key_prefix is specified in the controller configuration, EVA ICS looks for the API key with ID {key_prefix}{AD security group}, e.g.

  • key_prefix = msad_

  • the user has the security group EVA/operator assigned

  • the EVA ICS controller API key should have the ID msad_operator
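The following is an added example, not EVA ICS's own code, tying together the rules from the Active Directory configuration, Authentication and Key prefixes sections: a local user with a matching password wins, otherwise the directory is consulted; every AD security group assigned to the user is mapped to {key_prefix}{group}; the ACLs of all matched keys are combined; and if any required key ID is missing the attempt fails. The API key records, the ACL representation (a set of permission strings), the local-user store and the directory lookup stub are all constructed simplifications; the real controller key format and the directory bind are not reproduced here.

```python
# Added illustration of local-first authentication and AD group -> API key
# mapping with combined ACLs. Constructed example; not EVA ICS code.
import hashlib
import hmac
import os

# Constructed API key store. The ACL is simplified to a set of permission
# strings; the real EVA ICS key format is richer.
CONSTRUCTED_API_KEYS = {
    "msad_operator": {"acl": {"item:read", "item:set"}},
    "msad_viewer": {"acl": {"item:read"}},
}


def api_key_id(group, key_prefix=""):
    """Map an AD security group name to the expected API key ID."""
    return f"{key_prefix}{group}"


def combined_acl(groups, api_keys, key_prefix=""):
    """Union of the ACLs of all keys matching the user's groups.

    Returns None if any group has no matching key: per the rules above the
    attempt fails even though other groups would have matched.
    """
    acl = set()
    for group in groups:
        key = api_keys.get(api_key_id(group, key_prefix))
        if key is None:
            return None
        acl |= key["acl"]
    return acl


def hash_password(password, salt):
    # Salted PBKDF2 for the constructed local user store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_local_user(password, acl):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "acl": set(acl)}


# Constructed local user: "alice" exists locally AND in the directory.
LOCAL_USERS = {"alice": make_local_user("local-pw", {"item:read"})}


def constructed_ad_groups(login, password):
    """Stand-in for the directory bind: returns the user's security groups,
    or None when the directory rejects the credentials. Constructed data."""
    directory = {
        ("alice", "ad-pw"): ["operator"],
        ("bob", "bob-pw"): ["operator", "viewer"],
        ("carol", "carol-pw"): ["operator", "auditor"],  # no msad_auditor key
    }
    return directory.get((login, password))


def authenticate(login, password, local_users, ad_groups_for, api_keys,
                 key_prefix=""):
    """Return ("local", acl), ("msad", acl) or None (failed)."""
    local = local_users.get(login)
    if local is not None:
        # Local record has priority when the password matches it.
        if hmac.compare_digest(hash_password(password, local["salt"]),
                               local["hash"]):
            return "local", local["acl"]
        # Otherwise the local record is ignored and AD is tried.
    groups = ad_groups_for(login, password)
    if groups is None:
        return None
    acl = combined_acl(groups, api_keys, key_prefix)
    if acl is None:
        return None
    return "msad", acl


if __name__ == "__main__":
    for login, pw in [("alice", "local-pw"), ("alice", "ad-pw"),
                      ("bob", "bob-pw"), ("carol", "carol-pw"),
                      ("bob", "wrong")]:
        print(login, authenticate(login, pw, LOCAL_USERS, constructed_ad_groups,
                                  CONSTRUCTED_API_KEYS, key_prefix="msad_"))
```

The carol case is the one worth checking in a real deployment: a user whose groups include one with no matching API key is refused entirely, so a typo in a group name or a missing key shows up as a failed login rather than as reduced permissions.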