Active Directory auth service

Requires EVA ICS Enterprise.

Active Directory user authentication service; see Authentication, authorization and accounting for more details.

Setup

Use the template EVA_DIR/share/svc-tpl/svc-tpl-aaa-msad.yml:

# Active directory authentication service
command: svc/eva-aaa-msad
bus:
  path: var/bus.ipc
config:
  ## ACL service
  acl_svc: eva.aaa.acl
  ## OTP service
  #otp_svc: eva.aaa.otp
  ## domain=ad_host, e.g. mydomain.com: ad.mydomain.com (or IP)
  #hosts:
  #  mydomain.com: ad.mydomain.com
  #  mydomain2.com: 1.2.3.4
  ## optional default domain, if no domain specified in user name
  #default_domain: mydomain.com
  ## optional default domain controller host/ip
  #default_host: ad.mydomain.com
  ## organization unit (default is EVA)
  #ou: EVA
  ## optional ACL prefix
  #acl_prefix: "msad_"
  ## connect to the domain controller over TLS
  #tls: true
  ## skip TLS certificate verification (insecure, for testing only)
  #no_tls_verify: false
  ## cache entries and use the cache if ad is unavailable
  #cache_time: 86400
  ## if cached entry exists - use it before ad authentication
  #cache_first: false
user: eva

Create the service using eva-shell:

eva svc create eva.aaa.msad /opt/eva4/share/svc-tpl/svc-tpl-aaa-msad.yml

or using the bus CLI client:

cd /opt/eva4
cat DEPLOY.yml | ./bin/yml2mp | \
    ./sbin/bus ./var/bus.ipc rpc call eva.core svc.deploy -

(see eva.core::svc.deploy for more info)

EAPI methods

See EAPI commons for the common information about the bus, types, errors and RPC calls.

auth.user

Description

Authenticates a client using an Active Directory account

Parameters

required

Returns

The method returns an error if authentication is not successful

Parameters

Name      Type    Description                    Required
--------  ------  -----------------------------  --------
login     String  Account login                  yes
password  String  Account password (plain text)  yes
timeout   f64     Max operation timeout          no

Active Directory configuration

Log into the Active Directory domain controller, open Active Directory Users and Computers and create an organizational unit (default name: EVA).

[Figure: create AD OU]

Create security groups inside the organizational unit. Group names must match IDs of EVA ICS ACLs:

[Figure: create AD group]

Assign a security group to a domain user. If multiple security groups are assigned, a combined ACL is created. If any assigned group names an ACL ID that does not exist, the authentication attempt is treated as failed, even if the user's other groups map to existing ACLs.

Usage

Authentication

Once an OU security group is assigned to an Active Directory user, that user's credentials can immediately be used to authenticate in EVA ICS. It is not necessary to create a local user in the local authentication services.

Users can authenticate themselves either with “login” or with “login@domain”.

If “default_domain” option is specified in the configuration, users can omit domains in their logins and the default domain is used for authentication.

Note

For cached credentials, “user” and “user@domain” are two different users. If this behavior causes logical confusion for third-party software or UI apps, leave the “default_domain” option unset in the configuration.

If “default_domain” option is not specified, users MUST always specify a domain in their logins.
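The login and domain resolution rules above, modelled as a small Python function. This is an added example, not code from EVA ICS or the eva-aaa-msad service: the class and function names, the case-insensitive domain match, and the fall-back from “hosts” to “default_host” for a domain that is not listed are assumptions.

```python
"""Model of how a login is mapped to an AD domain and domain controller,
following the 'hosts', 'default_domain' and 'default_host' options and the
"login" / "login@domain" rules. Added example: names and the fall-back
behaviour are assumptions, not the eva-aaa-msad implementation."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class AuthError(Exception):
    """Raised when a login cannot be mapped to a domain controller."""


@dataclass
class MsadConfig:
    hosts: Dict[str, str] = field(default_factory=dict)  # domain -> DC host/IP
    default_domain: Optional[str] = None
    default_host: Optional[str] = None


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """'user@domain' -> (user, domain); 'user' -> (user, None).
    Assumption: the last '@' separates the domain; empty parts are rejected."""
    if "@" not in login:
        return login, None
    user, _, domain = login.rpartition("@")
    if not user or not domain:
        raise AuthError(f"malformed login {login!r}")
    return user, domain.lower()


def resolve(cfg: MsadConfig, login: str) -> Tuple[str, str, str]:
    """Return (user, domain, dc_host) for a login, or raise AuthError.

    Rules taken from the documentation:
      * no '@domain' in the login and no default_domain  -> reject
      * no '@domain' in the login                        -> use default_domain
      * domain present in 'hosts'                        -> use the mapped host
    Assumption: a domain missing from 'hosts' falls back to default_host
    and is rejected if that is unset too.
    """
    user, domain = split_login(login)
    if domain is None:
        if cfg.default_domain is None:
            raise AuthError("domain required: no default_domain configured")
        domain = cfg.default_domain.lower()
    hosts = {k.lower(): v for k, v in cfg.hosts.items()}  # DNS names are case-insensitive
    host = hosts.get(domain) or cfg.default_host
    if host is None:
        raise AuthError(f"no domain controller configured for domain {domain!r}")
    return user, domain, host


def cache_key(login: str) -> str:
    """The credential cache keys entries by the login as presented, so 'jdoe'
    and 'jdoe@mydomain.com' are separate cached users even when default_domain
    makes them the same AD account. Assumption: verbatim key, no normalisation."""
    return login


if __name__ == "__main__":
    cfg = MsadConfig(
        hosts={"mydomain.com": "ad.mydomain.com", "mydomain2.com": "1.2.3.4"},
        default_domain="mydomain.com",
    )
    print(resolve(cfg, "jdoe"))                # ('jdoe', 'mydomain.com', 'ad.mydomain.com')
    print(resolve(cfg, "jdoe@MyDomain2.com"))  # ('jdoe', 'mydomain2.com', '1.2.3.4')
    print(cache_key("jdoe") == cache_key("jdoe@mydomain.com"))  # False
    try:
        resolve(cfg, "jdoe@other.org")         # not in hosts, no default_host
    except AuthError as e:
        print("rejected:", e)
```

The point of the cache_key function is the note above: with default_domain set, a client that sometimes sends “jdoe” and sometimes “jdoe@mydomain.com” will populate two cache entries for one AD account, so the cache-hit behaviour (and the lifetime set by cache_time) differs per spelling.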

ACL prefixes

If acl_prefix is specified in the service configuration, the service looks for the ACL with ID {acl_prefix}{AD security group}, e.g.

  • acl_prefix = msad_

  • user has assigned security group EVA/operator

  • EVA ICS ACL must have id msad_operator
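The group-to-ACL mapping from “Active Directory configuration” and “ACL prefixes” above, modelled in Python: only groups inside the configured OU count, acl_prefix is prepended to the group name to form the ACL ID, and one missing ACL fails the whole authentication. This is an added example, not eva-aaa-msad code; the DN parsing is simplified (no escaped commas), the memberOf-style input shape is assumed, and treating a user with no group in the OU as rejected is an assumption.

```python
"""Model of the AD security group -> EVA ICS ACL mapping with an optional
acl_prefix. Added example, not the service's implementation: the DN parser
is simplified and the 'no group in the OU -> reject' rule is an assumption."""

from typing import Iterable, List, Set, Tuple


class AclError(Exception):
    """Raised when the user's groups cannot be mapped to existing ACLs."""


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """'CN=operator,OU=EVA,DC=mydomain,DC=com' -> [('CN','operator'), ('OU','EVA'), ...].
    Simplified: assumes no escaped commas and single-valued RDNs."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise AclError(f"malformed DN component {rdn!r} in {dn!r}")
        parts.append((attr.upper(), value))
    return parts


def groups_in_ou(member_of: Iterable[str], ou: str = "EVA") -> List[str]:
    """Return the CNs of groups whose DN sits directly under OU=<ou>.
    Groups elsewhere in the directory are ignored, so a group called
    'operator' outside the EVA OU cannot grant the EVA 'operator' ACL.
    Assumption: match on the first OU component, case-insensitively."""
    names = []
    for dn in member_of:
        rdns = parse_dn(dn)
        if (len(rdns) >= 2 and rdns[0][0] == "CN"
                and rdns[1][0] == "OU" and rdns[1][1].lower() == ou.lower()):
            names.append(rdns[0][1])
    return names


def acl_ids_for(member_of: Iterable[str], existing_acls: Set[str],
                ou: str = "EVA", acl_prefix: str = "") -> List[str]:
    """Map the user's in-OU groups to ACL IDs of the form '{acl_prefix}{group}'.

    Every mapped ID must exist: a single missing ACL fails authentication even
    when other groups map to valid ACLs (rule from the documentation). The
    returned list is what the ACL service combines into one effective ACL."""
    groups = groups_in_ou(member_of, ou)
    if not groups:
        raise AclError(f"user is not a member of any security group in OU={ou}")
    wanted = [f"{acl_prefix}{g}" for g in groups]
    missing = [a for a in wanted if a not in existing_acls]
    if missing:
        raise AclError(f"ACL(s) not found: {', '.join(sorted(missing))}")
    return sorted(wanted)


if __name__ == "__main__":
    # Constructed sample: a user's memberOf values as AD would return them.
    member_of = [
        "CN=operator,OU=EVA,DC=mydomain,DC=com",
        "CN=viewer,OU=EVA,DC=mydomain,DC=com",
        "CN=Domain Users,CN=Users,DC=mydomain,DC=com",  # outside the OU: ignored
    ]
    print(acl_ids_for(member_of, {"msad_operator", "msad_viewer"},
                      acl_prefix="msad_"))  # ['msad_operator', 'msad_viewer']
    try:
        # 'msad_viewer' is missing, so the whole login is rejected
        acl_ids_for(member_of, {"msad_operator"}, acl_prefix="msad_")
    except AclError as e:
        print("rejected:", e)
```

The practical consequence of the “all or nothing” rule is that creating a new security group in the OU before the matching ACL exists in eva.aaa.acl locks out every user who is added to it; create the ACL first, then the group.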