This technical note outlines how Linux hosted ACE Management Server integrates with Active Directory, describes default installations, and outlines basic troubleshooting. To access LDAP, ACE uses the SASL authentication abstraction layer. To successfully complete a GSSAPI bind, ACE makes use of the MIT Kerberos5 library.
Copyright 2007 VMware, Inc. All rights reserved.
Integrating Linux Hosted ACE Management Server with Active Directory
VMware ACE 2.0.1

This document applies to the Linux hosted ACE Management Servers, which use RHEL 4 and the Debian based Virtual Appliance from VMware.

Implementation Overview

ACE Management Server uses LDAP to query Active Directory for user and group information. To access LDAP, ACE uses the SASL authentication abstraction layer. In particular, ACE Management Server uses the GSSAPI authentication method when binding to the LDAP server.

To successfully complete a GSSAPI bind, ACE Management Server makes use of the MIT Kerberos 5 library. ACE Management Server implements a Kerberos client that authenticates users to the Active Directory Key Distribution Center (KDC). Kerberos 5 has been the native domain authentication protocol of Windows since Windows 2000.

The data passed by the LDAP protocol is protected by application layer encryption based on the keys exchanged by the Kerberos authentication protocol: the SASL GSSAPI security layer signs and seals the LDAP traffic with the Kerberos session key. No TLS (LDAPS) is involved; the connection goes to the plain LDAP port.

Ports in Use

ACE Management Server uses the following ports directly when integrated with Active Directory:

389  LDAP traffic (TCP)
88   Kerberos authentication traffic (the MIT library sends over UDP and falls back to TCP for large replies)

Indirectly, ACE Management Server also uses DNS services (port 53) by default, due to features enabled in the Kerberos library.

Active Directory Integration Details

During the configuration phase of the ACE Management Server, the administrator provides the following information:

LDAP server hostname: The network hostname of the machine that is running your LDAP service (your domain controller). For example, ldap.vmware.com.

Query user UPN: The account that ACE Management Server uses to log on to the LDAP service to query for user and group information. The format of the user name is user@domain, otherwise known as the user principal name. In the LDAP service the attribute of the user object is called userPrincipalName. For example, ams@vmware.com.

Query user password: The password for the query user account.

Default domain: The name of the domain to use by default. This default domain is used when users do not enter domain information while logging in. The format of the domain name is dot delimited. For example, vmware.com.

Admin group DN: The distinguished name of the group to which ACE administrators belong. Users who use Workstation ACE Edition (WSAE) to create and modify ACEs and instances must belong to this group. The admin group DN is a full LDAP distinguished name, not a host name. For example, cn=AceAdministrators,cn=Users,dc=vmware,dc=com.

This information is used when ACE authenticates users and verifies group memberships.

ACE Management Server interactions with Active Directory fall into several categories:

- Authentication of administrators in the web configuration UI
- Authentication of administrators or help desk personnel in the Web UI (Help Desk Web application)
- Authentication of administrators in the Workstation ACE Edition application
- Authentication of end users in the player application
- Proxied change of password requests from the player application

Authentication of Users and Accessing the LDAP Service

ACE Management Server uses the MIT Kerberos library for two purposes:

- To authenticate user credentials
- To gain the credentials necessary to complete a GSSAPI bind to the LDAP service with the query user specified during configuration

Both of these operations are identical except that when you do an LDAP bind, you store the tickets received from the Kerberos server after a successful authentication so that the LDAP library can use them.

For the Kerberos library to perform an authentication, your Linux ACE Management Server host machine must be able to resolve certain DNS queries. For more information, read the Kerberos documentation included with your Linux distribution.

- The KDC host is resolved through DNS. This means that your DNS server must answer a request for the _kerberos._tcp SRV record of the specified domain (either the default domain or a domain specified by the user).
- The domain name must resolve to a valid host IP. For example, vmware.com in your network resolves to the IP address of ldap.vmware.com.
- Reverse lookups for the KDC must resolve.
- Reverse lookups for the domain name IP must resolve.
- The hostname of the ACE Management Server host must resolve in your DNS.
- A reverse lookup entry for your ACE Management Server host IP must resolve in your DNS.

If any of these DNS queries fail, you get a failure from the Kerberos library. Some of these failures are easy to identify (for example, cannot find KDC host) and some are more difficult to identify (for example, local errors).
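The following script is an added example, not VMware code and not part of this note. It runs, from the ACE Management Server host, the DNS checks listed above and then reproduces the two Kerberos operations described in this section: it obtains a ticket for the query user with kinit and then uses that ticket for a SASL GSSAPI bind with ldapsearch, looking the user up by userPrincipalName and reporting whether the user is a direct member of the admin group DN. It assumes the MIT Kerberos client tools (kinit, klist), the OpenLDAP client (ldapsearch), getent and dig are installed. The host names, addresses, UPN and group DN in the usage line are this note's examples, and the LDAP filter is an assumption, since the note does not document the exact query ACE issues.

```shell
#!/bin/sh
# ace-ad-check.sh: pre-flight checks for a Linux hosted ACE Management Server
# being integrated with Active Directory. Added example, not VMware code.
# Assumes: MIT Kerberos client tools (kinit, klist), OpenLDAP client
# (ldapsearch), getent and dig on the ACE host. The hostnames, IPs, UPN and
# group DN in the usage line are the note's examples, not real systems.

# ---- pure helpers (no network) -------------------------------------------

# SRV record the Kerberos library queries when dns_lookup_kdc = true.
kerberos_srv_record() {
    printf '_kerberos._tcp.%s\n' "$1"
}

# Name a reverse (PTR) lookup for an IPv4 address resolves (shown on failure).
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# user@vmware.com -> user@VMWARE.COM. An AD realm is the DNS domain in upper
# case, and Kerberos realm names are case sensitive.
upn_to_principal() {
    printf '%s@%s\n' "${1%@*}" "$(printf '%s' "${1#*@}" | tr '[:lower:]' '[:upper:]')"
}

# vmware.com -> dc=vmware,dc=com (default naming context of the domain).
domain_to_base_dn() {
    printf '%s\n' "$1" | awk -F. '{ s = ""; for (i = 1; i <= NF; i++) s = s (i > 1 ? "," : "") "dc=" $i; print s }'
}

# ---- DNS checks: the lookups the note lists -------------------------------

# Forward and reverse lookups go through the resolver (getent), the same path
# the Kerberos library uses, so /etc/hosts entries count. The SRV lookup is a
# raw DNS query, so dig is used and /etc/hosts cannot satisfy it.
check_forward() {
    getent hosts "$1" >/dev/null && echo "ok   forward  $1" && return 0
    echo "FAIL forward  $1"; return 1
}
check_reverse() {
    getent hosts "$1" >/dev/null && echo "ok   reverse  $1" && return 0
    echo "FAIL reverse  $1 (PTR for $(reverse_name "$1"))"; return 1
}
check_srv() {
    rec=$(kerberos_srv_record "$1")
    [ -n "$(dig +short SRV "$rec" 2>/dev/null)" ] && echo "ok   SRV      $rec" && return 0
    echo "FAIL SRV      $rec"; return 1
}

# Usage: dns_checks DOMAIN KDC_HOST
dns_checks() {
    rc=0
    check_srv "$1"              || rc=1   # _kerberos._tcp.DOMAIN
    check_forward "$1"          || rc=1   # DOMAIN itself resolves to a DC address
    check_forward "$2"          || rc=1   # KDC host
    check_forward "$(hostname)" || rc=1   # this ACE Management Server host
    # Reverse lookups for every address the three names resolve to.
    for ip in $(getent hosts "$1" "$2" "$(hostname)" 2>/dev/null | awk '{ print $1 }' | sort -u); do
        check_reverse "$ip" || rc=1
    done
    return $rc
}

# ---- Kerberos authentication, then the SASL/GSSAPI bind ACE performs -------

# Usage: auth_and_bind LDAP_HOST QUERY_UPN ADMIN_GROUP_DN
auth_and_bind() {
    princ=$(upn_to_principal "$2")
    base=$(domain_to_base_dn "${2#*@}")
    # 1. AS exchange with the AD KDC on port 88: prompts for the query user's
    #    password and stores the TGT in the credential cache.
    kinit "$princ" || { echo "FAIL kinit $princ (KDC reachable? krb5.conf? clock skew?)"; return 1; }
    klist -s       || { echo "FAIL no valid ticket in the credential cache"; return 1; }
    echo "ok   kinit $princ"
    # 2. GSSAPI bind to the domain controller on port 389 with that ticket,
    #    then look the query user up by userPrincipalName (assumed filter;
    #    the note does not document the exact query ACE issues).
    out=$(ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$1" -b "$base" \
            "(userPrincipalName=$2)" memberOf 2>&1) ||
        { echo "FAIL GSSAPI bind to ldap://$1: $out"; return 1; }
    echo "ok   GSSAPI bind and lookup of $2"
    # 3. Direct membership in the admin group DN. LDIF folds long lines with a
    #    leading space, so join them before matching; memberOf lists direct
    #    memberships only, nested groups do not appear.
    if printf '%s\n' "$out" | sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' | grep -qi "^memberOf: $3\$"; then
        echo "ok   $2 is a direct member of $3"
    else
        echo "warn $2 is not a direct member of $3"
    fi
}

# Run everything: sh ace-ad-check.sh vmware.com ldap.vmware.com ams@vmware.com \
#     'cn=AceAdministrators,cn=Users,dc=vmware,dc=com'
if [ $# -eq 4 ]; then
    dns_checks "$1" "$2"
    auth_and_bind "$2" "$3" "$4"
fi
```

Run the DNS checks first; a kinit failure on a host that cannot resolve the SRV record or its own reverse entry is usually the "local error" case, and fixing DNS (or /etc/hosts and krb5.conf) is the cure. A successful kinit followed by a failed bind narrows the problem to port 389, the SASL/GSSAPI layer, or the LDAP service principal of the domain controller.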
Troubleshooting

The default krb5.conf file on the ACE Management Server host contains three configuration settings:

    [libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    clockskew = 3600

The first two settings instruct the Kerberos library to use DNS to resolve the KDC host name and the realm. The third is the clock difference, in seconds, that this client tolerates between itself and the KDC. The KDC enforces its own tolerance (five minutes by default on Active Directory), so widening clockskew does not remove the need to keep the host clock synchronized with the domain controllers.

If you are having trouble integrating ACE Management Server with Active Directory, this file enables you to bypass all the DNS lookups and instead provide specific information about your network so that Kerberos will operate. If you turn off DNS lookups for realm and KDC, you must specify the KDC for your realm (domain). Following is an example of a krb5.conf file that turns off DNS lookups and defines the vmware.com realm:

    [libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    clockskew = 3600

    [realms]
    VMWARE.COM = {
        kdc = ldap.vmware.com
    }

This file tells Kerberos not to perform DNS lookups for realms and KDCs. The file also defines the KDC server for the vmware.com realm as ldap.vmware.com. Because we omitted the port number for the KDC, the default port number 88 is used. The realm name is written in upper case (VMWARE.COM): Kerberos realm names are case sensitive, and an Active Directory realm is the DNS domain name in upper case. With dns_lookup_realm turned off, the library can no longer discover which realm ldap.vmware.com belongs to; if the GSSAPI bind then fails with an unknown realm, add a default_realm setting under [libdefaults] or a [domain_realm] section that maps .vmware.com to VMWARE.COM. You can try a candidate file without editing the system one by pointing the MIT Kerberos tools at it through the KRB5_CONFIG environment variable.

For more information on krb5.conf, read the documentation that comes with your Linux distribution.

If you still have problems after modifying your krb5.conf file, modify the /etc/hosts file on your ACE Management Server host so that all hosts involved in the Active Directory configuration are included. For example, your /etc/hosts file for the vmware.com ACE Management Server might have the following entries:

    10.20.30.40  ldap.vmware.com  ldap
    10.20.30.40  vmware.com
    10.20.30.41  ams.vmware.com   ams

In this example, 10.20.30.40 is the IP for the domain controller (and LDAP server) and 10.20.30.41 is the IP address for the ACE Management Server host. Entries in /etc/hosts satisfy the forward and reverse host name lookups (the resolver consults the file before DNS), but not the _kerberos._tcp SRV lookup, which is a pure DNS query; when you rely on /etc/hosts, keep dns_lookup_kdc = false and name the KDC in krb5.conf as shown above.

VMware, Inc. 3401 Hillview Ave., Palo Alto, CA 94304 www.vmware.com
Copyright 2007 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149,843, 7,155,558, and 7,222,221; patents pending. VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Linux is a registered trademark of Linus Torvalds. All other marks and names mentioned herein may be trademarks of their respective companies.
Revision 20070807