
Example 1. In this example the external server is OpenLDAP on Windows Server 2003 as shown in the “LDAP/LDAPS - OpenLDAP Setting Example” on page 118.

1. Under the KVM ACCESS User Manager tab, select Authentication Services > Authentication Servers.

2. Select the OpenLDAP server, then click Group Authorization.

3. Click the Group has Member attribute radio button.

4. Click Add (at the top-right of the panel).

5. In this example add the groups1 group.

The OpenLDAP administrator uses this name (groups1 in the example) to create a group under OpenLDAP with the same name as the one just created on the KVM ACCESS server, as follows:

1. Open the core.schema file. The default settings we are interested in are as follows:

attributetype ( 2.5.4.31 NAME 'member'
    DESC 'RFC2256: member of a group'
    SUP distinguishedName )

objectclass ( 2.5.6.9 NAME 'groupOfNames'
    DESC 'RFC2256: a group of names (DNs)'
    SUP top STRUCTURAL
    MUST ( member $ cn )
    MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

2. Edit the kvmaccessldap.ldif file to add a definition for groups1 and have KVM ACCESS user accounts fall under groups1, as follows:

dn: cn=groups1,ou=groups,dc=apc,dc=com
objectclass: groupofnames
member: cn=kvmaccess,ou=software,dc=apc,dc=com
cn: groups1

Note:

1. The entry after dn: cn= should be the name of an actual group created under Group Authorization (see Group Authorization, page 72) on the KVM ACCESS server.

2. The entry after objectclass: should be consistent with the name that was entered for the Object class when the group was created on the KVM ACCESS server. Change the default entry in this file to match.

3. The entry after member: cn= should be an actual user login name.

3. You can check the group definition with LDAP Browser.

4. The above example has added a member, kvmaccess, to the groups1 group. To add additional members to the group, edit the file to include them. For example:

member: cn=kvmaccess-1,ou=software,dc=apc,dc=com
member: cn=kvmaccess-2,ou=software,dc=apc,dc=com

Once these procedures are completed, KVM ACCESS users who are authenticated through the LDAP/LDAPS server are authorized according to the permissions assigned to the group.

123 KVM Access Management Software User Manual

Example 2. By default OpenLDAP only supports the Group has Member attribute setting for the group-related schema. This was the setting used in Example 1. An alternative setting used by other LDAP servers, User has Member Of attribute, is also supported under OpenLDAP by extending the schema. In this example the external server is OpenLDAP on Windows Server 2003 as shown in the “LDAP/LDAPS - OpenLDAP Setting Example” on page 118.

1. Under the KVM ACCESS User Manager tab, select Authentication Services > Authentication Servers.

2. Select the OpenLDAP server, then click Group Authorization.

3. Click the User has Member Of attribute radio button.

4. Click Add (at the top-right of the panel).

5. In this example add the groups1 group.

The OpenLDAP administrator uses this name (groups1 in the example) to create a group under OpenLDAP with the same name as the one just created on the KVM ACCESS server, as follows:

1. Open the core.schema file. Extend the schema as follows:

attributetype ( 1.2.840.113556.1.2.102
    NAME 'memberof'
    DESC 'RFC2256: member of a group'
    SUP distinguishedName )

objectclass ( 1.2.840.113556.1.5.9 NAME 'person'
    SUP organizationalPerson STRUCTURAL
    MUST ( cn )
    MAY ( userPassword $ description $ sn $ mail $ memberof ) )

2. Edit the kvmaccessldap.ldif file to add a user account to the groups1 group as follows:

dn: cn=kvmaccesstest,ou=software,dc=apc,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: kvmaccesstest
sn: kvmaccesstest
memberof: cn=groups1,ou=groups,dc=apc,dc=com
userPassword: apc

Note: 1. The entry after dn: cn= should be an actual user login name.

2. The entry after objectclass: should be consistent with the name that was entered for NAME in the extended schema.

3. The entry after memberof: cn= should be the name of an actual group created under Group Authorization (see Group Authorization, page 72) on the KVM ACCESS server.


3. Check the group definition with LDAP Browser.

4. Repeat step 2 for each user account that you want to add to the group.

Once these procedures are completed, KVM ACCESS users who are authenticated through the LDAP/LDAPS server are authorized according to the permissions assigned to the group.
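The two membership models from Examples 1 and 2, as an added example (not taken from the manual or from the KVM ACCESS software): Python code that parses LDIF entries like the ones shown above, resolves a user's groups under either the Group has Member or the User has Member Of attribute, and flags userPassword values stored in clear text. The function names and the trimmed sample LDIF are assumptions made for illustration; how the KVM ACCESS server itself evaluates membership is not described on this page.

```python
# Constructed sample: the entries from Examples 1 and 2, trimmed to the relevant attributes.
SAMPLE_LDIF = """\
dn: cn=groups1,ou=groups,dc=apc,dc=com
objectclass: groupofnames
member: cn=kvmaccess,ou=software,dc=apc,dc=com
cn: groups1

dn: cn=kvmaccesstest,ou=software,dc=apc,dc=com
objectclass: person
cn: kvmaccesstest
sn: kvmaccesstest
memberof: cn=groups1,ou=groups,dc=apc,dc=com
userPassword: apc
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64 values) into attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def norm(dn):
    """Normalise a DN for comparison: lower case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def groups_for(user_dn, entries):
    """Return the group names the user belongs to under either membership model."""
    user, groups = norm(user_dn), set()
    for e in entries:
        # Group has Member attribute: the group entry lists its members' DNs.
        if user in map(norm, e.get("member", [])):
            groups.add(e["cn"][0].lower())
        # User has Member Of attribute: the user entry lists its groups' DNs.
        if norm(e["dn"][0]) == user:
            for g in e.get("memberof", []):
                groups.add(norm(g).split(",")[0].split("=", 1)[1])
    return groups

def cleartext_passwords(entries):
    """Return DNs whose userPassword value lacks a {SCHEME} hash prefix."""
    return [e["dn"][0] for e in entries
            if any(not v.startswith("{") for v in e.get("userpassword", []))]
```

Running cleartext_passwords over the LDIF file before loading it shows which accounts, such as kvmaccesstest above, would be stored with a readable password.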

Active Directory Group Authorization Setting Example

In this example the external server is Active Directory on Windows Server 2003 as shown in the “Active Directory Settings Example” on page 119.

1. Under the KVM ACCESS User Manager tab, select Authentication Services > Authentication Servers.

2. Select the Active Directory server, then click Group Authorization.

3. In this example add the KVMACCESSGP group.

The Active Directory administrator uses this name (KVMACCESSGP in our example) to create a group under Active Directory with the same name as the one just created on the KVM ACCESS server, as follows:

1. Open Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Domain (CA-QA.com in our example).

2. In the left panel, right click Domain Controllers. Select New. Select Group.

3. In the dialog box that opens, enter the name of the group (KVMACCESSGP in our example).

4. In the right panel, right click KVMACCESSGP. Select Properties. Select Members.

5. Click Add.

The dialog box that opens lets you add members to the group. The members are selected from the accounts found in the Users folder (see the left panel of the original screen).

9/2011 990-5211
