SSO Configuration of Jedox Server on Linux (on-premises only)
Below is a sample SSO configuration of a Jedox Server on Linux. You can use this configuration as a guide when setting up your own system.
The following definitions are used in the example:
- Domain is jedoxsso
- Group name is ssogroup
- Jedox group name (to be created during setup) is jedoxsso\ssogroup (see note below). For reference, see SSO Authorization Mode or SSO Authentication Mode.
- NetBIOS name of the Jedox Server is JedoxServer
- Example address for the Active Directory (AD) is:
  - IP: 192.168.2.30
  - FQDN: ADServer.jedoxsso.local
  - Shortname: ADServer
Note: the default domain separator in Windows is backslash (\), which is an escape character in UNIX/Linux systems. In some environments, this behavior may result in failure to obtain a user's groups upon login. To avoid problems, you can change the default domain separator to a more benign character, such as +. To do so, add the following line to /etc/samba/smb.conf:
winbind separator =+
Then create the Jedox groups using the new separator, e.g. DOMAIN+GroupName instead of DOMAIN\GroupName.
Configuration steps
Note: Jedox is installed inside of a cage or chroot environment. All files mentioned here are inside of the Jedox environment.
From outside of the cage, switch to the cage with:
cd /opt/jedox/ps
Then start Jedox with:
sudo ./jedox-suite.sh start
Inside the cage switch to chroot:
sudo chroot .
In /etc/samba/smb.conf adjust the following settings to match your environment:
- netbios name
- workgroup
- realm
- idmap config
[global]
netbios name = JedoxServer
workgroup = JEDOXSSO
security = ADS
realm = JEDOXSSO.LOCAL
encrypt passwords = yes
idmap config *:backend=tdb
idmap config *:range=2000-9999
idmap config JEDOXSSO:backend=rid
idmap config JEDOXSSO:schema_mode=rfc2307
idmap config JEDOXSSO:range=10000-99999
winbind nss info = rfc2307
winbind use default domain=yes
winbind enum users=yes
winbind enum groups=yes
winbind refresh tickets=Yes
vfs objects=acl_xattr
map acl inherit=Yes
store dos attributes=Yes
idmap_ldb:use rfc2307=Yes
In /etc/krb5.conf adjust default_realm to match your domain address.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = JEDOXSSO.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
In /etc/resolv.conf adjust search and nameserver to match your environment.
search JEDOXSSO.LOCAL
nameserver 192.168.2.30
In /etc/rc.d/init.d/winbind comment out the following lines using a hash sign (#):
# Source networking configuration.
#. /etc/sysconfig/network
# Check that networking is up.
#[ ${NETWORKING} = "no" ] && exit 1
In /etc/hosts add the IP, FQDN, and NetBIOS name of your AD server.
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.30 ADServer.jedoxsso.local ADServer
Set the hostname in /etc/hostname to JedoxServer.
Activate SSO in the In-Memory DB (OLAP) server
In /Data/palo.ini, add one of the following parameters, depending on the desired mode.
To enable SSO authorization mode:
windows-sso
To enable SSO authentication mode:
windows-sso-authentication
To activate the automatic login, change the following setting in /httpd/app/etc/config.php to true, e.g.:
define('CFG_AUTH_SSO', true);
Note: In Jedox Web, SSO only works against a single external Jedox OLAP connection that matches the one in config.php. You cannot use multiple Jedox OLAP instances on the same server.
If the Samba cores directory is missing, create it and restrict its permissions with the following commands:
mkdir /var/log/samba/cores
chmod -R 700 /var/log/samba/cores
chown -R root:systemd-network /var/log/samba/cores
If the winbindd_privileged directory already exists, delete and recreate it with the following commands:
rm -R /var/lib/samba/winbindd_privileged
mkdir /var/lib/samba/winbindd_privileged
chown -R root:systemd-network /var/lib/samba/winbindd_privileged
Join the domain with:
net ads join -U <username with enough rights to join domain>
or:
net join -S ADServer.jedoxsso.local -U <username with enough rights to join domain>
The output should look like the following example:
bash-4.2# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- JEDOXSSO
Joined 'JEDOXSERVER' to dns domain 'jedoxsso.local'
If you get an error, refer to Samba Troubleshooting.
Check for a broken winbind process. If there is any, kill it as in the example below:
bash-4.2# ps uax | grep winbindd
root 26156 0.0 0.0 376560 6776 ? Ss 07:35 0:00 winbindd
root 26158 0.0 0.1 380976 7640 ? S 07:35 0:00 winbindd
root 26715 0.0 0.0 379060 4644 ? S 09:01 0:00 winbindd
kill -9 26156
kill -9 26158
kill -9 26715
After joining the domain, make sure the jedoxweb group has access to secrets.tdb:
chown root:jedoxweb /var/lib/samba/private/secrets.tdb
chmod 0770 /var/lib/samba/private/secrets.tdb
Start winbind:
/etc/init.d/winbind start
Leave the chroot with the command:
exit
You are still in /opt/jedox/ps. Restart Jedox with:
./jedox-suite.sh restart
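Before restarting, it is worth auditing the files edited above from inside the chroot. The following shell function is an added example and not part of the Jedox documentation; it assumes GNU stat (-c) and the paths used on this page, and the file name audit-sso.sh is a placeholder.

```shell
#!/bin/sh
# Added post-setup audit (not part of the Jedox documentation) for the files this
# page edits inside the Jedox chroot. $1 is the chroot root ("/" when run after
# `sudo chroot .`), $2 the group that must own secrets.tdb (jedoxweb on the page).
# Returns the number of failed checks; GNU stat (-c) is assumed.
check_sso_config() {
    root="${1:-/}"; want_group="${2:-jedoxweb}"; fails=0
    smb="$root/etc/samba/smb.conf"
    palo="$root/Data/palo.ini"
    php="$root/httpd/app/etc/config.php"
    tdb="$root/var/lib/samba/private/secrets.tdb"

    # smb.conf: 'net ads join' needs ADS security and the Kerberos realm.
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ADS' "$smb" 2>/dev/null \
        || { echo "FAIL: $smb: 'security = ADS' missing"; fails=$((fails + 1)); }
    grep -Eiq '^[[:space:]]*realm[[:space:]]*=' "$smb" 2>/dev/null \
        || { echo "FAIL: $smb: 'realm' missing"; fails=$((fails + 1)); }
    # Separator note from the page: without it, group names keep the backslash.
    grep -Eiq '^[[:space:]]*winbind separator[[:space:]]*=' "$smb" 2>/dev/null \
        || printf 'WARN: %s: no winbind separator, Jedox groups must use DOMAIN\\Group\n' "$smb"

    # palo.ini: the page says to add one mode parameter, so expect exactly one.
    modes=$(grep -Ec '^[[:space:]]*windows-sso(-authentication)?[[:space:]]*$' "$palo" 2>/dev/null || true)
    [ "${modes:-0}" -eq 1 ] \
        || { echo "FAIL: $palo: expected one SSO mode line, found ${modes:-0}"; fails=$((fails + 1)); }

    # config.php: automatic login must be switched on.
    grep -Eq "define\('CFG_AUTH_SSO',[[:space:]]*true\)" "$php" 2>/dev/null \
        || { echo "FAIL: $php: CFG_AUTH_SSO is not true"; fails=$((fails + 1)); }

    # secrets.tdb: mode 0770 and group-owned by the Jedox Web group.
    mode=$(stat -c '%a' "$tdb" 2>/dev/null || true)
    grp=$(stat -c '%G' "$tdb" 2>/dev/null || true)
    [ "$mode" = "770" ] && [ "$grp" = "$want_group" ] \
        || { echo "FAIL: $tdb: want 0770 $want_group, got ${mode:-missing} ${grp:-?}"; fails=$((fails + 1)); }

    return "$fails"
}

# Stand-alone use inside the chroot: sh audit-sso.sh / jedoxweb  (file name is assumed)
if [ "$#" -gt 0 ]; then check_sso_config "$@"; fi
```

A non-zero exit status is the number of failed checks, so the function can be used directly in a scripted rollout.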
Next SSO configuration step: creating groups in Jedox according to SSO Authorization Mode or SSO Authentication Mode.
Updated July 6, 2023