SSO Configuration of Jedox Server on Linux (on-premises only)

Below is a sample SSO configuration of a Jedox Server on Linux. You can use this configuration as a guide when setting up your own system.

The following definitions are used in the example:

  • Domain is jedoxsso
  • Group name is ssogroup
  • Jedox group name (to be created during setup) is jedoxsso\ssogroup (see note below)
    For reference, see SSO Authorization Mode or SSO Authentication Mode
  • NetBIOS name of the Jedox Server is JedoxServer
  • Example address for the Active Directory (AD) is:
    • IP: 192.168.2.30
    • FQDN: ADServer.jedoxsso.local
    • Shortname: ADServer

Note: the default domain separator in Windows is the backslash (\), which is the escape character in UNIX/Linux shells. In some environments, this results in a failure to obtain a user's groups upon login. To avoid the problem, you can change the domain separator to a more benign character, such as +. To do so, add the following line to the [global] section of /etc/samba/smb.conf:

winbind separator =+

Then create the Jedox groups using the new separator, e.g. DOMAIN+GroupName instead of DOMAIN\GroupName.

Configuration steps

Note: Jedox is installed inside of a cage or chroot environment. All files mentioned here are inside of the Jedox environment.

From outside of the cage, switch to the cage with:

cd /opt/jedox/ps

Then start Jedox with:

sudo ./jedox-suite.sh start

Inside the cage, enter the chroot:

sudo chroot .

In /etc/samba/smb.conf adjust the following settings to match your environment:

  • netbios name
  • workgroup
  • realm
  • idmap config
[global]
netbios name = JedoxServer
workgroup = JEDOXSSO
security = ADS
realm = JEDOXSSO.LOCAL
encrypt passwords = yes
idmap config *:backend=tdb
idmap config *:range=2000-9999
idmap config JEDOXSSO:backend=rid
idmap config JEDOXSSO:schema_mode=rfc2307
idmap config JEDOXSSO:range=10000-99999
winbind nss info = rfc2307
winbind use default domain=yes
winbind enum users=yes
winbind enum groups=yes
winbind refresh tickets=Yes
vfs objects=acl_xattr
map acl inherit=Yes
store dos attributes=Yes
idmap_ldb:use rfc2307=Yes

In /etc/krb5.conf adjust default_realm to match your domain (Kerberos realm names are written in upper case).

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = JEDOXSSO.LOCAL
dns_lookup_kdc = true

In /etc/resolv.conf adjust search and nameserver to match your environment.

search JEDOXSSO.LOCAL
nameserver 192.168.2.30

In /etc/rc.d/init.d/winbind comment out the following lines with a hash sign (#), because there is no network configuration inside the chroot:

# Source networking configuration.
#. /etc/sysconfig/network
# Check that networking is up.
#[ ${NETWORKING} = "no" ] && exit 1

In /etc/hosts add the IP, FQDN, and NetBIOS name of your AD server.

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.2.30 ADServer.jedoxsso.local ADServer

Set /etc/hostname to JedoxServer.

Activate SSO in the In-Memory DB (OLAP) server

In /Data/palo.ini, add one of the following parameters, depending on the desired mode.

To enable SSO authorization mode:

windows-sso

To enable SSO authentication mode:

windows-sso-authentication

To activate the automatic login, change the following setting in /httpd/app/etc/config.php to true, e.g.:

define('CFG_AUTH_SSO', true);

Note: In Jedox Web, SSO only works against a single external Jedox OLAP connection, the one that matches the connection configured in config.php. You cannot use multiple Jedox OLAP instances on the same server.

If the directory /var/log/samba/cores is missing, create it and set its permissions and ownership:

mkdir /var/log/samba/cores
chmod -R 700 /var/log/samba/cores
chown -R root:systemd-network /var/log/samba/cores

If /var/lib/samba/winbindd_privileged already exists, delete and recreate it so that it has the expected ownership:

rm -R /var/lib/samba/winbindd_privileged
mkdir /var/lib/samba/winbindd_privileged
chown -R root:systemd-network /var/lib/samba/winbindd_privileged

Join the domain, using an account that is allowed to join computers to it:
net ads join -U <username with enough rights to join domain>
or:
net join -S ADServer.jedoxsso.local -U <username with enough rights to join domain>

Then it should look like the following example:

bash-4.2# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- JEDOXSSO
Joined 'JEDOXSERVER' to dns domain 'jedoxsso.local'

If you get an error, refer to Samba Troubleshooting.

Check for stale winbindd processes left over from before the join. If any are running, kill them as in the example below:

bash-4.2# ps uax | grep winbindd
root 26156 0.0 0.0 376560 6776 ? Ss 07:35 0:00 winbindd
root 26158 0.0 0.1 380976 7640 ? S 07:35 0:00 winbindd
root 26715 0.0 0.0 379060 4644 ? S 09:01 0:00 winbindd
kill -9 26156
kill -9 26158
kill -9 26715

After joining the domain, make sure the jedoxweb group has access to secrets.tdb. This file holds the machine account password obtained during the join, so grant exactly the access shown and no more (in particular, never make it world-readable):

chown root:jedoxweb /var/lib/samba/private/secrets.tdb
chmod 0770 /var/lib/samba/private/secrets.tdb

Start winbind:

/etc/init.d/winbind start

Leave the chroot with:

exit

You are back in /opt/jedox/ps as your normal user. Restart Jedox with:

sudo ./jedox-suite.sh restart
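The steps above are easy to get subtly wrong (a lower-case realm, a workgroup that does not match the realm, overlapping idmap ranges, a missing /etc/hosts entry, or secrets.tdb left with wider permissions than intended), and the failures only show up later as a failed join or as users logging in without groups. The following POSIX shell script is an added example, not part of the Jedox documentation: it re-reads the files edited above and checks them for exactly those mistakes. The ini_get helper, the environment variables (SMB_CONF, KRB5_CONF, HOSTS_FILE, SECRETS_TDB, AD_IP, AD_FQDN, AD_SHORT) and the file name sso-check.sh are this example's own conventions; the defaults are the chroot paths used in the procedure, which from outside the cage live under /opt/jedox/ps.

```shell
#!/bin/sh
# Added example (not from the Jedox documentation): sanity checks for the
# Samba/Kerberos SSO configuration. Variable names are this script's own.

# ini_get SECTION KEY FILE: value of KEY inside [SECTION] of an ini-style file
# (smb.conf, krb5.conf). Key match is case-insensitive, spaces around '=' are
# optional, lines starting with '#' or ';' are comments.
ini_get() {
    awk -v sect="[$1]" -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { cur = $0; gsub(/[ \t]/, "", cur); next }
        tolower(cur) == tolower(sect) && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+/, "", k); gsub(/[ \t]+$/, "", k)
            gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$3"
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_smb_conf FILE: the settings the procedure tells you to adjust.
# Prints one line per problem and returns 1 if there is any.
check_smb_conf() {
    f=$1; problems=0
    realm=$(ini_get global realm "$f"); wg=$(ini_get global workgroup "$f")
    [ "$(lower "$(ini_get global security "$f")")" = ads ] ||
        { echo "security must be ADS for a domain member"; problems=1; }
    # Kerberos realm names are case-sensitive; AD realms are upper case.
    if [ -z "$realm" ] || [ "$realm" != "$(upper "$realm")" ]; then
        echo "realm '$realm' must be set and upper case"; problems=1
    fi
    # workgroup is the short (NetBIOS) domain name, i.e. the realm's first label.
    [ "$wg" = "${realm%%.*}" ] ||
        { echo "workgroup '$wg' does not match realm '$realm'"; problems=1; }
    # The per-domain idmap block is keyed by the workgroup and its range must
    # not overlap the default '*' range, otherwise IDs collide.
    [ -n "$(ini_get global "idmap config $wg:backend" "$f")" ] ||
        { echo "no 'idmap config $wg:backend' entry"; problems=1; }
    def=$(ini_get global 'idmap config *:range' "$f")
    dom=$(ini_get global "idmap config $wg:range" "$f")
    if [ -z "$def" ] || [ -z "$dom" ]; then
        echo "idmap ranges for '*' and '$wg' must both be set"; problems=1
    elif ! { [ "${def#*-}" -lt "${dom%-*}" ] || [ "${dom#*-}" -lt "${def%-*}" ]; }; then
        echo "idmap range '$def' (default) overlaps '$dom' ($wg)"; problems=1
    fi
    # The note at the top of the page: a backslash separator can break group lookups.
    sep=$(ini_get global 'winbind separator' "$f")
    if [ -z "$sep" ] || [ "$sep" = '\' ]; then
        echo "warning: winbind separator is backslash; consider 'winbind separator = +'"
    fi
    return $problems
}

# check_krb5 KRB5_CONF SMB_CONF: default_realm must be the realm Samba uses.
check_krb5() {
    kr=$(ini_get libdefaults default_realm "$1"); sr=$(ini_get global realm "$2")
    [ -n "$kr" ] && [ "$kr" = "$sr" ] ||
        { echo "krb5 default_realm '$kr' does not match smb.conf realm '$sr'"; return 1; }
}

# check_hosts FILE IP FQDN SHORT: the AD server must be pinned with both names.
check_hosts() {
    awk -v ip="$2" -v fqdn="$3" -v short="$4" '
        /^[ \t]*#/ { next }
        $1 == ip { for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 } }
        END { exit !(f && s) }' "$1" ||
        { echo "$1: no line mapping $2 to both $3 and $4"; return 1; }
}

# check_secrets_perms FILE OWNER GROUP: secrets.tdb holds the machine account
# password from the join; it must be OWNER:GROUP with mode 0770, nothing wider.
check_secrets_perms() {
    set -- "$1" "$2" "$3" $(ls -ld "$1" 2>/dev/null)   # $4 mode, $6 owner, $7 group
    mode=${4%[.+]}                                      # drop SELinux/ACL marker
    [ "$mode" = "-rwxrwx---" ] && [ "$6" = "$2" ] && [ "$7" = "$3" ] ||
        { echo "$1 is ${6:-?}:${7:-?} ${4:-missing}, expected $2:$3 -rwxrwx---"; return 1; }
}

# run_checks: everything above against the chroot files. From outside the cage:
#   SMB_CONF=/opt/jedox/ps/etc/samba/smb.conf KRB5_CONF=/opt/jedox/ps/etc/krb5.conf \
#   HOSTS_FILE=/opt/jedox/ps/etc/hosts SECRETS_TDB=/opt/jedox/ps/var/lib/samba/private/secrets.tdb \
#   sh sso-check.sh --run
run_checks() {
    overall=0
    check_smb_conf "${SMB_CONF:-/etc/samba/smb.conf}" || overall=1
    check_krb5 "${KRB5_CONF:-/etc/krb5.conf}" "${SMB_CONF:-/etc/samba/smb.conf}" || overall=1
    check_hosts "${HOSTS_FILE:-/etc/hosts}" "${AD_IP:-192.168.2.30}" \
        "${AD_FQDN:-ADServer.jedoxsso.local}" "${AD_SHORT:-ADServer}" || overall=1
    # secrets.tdb only exists after the join; run again after "net ads join".
    check_secrets_perms "${SECRETS_TDB:-/var/lib/samba/private/secrets.tdb}" root jedoxweb || overall=1
    return $overall
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it once before `net ads join` (expect only the secrets.tdb line to fail) and once after the chown/chmod of secrets.tdb; a clean run means the static parts of the setup agree with each other, and any remaining failure is on the AD side, where `net ads testjoin` and `wbinfo -t` from the Samba Troubleshooting page take over.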

Next SSO configuration step: creating groups in Jedox according to SSO Authorization Mode or SSO Authentication Mode.

Updated June 7, 2024