11.6. Managing Authentication Databases
The Virtuozzo Automator security authentication mechanism allows you to grant access to physical servers and their virtual environments both to users on your local computer and to users stored in external Microsoft Active Directory databases.
Note
Other LDAP-compliant databases, like OpenLDAP for Linux, are supported with some restrictions, see below.
During its installation on the physical server, the Virtuozzo Automator software creates two special databases containing the information on local user accounts:
The System database: this database is identical to the system database created by any operating system; it contains the information on the users and groups registered in the Host OS and defines the rights these users and groups have with respect to system administration.
The Virtuozzo internal database: this database contains VA-specific users and groups.
Along with the user databases created by the Virtuozzo Automator software by default, you can also register external user databases located on virtually any computer on your network and allow the users from these databases to access physical servers and their virtual environments. So, you do not need to manually create these users and add them to the Virtuozzo internal database. The only requirement a database must meet to be registered in Virtuozzo Automator is that it must be based on the Microsoft Active Directory technology. For example, if the user’s login information is stored on an external domain controller running an Active Directory (AD) server, you can register this controller in Virtuozzo Automator and allow the users registered in the AD directory to be authenticated by the controller itself rather than going through the authentication process on the physical server. The user authorization, however, still takes place on the physical server, and the user gets the rights and privileges in accordance with the role(s) assigned to them on this physical server.
If you wish to use an OpenLDAP directory in Linux environments in a similar way, you should make sure that this directory complies with the Microsoft Active Directory schema. In particular, it must have the following attribute types: objectSid, groupType, userPrincipalName, userParameters, preferredOU; and the following object classes: container, securityPrincipal, User, Group, foreignSecurityPrincipal, domainDNS.
For additional details on these attribute types and object classes, consult the official Microsoft Active Directory schema.
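A pre-registration check for the schema requirement above, added here as an example and not part of the Virtuozzo Automator product: it parses a subschema LDIF export (the kind an ldapsearch of the cn=Subschema entry returns; the sample below is constructed, with placeholder OIDs) and reports which of the required attribute types and object classes are missing, matching names case-insensitively as LDAP does.

```python
import re

# Attribute types and object classes the page requires of an OpenLDAP directory.
REQUIRED_ATTRIBUTE_TYPES = {"objectSid", "groupType", "userPrincipalName",
                            "userParameters", "preferredOU"}
REQUIRED_OBJECT_CLASSES = {"container", "securityPrincipal", "User", "Group",
                           "foreignSecurityPrincipal", "domainDNS"}

# Constructed sample subschema export (as returned by an ldapsearch of cn=Subschema); OIDs
# are placeholders. It lacks userParameters and domainDNS and uses lower-case class names.
SAMPLE_SUBSCHEMA_LDIF = """\
dn: cn=Subschema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'objectSid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'groupType' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.1.3 NAME 'userPrincipalName'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.1.4 NAME 'preferredOU' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'container' SUP top STRUCTURAL MUST cn )
objectClasses: ( 1.3.6.1.4.1.99999.2.2 NAME 'securityPrincipal' SUP top AUXILIARY MUST objectSid )
objectClasses: ( 1.3.6.1.4.1.99999.2.3 NAME ( 'user' 'inetUser' ) SUP organizationalPerson STRUCTURAL )
objectClasses: ( 1.3.6.1.4.1.99999.2.4 NAME 'group' SUP top STRUCTURAL )
objectClasses: ( 1.3.6.1.4.1.99999.2.5 NAME 'foreignSecurityPrincipal' SUP top STRUCTURAL )
"""

def _names(definition):
    """Extract the NAME value(s) of an RFC 4512 schema definition: NAME 'x' or NAME ( 'x' 'y' )."""
    m = re.search(r"NAME\s+(?:'([^']+)'|\(((?:\s*'[^']+')+)\s*\))", definition)
    if not m:
        return []
    return [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))

def parse_subschema_ldif(ldif_text):
    """Return (attribute type names, object class names) declared in a subschema LDIF export."""
    unfolded = re.sub(r"\n ", "", ldif_text)  # LDIF folds long values onto lines starting with a space
    attrs, classes = set(), set()
    for line in unfolded.splitlines():
        if line.startswith("attributeTypes:"):
            attrs.update(_names(line))
        elif line.startswith("objectClasses:"):
            classes.update(_names(line))
    return attrs, classes

def missing_schema_elements(attrs, classes):
    """Required names not declared; LDAP schema names are case-insensitive, so compare lower-cased."""
    have_attrs = {a.lower() for a in attrs}
    have_classes = {c.lower() for c in classes}
    return (sorted(a for a in REQUIRED_ATTRIBUTE_TYPES if a.lower() not in have_attrs),
            sorted(c for c in REQUIRED_OBJECT_CLASSES if c.lower() not in have_classes))
```

Run `missing_schema_elements(*parse_subschema_ldif(text))` on a real export; an empty pair of lists means the directory declares everything the registration requires, while the constructed sample reports userParameters and domainDNS as missing.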
Virtuozzo Automator allows you to manage authentication databases as follows:
view detailed information on the authentication database currently registered on the physical server;
remove a registered authentication database from the physical server;
register a new authentication database on the physical server.
11.6.1. Viewing Authentication Databases
The Authentication Databases tab (displayed on following the Security link on the Virtuozzo Automator main menu) allows you to view a list of user databases currently registered on the physical server and used to authenticate the users trying to log in to the physical server (or Server Group, or virtual environments) through Virtuozzo Automator.
The general information on Virtuozzo Automator authentication databases is given in Managing Authentication Databases.
The information on databases is presented in the table having the following columns:
| Column | Description |
|---|---|
| Name | The name assigned to the authentication database. |
| Address | The hostname or IP address of the server where the LDAP-compliant user database is residing. |
| Port | The port number to be used to connect to the database on the server. The default port for databases hosted by Windows Active Directory and Linux LDAP is 389. |
By default, 20 databases are displayed on a page. To change the number of databases shown per page, click the appropriate link below the table. You can also filter the databases shown in the Authentication Databases table. To do that, click Show Search, enter search patterns in the search fields, and click Search. To change what search fields are displayed, click Customize. To have the full list of databases back, click Reset Results.
On the Authentication Databases tab you can:
Remove an existing database by selecting the check box near the corresponding realm and clicking the Delete button.
Register a new database by following the Register Database link at the top of the Authentication Databases table.
11.6.2. Registering New Database
Along with the databases registered by VA by default, you can register your own user databases, thus allowing user authentication through external servers. The requirements for these databases can be found in the Managing Authentication Databases section. You can register a new authentication database on the Register Authentication Database screen, which can be displayed by following the Security link on the Virtuozzo Automator menu, clicking the Authentication Databases tab, and following the Register Database link at the top of the Authentication Databases table. On this screen you should provide the following parameters for the database:
Database Name (mandatory): specify an arbitrary name to be assigned to the database; you can choose any descriptive name you like. This name will be displayed in the Authentication Databases table and identify the given database among other databases registered in Virtuozzo Automator.
Server Address (mandatory): enter the hostname or IP address of the server storing the user database.
Port (mandatory): indicate the port number to be used to connect to the user database on the server. The default port for databases hosted by Windows Active Directory and Linux LDAP is 389.
Login: type the name of the user with the administrative credentials for the server indicated above.
Password: enter the password of the user specified in the Login field.
Domain: enter the name of the domain, if any, where the server hosting the user database resides.
Note
If the Virtuozzo Automator Master Server is running Linux and you are registering a Windows Active Directory database, you must fill in this field. If you are registering an OpenLDAP database, you must leave this field empty. Doing otherwise will make it impossible to import the user information into Virtuozzo Automator.
Base DN (mandatory): specify a distinguished name uniquely identifying the entry of the user specified in the Login field in the authentication database.
Default DN: indicate the default distinguished name used for the user’s entry in the authentication database.
After providing the necessary information, click the Submit button to start registering the database. After a while, the registered database will be displayed in the table on the Authentication Databases tab of the Security screen.
Note
To be able to use Virtuozzo Automator, users should have the privilege to log in to Virtuozzo Automator, which can be defined in the global (Server Group) scope only. The easiest way to do this is to include the corresponding users from the external database in the precreated Virtuozzo Automator Users group.
11.6.3. Viewing Database Details
On this screen, you may review the detailed information on any authentication database currently registered on the physical server. To display this page, follow the Security link on the Virtuozzo Automator menu, click the Authentication Databases tab on the Security screen, and then click the name of the database whose details you wish to view.
| Field | Description |
|---|---|
| Server Address | The hostname or IP address of the server storing the database. |
| Port | The port number to be used to connect to the database on the server. The default port for databases hosted by Windows Active Directory and Linux LDAP is 389. |
| Login | The name of the user with the administrative credentials for the server indicated above. |
| Domain | The name of the domain, if any, where the server hosting the database resides. |
| Base DN | The distinguished name uniquely identifying the database entry of the user specified in the Login field (the name of the root directory). |
| Default DN | The default distinguished name used for the user’s entry in the database (the complete navigation path to the users’ storage directory). |
If you want to change the details of the database, click the Configure icon on the Virtuozzo Automator toolbar (not available for the Virtuozzo internal authentication database).
11.6.4. Configuring Database Details
You can edit the properties of an existing database on the Configure screen which can be accessed by following the Security link on the Virtuozzo Automator menu, clicking the Authentication Databases tab on the Security screen, clicking the name of the database whose parameters you wish to configure in the Authentication Databases table, and, in the displayed window, clicking the Configure button on the upper toolbar.
Note
You cannot modify the details of the Virtuozzo internal and the System databases. These databases are automatically created on the physical server.
The Configure screen allows you to edit the following database details:
In the General Settings section, you can change the name of the database by typing the desired name in the Database Name field.
In the Connection Settings section, you can change the address of the server storing the database by typing another domain name or IP address in the Server Address field. In this section, you can also specify another port number to be used to connect to the database on the server.
In the Login Settings section, you can rename the user with the administrative credentials for the server storing the database, enter a password for it and enter the name of the domain, if any, where the server resides.
In the Directory Settings section, you can change the distinguished name uniquely identifying the database entry of the user with the administrative credentials and the default distinguished name used for the users’ entries.
After you have configured the database parameters in the proper way, click Submit for the changes to take effect. Otherwise, click Cancel.