PC SOFT ONLINE HELP: WINDEV, WEBDEV AND WINDEV MOBILE

Authentication via Active Directory
HFSQL Client/Server: available only with this type of connection.
Overview
Kerberos is an authentication mode based on tickets and secret keys. It is the mode used by Windows and Active Directory.
From version 23, the HFSQL server can be configured to authenticate users according to the Kerberos standard. The user's Kerberos account (Active Directory account, etc.) is used.
Prerequisite
Before implementing authentication via Active Directory, a domain user account must be created.
This account must have at least the following rights:
  • Read and Write access to the database directory and to the HFConf.INI file.
  • access to the server binaries (manta64.exe, *.exe, etc.), at least Read and Write so that automatic data updates can be applied.
Remark: For efficient hot backups, this account must also hold the corresponding local right on the volume ("Perform volume maintenance tasks").
Implementation for a Windows HFSQL server

Automatic setup

When installing or updating an HFSQL server in version 23 (or later), the setup wizard automatically performs the necessary steps.
Once the HFSQL server is installed, the server configuration must be finalized. To do so, run the following command line with an account that has rights on the domain:
setspn -U -S HFSQL/<srv1.mydomain.com> <account name>
where:
  • <srv1.mydomain.com> is the full name (FQDN) of the computer hosting the HFSQL server.
  • <account name> is the name of the domain user account created in the prerequisite.

Manual setup

For information, the following steps implement authentication via Active Directory for an HFSQL server for Windows (version 23 or later):
  1. Install an HFSQL server (version 23 or later) on a computer.
  2. Change the account running the HFSQL server service to the domain user account created in the prerequisite.
    Caution: This account must have the rights to access the database directory and the HFConf.INI file.
  3. Create the ServicePrincipalName by running the following command line with an account that has rights on the domain:
    setspn -U -S HFSQL/<srv1.mydomain.com> <account name>
    where:
    • <srv1.mydomain.com> is the full name (FQDN) of the computer hosting the HFSQL server.
    • <account name> is the name of the domain user account created in the prerequisite.
  4. Enable Active Directory support on the server:
Implementation for a Linux HFSQL server
The following steps implement authentication via Active Directory for an HFSQL server for Linux (version 23 or later):
  1. Join the server to the domain if this has not already been done. On a recent Linux distribution, the following command can be used:
    >sudo realm join mondomaine.com -U 'admin@MONDOMAIN.COM' -v
    where:
    • mondomaine.com is the domain name.
    • admin@MONDOMAIN.COM is an account with the rights needed to add a computer to the domain.
  2. Check that the server retrieves information from the Active Directory controller by typing the command:
    >id <account name>@mondomain.com
    where <account name> is the name of the domain user account created in the prerequisite.
    The following information is displayed:
    uid=10003(<account name>@mondomain.com)
    gid=10000(utilisa.dudomaine@mondomain.com)
    groups=10000(utilisa.dudomaine@mondomain.com),10000(compta@mondomain.com)
  3. Create the ServicePrincipalName by running the following command line on a Windows computer with an account that has rights on the domain:
    setspn -U -S HFSQL/<srv1.mydomain.com> <account name>
    where:
    • <srv1.mydomain.com> is the full name (FQDN) of the computer hosting the HFSQL server.
    • <account name> is the name of the domain account created in the prerequisite.
  4. Configure the "keytab":
    >kinit <account name>@MONDOMAIN.COM
    >kvno HFSQL/srv1.mondomain.com
    HFSQL/srv1.mondomain.com@MONDOMAIN.COM:kvno = 2
    >ktutil
    ktutil: addent -password -p HFSQL/srv1.mondomain.com@MONDOMAIN.COM -k <kvno> -e aes256-cts-hmac-sha1-96
    ktutil: addent -password -p HFSQL/srv1.mondomain.com@MONDOMAIN.COM -k <kvno> -e rc4-hmac
    ktutil: wkt /opt/<account name>/<account name>.keytab
    quit

    where:
    • <kvno> is the number returned by the kvno command,
    • srv1.mondomain.com is the full name of the server computer,
    • MONDOMAIN.COM is the domain name (always in uppercase characters),
    • <account name> is the name of the domain account created in the prerequisite.
    Adapt the path in the 'wkt' command to store the "keytab" in an appropriate location, and check that the HFSQL server account has sufficient rights to read this file.
  5. The "libgssapi_krb5.so" library is required. Depending on the distribution, you may have to create a symbolic link named "libgssapi_krb5.so" that points to the versioned "libgssapi_krb5.so.x".
  6. Configure the HFSQL server by adding the following lines to the server's HFConf.ini file:
    [ActiveDirectory]
    Enable=1
    KerberosKeyFile=/opt/<account name>/<account name>.keytab

    where <account name> is the name of the domain account created in the prerequisite.
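The Linux procedure above is mostly typed by hand; the following POSIX shell helpers cover its checkable parts (step 2: did `id` resolve the account through the domain controller; step 4: generating the ktutil command sequence and verifying the keytab's file mode; step 6: the HFConf.ini fragment). This is an added example and not PC SOFT's code. The account name hfsqlsvc, the group names, the keytab path /opt/hfsql/hfsql.keytab and the 600/400 file mode it enforces are assumptions chosen for the example; the `id` output it parses is constructed in the same shape as the documented one.

```shell
#!/bin/sh
# Added example, not PC SOFT's code: helpers for the Linux HFSQL Active
# Directory setup (steps 2, 4 and 6). The account name "hfsqlsvc", the
# keytab path "/opt/hfsql/hfsql.keytab" and the 600/400 mode are assumptions.
set -eu

# Step 2: does the captured output of `id <account>@<domain>` show that the
# account was resolved by the domain controller, i.e. uid=NNN(<principal>)?
#   $1 = captured `id` output, $2 = expected principal (hfsqlsvc@mondomain.com)
id_resolves_domain_account() {
    printf '%s\n' "$1" | grep -q "uid=[[:space:]]*[0-9][0-9]*($2)"
}

# Step 2 (continued): is the account a member of a given domain group?
# Useful because HFSQL maps domain groups to server groups (see "Management
# of rights on the server").
#   $1 = captured `id` output, $2 = group principal (compta@mondomain.com)
id_in_domain_group() {
    printf '%s\n' "$1" | grep -q "groups=.*[0-9]($2)"
}

# Step 4: build the ktutil command sequence for the HFSQL service principal.
#   $1 = server FQDN, $2 = Kerberos realm (must be uppercase),
#   $3 = kvno as returned by `kvno HFSQL/<fqdn>`, $4 = keytab path
# The two addent lines mirror the documented ones (AES256 and rc4-hmac).
build_ktutil_script() {
    fqdn=$1
    realm=$2
    kvno=$3
    keytab=$4
    case "$realm" in
        *[[:lower:]]*) echo "realm must be uppercase: $realm" >&2; return 1 ;;
    esac
    case "$kvno" in
        ''|*[!0-9]*) echo "kvno must be a number: $kvno" >&2; return 1 ;;
    esac
    principal="HFSQL/$fqdn@$realm"
    printf 'addent -password -p %s -k %s -e aes256-cts-hmac-sha1-96\n' "$principal" "$kvno"
    printf 'addent -password -p %s -k %s -e rc4-hmac\n' "$principal" "$kvno"
    printf 'wkt %s\n' "$keytab"
    printf 'quit\n'
}

# Step 4 check: the keytab holds the service's long-term key, so it should be
# readable by the HFSQL server account only (mode 600 or 400).
#   $1 = keytab path
keytab_mode_ok() {
    [ -f "$1" ] || { echo "missing keytab: $1" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "keytab $1 has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# Step 6: the HFConf.ini fragment that enables Active Directory support.
#   $1 = keytab path
build_hfconf_fragment() {
    printf '[ActiveDirectory]\nEnable=1\nKerberosKeyFile=%s\n' "$1"
}

# Demo: `sh hfsql_ad_setup.sh demo` prints the generated ktutil script and
# HFConf.ini fragment for the assumed values.
if [ "${1:-}" = "demo" ]; then
    build_ktutil_script srv1.mondomain.com MONDOMAIN.COM 2 /opt/hfsql/hfsql.keytab
    build_hfconf_fragment /opt/hfsql/hfsql.keytab
fi
```

The ktutil sequence can be fed to `ktutil` on standard input once the values are checked; the rc4-hmac entry is generated only because the page lists it, and it can be dropped where the domain no longer issues RC4 tickets. The mode check is the concrete form of "check that the HFSQL server has sufficient rights to access this file": the file must be readable by the service account, and by nobody else.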
Use

Connection

The following syntax describes a connection that authenticates via Active Directory:
cnx_sso is Connection
cnx_sso.Provider = hAccessHFClientServer
cnx_sso.Server = "srv1.mondomaine.com"
cnx_sso.ActiveDirectory = True
This connection logs on to the server with the identity of the current user. The user does not have to enter their credentials again (Single Sign-On).
Note: On Windows, and on Linux with a compatible Kerberos layer, the following syntax forces the use of another domain account:
cnx is Connection
cnx.Provider = hAccessHFClientServer
cnx.Server = "srv1.mondomaine.com"
cnx.ActiveDirectory = True
cnx.User = "<account name>@mondomaine.com"
cnx.Password = "xxxxxx"

Management of rights on the server

On the HFSQL server, you can create users and groups that correspond to domain accounts and domain groups respectively.
When a user connects with a domain account:
  • The list of groups the user belongs to is automatically updated from the domain group information.
  • If the user does not exist on the server but belongs to a domain group that has a corresponding HFSQL group, the user account is created automatically (with no rights of its own; it inherits the group's rights).
Minimum version required
  • Version 23