Active Directory Integration

Description

TACTIC provides the ability to easily connect to any active directory installation for both authentication and for synchronization of user data. With a set of directives in the TACTIC configuration file, it is possible to connect to Active Directory for authentication and user information.

This synchronization takes place at login time. At that point, TACTIC takes the desired information for a particular user and caches it in the "sthpw/login" search type. Subsequent requests normally use the ticket issued at login time; on these requests, Active Directory is not queried again until the ticket expires or the user signs out of the application.

Prerequisites

The active directory modules make use of the win32 libraries for Python. These must be installed in order for the connection to Active Directory to function properly.

Configuration

There are a number of directives in the TACTIC config file that can be used to configure the active directory settings. These allow you to adjust TACTIC behavior to suit the needs of the facility.

In order to turn on active directory authentication, you must change the authenticate class to the following:

authenticate_class: tactic.active_directory.ADAuthenticate

The following directives can be set under the active directory category:

domains: This is a "|" delimited list of the domains that exist in the network. If specified, a selection box for domains will be added to the login page.

handle_groups: If set to true, TACTIC uses the group information from AD to drive TACTIC group membership on each login attempt.

default_groups: defines the default groups that a user will belong to if none is specified. Multiple groups are delimited by "|".

default_license_type: determines the default license type for a user if none is specified in the Active Directory attribute "tacticLicenceType".

Example of Typical Entry

Below is an example of a typical entry in the TACTIC config file:

<active_directory>

<domains>xxx|yyy|zzz</domains>

<allow>tacticEnabled</allow>

<handle_groups>true</handle_groups>

<default_groups>client</default_groups>

<default_license_type>user</default_license_type>

</active_directory>

Example Configurations

Allow anyone to login:

<active_directory>

<allow>all</allow>

</active_directory>

Allow anyone to login; a user with no groups specified will be put in the "client" group:

<active_directory>

<allow>all</allow>

<default_groups>client</default_groups>

</active_directory>

Only allow those with the attribute tacticEnabled in Active Directory set to "true":

<active_directory>

<allow>tacticEnabled</allow>

</active_directory>

Enable users to select a domain (xxx, yyy or zzz) in the login screen:

<active_directory>

<allow>all</allow>

<domains>xxx|yyy|zzz</domains>

</active_directory>

Case Insensitive Login

For Active Directory in Windows, it is recommended to turn on case_insensitive_login. You can set this in the <security> section:

<case_insensitive_login>true</case_insensitive_login>

Mapping

Active Directory attributes use camel case notation (aaaBbbCcc), while TACTIC uses lowercase with underscore separators for columns (aaa_bbb_ccc). In order to maintain consistency within the TACTIC application, a mapping of columns from Active Directory to TACTIC is provided. The following mappings are made by default:

Active Directory attribute    TACTIC column
mail                          email
telephoneNumber               phone_number
department                    department
displayName                   first_name, last_name (broken up)
tacticLicenceType             license_type

The Active Directory variable "tacticLicenseType" is a custom attribute that indicates which type of license a particular user can occupy in TACTIC. If this attribute is missing from a user's Active Directory profile, the "user" license_type is assumed. This attribute can be used to determine whether a particular user in Active Directory is allowed to login to TACTIC.

The only supported license types for this attribute are "user" and "default". Other license types have not been implemented yet.
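The following is an added example, not TACTIC's own code, showing how the Example Configurations and the mapping above fit together: it reads the <active_directory> directives, applies the <allow> rule (all, or an attribute such as tacticEnabled that must be "true"), maps the AD attributes to sthpw/login columns, splits displayName, and falls back to default_license_type. The <config> root element, the split of displayName on its first space, and the sample values are assumptions.

```python
import xml.etree.ElementTree as ET
# Default attribute -> column mapping listed on the page
AD_TO_TACTIC = {
    "mail": "email",
    "telephoneNumber": "phone_number",
    "department": "department",
    "tacticLicenceType": "license_type",
}

# Constructed config fragment; the <config> root element is an assumption
CONFIG_XML = """<config>
  <active_directory>
    <allow>tacticEnabled</allow>
    <default_license_type>user</default_license_type>
  </active_directory>
</config>"""

def load_ad_config(xml_text):
    """Return the <active_directory> directives as a dict of tag -> text."""
    root = ET.fromstring(xml_text)
    section = root if root.tag == "active_directory" else root.find("active_directory")
    if section is None:
        return {}
    return {child.tag: (child.text or "").strip() for child in section}

def is_allowed(ad_config, attrs):
    """<allow>all</allow> admits everyone; any other value names an AD
    attribute that must read "true" (compared case-insensitively)."""
    allow = ad_config.get("allow", "all")
    if allow == "all":
        return True
    return str(attrs.get(allow, "")).lower() == "true"

def map_attributes(ad_config, attrs):
    """Build the sthpw/login columns for one user. displayName is 'broken up'
    into first_name/last_name; splitting on the first space is an assumption."""
    login = {}
    for ad_name, column in AD_TO_TACTIC.items():
        if ad_name in attrs:
            login[column] = attrs[ad_name]
    display = attrs.get("displayName", "").strip()
    if display:
        login["first_name"], _, login["last_name"] = display.partition(" ")
    # Missing tacticLicenceType -> default_license_type directive -> "user"
    license_type = login.get("license_type") or ad_config.get("default_license_type") or "user"
    if license_type not in ("user", "default"):  # only types the page supports
        raise ValueError("unsupported license type: %s" % license_type)
    login["license_type"] = license_type
    return login
```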

Groups

On login, TACTIC looks at all of the groups that a user belongs to in Active Directory and matches those group names to the "ad_login_group" column in the "sthpw/login_group" search type. The group list is synchronized at this time, removing the user from groups not specified in Active Directory and adding those that are specified. This means that Active Directory is in full control of the groups that a user is part of, and group membership must therefore be managed entirely in Active Directory.

For the name of the group, there is a utility script which can be run to get the group info of a user. It can be found in src/tactic/active_directory:

python ad_get_user_info.py -d <domain> -u <user_login_name>

It will return a list of attributes related to that user, and you will see lines like:

sAMAccountName: ...

displayName: ...

title: ...

sn: ...

mail: ...

memberOf: .....

TACTIC only looks at the root of the path to map the group name. For example, an active directory group with the following distinguished name:

memberOf: CN=supervisor,OU=Users,OU=EIS,DC=domain,DC=us,DC=xxxx,DC=com

If you just want to adopt the same group name, create a group with "supervisor" entered into the "group" column. If you want the group to appear under a different name in TACTIC, enter "supervisor" in the "ad_login_group" column and set the "group" column to any name you like.
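An added example (not TACTIC's own code) of the group handling described in this section: it takes the root CN of each memberOf distinguished name, looks it up in the ad_login_group column, and computes which TACTIC groups to add and remove so that Active Directory stays authoritative. The login_group rows, the fallback to default_groups when nothing matches, and the sample memberOf values other than the page's own are constructed.

```python
# Constructed sthpw/login_group rows: ad_login_group -> TACTIC "group" column
LOGIN_GROUPS = {
    "supervisor": "supervisor",      # same name in AD and TACTIC
    "tactic_artists": "artist",      # AD name shown under a different TACTIC name
    "client": "client",
}

def ad_group_name(dn):
    """Take the root of the distinguished name, i.e. the CN of the first RDN:
    'CN=supervisor,OU=Users,OU=EIS,DC=domain,DC=us,DC=xxxx,DC=com' -> 'supervisor'.
    Simplification: backslash-escaped commas inside the CN are not handled."""
    first_rdn = dn.split(",", 1)[0]
    key, _, value = first_rdn.partition("=")
    if key.strip().upper() != "CN":
        return None
    return value.strip()

def groups_from_member_of(member_of, login_groups, default_groups=()):
    """Map each memberOf DN to a TACTIC group via ad_login_group; AD groups
    with no matching row are ignored. Falling back to default_groups when
    nothing matches is an assumption about the default_groups directive."""
    names = set()
    for dn in member_of:
        cn = ad_group_name(dn)
        if cn in login_groups:
            names.add(login_groups[cn])
    return names or set(default_groups)

def sync_groups(current, desired):
    """Active Directory is authoritative: return (to_add, to_remove)."""
    return sorted(desired - current), sorted(current - desired)

# Constructed sample: the user is in three AD groups, one unknown to TACTIC
MEMBER_OF = [
    "CN=supervisor,OU=Users,OU=EIS,DC=domain,DC=us,DC=xxxx,DC=com",
    "CN=tactic_artists,OU=Groups,DC=domain,DC=com",
    "CN=Domain Users,CN=Users,DC=domain,DC=com",
]

def example():
    """User currently in client+artist; AD says supervisor+artist."""
    desired = groups_from_member_of(MEMBER_OF, LOGIN_GROUPS, ["client"])
    return sync_groups({"client", "artist"}, desired)
```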


Exceeding License

If, on logging in, the number of users would exceed the number of users permitted by the license, that user is denied access and no entry is made in the "sthpw/login" search type. All other users already registered can continue to work normally.