
Connecting to Active Directory

FME Server's security framework can be configured to use Active Directory for user authentication and user grouping. In this manner, a server administrator can utilize an existing user account database and associated security permissions.

In Active Directory, user accounts are given security permissions by placing them in one or more security groups. The integration works by effectively mapping Active Directory security groups to FME Server roles. In the Web User Interface, a role is then given a set of resources it can access and permissions on those resources. Therefore, if a security group has access to a particular resource, so do its member users.

Note:  FME Server includes the fmesuperuser role, which allows full access to all server resources. It is not possible to map an Active Directory security group to this role in the same manner as other roles. For more information, see Enabling fmesuperuser Privileges in Active Directory.

Getting Started

To configure FME Server to use Active Directory, three steps are required:

  1. Identify security groups to allow access.
  2. Add each security group as a user role.
  3. Enable Active Directory integration in the FME Server configuration file.

These steps are described in detail in the following sections.

This document assumes that you have not modified FME Server security components and that you are using the default security settings that ship with FME Server (that is, the built-in database security module).

Identify Security Groups

Identify the security groups to which you want to allow access to FME Server, and compile a list of their distinguished names (DNs).

You can acquire DNs from the domain administrator or through an Active Directory browser, such as ADExplorer (http://technet.microsoft.com/en-us/sysinternals/bb963907). The DN of a security group takes on the general form:

CN=groupname,OU=organizationunit,...,DC=mydomain,DC=com
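The following pre-check is an added example, not part of the guide or of FME Server. It tests whether each candidate role name has the group-DN shape shown above, which matters because this guide notes that roles which are not security groups are accepted by the interface but ignored. The function names and sample role names are constructed, and the check cannot confirm that a group actually exists in the directory.

```python
# Added example (not vendor code): pre-check role names before adding them.
# Assumes a group DN starts with CN= and ends with DC= components, as in the
# general form shown above. It does not query Active Directory.

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current, escaped = current + ch, False
        elif ch == "\\":
            current, escaped = current + ch, True
        elif ch == ",":
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    return [p.strip() for p in parts]

def dn_problem(candidate):
    """Return None if candidate has the group-DN shape, else a reason."""
    pairs = [rdn.partition("=") for rdn in split_rdns(candidate)]
    if any(not a.strip() or sep != "=" or not v.strip() for a, sep, v in pairs):
        return "not a sequence of attribute=value components"
    attrs = [a.strip().upper() for a, _, _ in pairs]
    if attrs[0] != "CN":
        return "first component is not CN="
    if attrs[-1] != "DC":
        return "does not end in DC= domain components"
    return None

# Constructed sample role names (hypothetical groups and domain).
ROLES = [
    "CN=GIS Editors,OU=Groups,DC=example,DC=com",
    r"CN=Ops\, Tier 2,CN=Users,DC=example,DC=com",
    "GIS Editors",
    "EXAMPLE\\gis-editors",
    "OU=Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    for role in ROLES:
        print(f"{role!r}: {dn_problem(role) or 'ok'}")
```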

Add Security Groups as Roles

Through the FME Server web user interface, add each security group's DN as a user role. For each user role, specify the FME Server resources that the role can access.

  1. Using a web browser, access the FME Server Web Interface—for example, http://localhost/fmeserver.
  2. If you are not already authenticated, enter your credentials, and click Login.
  3. Click Security on the left-hand side to access the security page.
  4. Click the Roles tab.
  5. Click New, and then specify the security group's DN.
  6. Click OK to add the new user role.

    The user membership is maintained in Active Directory.

  7. Click Permissions, and select the newly added role.
  8. Specify the FME Server resources that you want to make accessible to this security group, and then click Apply.
  9. Repeat steps 4 through 8 for each security group you want to add.

Enable Active Directory

Edit the FME Server configuration file to use Active Directory. Then restart the server.

  1. Open the FME Server configuration file, fmeServerConfig.txt, located in the subdirectory Server of your FME Server install directory.
  2. Under the Security heading, comment out (#) the following line:

    SECURITY_LOGIN_TYPE=database

  3. Uncomment (remove the leading #) the following lines:

    SECURITY_LOGIN_TYPE=activedirectory

    SECURITY_AD_SERVER_AUTODETECT=true

    FME Server will attempt to automatically detect Active Directory. If this fails, provide the host and port of your Active Directory server using the following lines:

    SECURITY_AD_SERVER_AUTODETECT=false

    SECURITY_AD_SERVER_COUNT=1

    SECURITY_AD_SERVER_HOST1=<host>

    SECURITY_AD_SERVER_PORT1=<port> (typically 636)

  4. If you would rather not have to enter your domain name each time you log in (<domain>\<user>), uncomment the following line and provide your domain:

    SECURITY_AD_NT_DOMAIN=<yourDomain>

  5. If you are connecting to Active Directory over Secure Sockets Layer (SSL), add the following line:

    SECURITY_AD_USE_SSL=true

  6. Save the configuration file.
  7. Restart FME Server.

    For more information, see Starting and Stopping FME Server.

  8. Log in using your Active Directory credentials.
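Before restarting the server, the edited Security section can be audited with a script such as the one below. It is an added example, not code from the guide or from FME Server. It assumes the file holds one KEY=VALUE per line with a leading # marking a comment. It also treats a connection without SSL and an enabled SECURITY_DEBUG as findings, which is the example's own policy rather than a requirement stated here. The function names and the sample content are constructed.

```python
# Added example, not vendor code. Assumes fmeServerConfig.txt holds one
# KEY=VALUE per line and that a leading '#' comments a line out.
def active_settings(text):
    """Map each uncommented key to the list of values it is given."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            found.setdefault(key.strip(), []).append(value.strip())
    return found

def audit_ad_config(text):
    """Return findings for the Active Directory settings; [] means clean."""
    cfg, findings = active_settings(text), []
    last = lambda key: cfg.get(key, [""])[-1]
    logins = cfg.get("SECURITY_LOGIN_TYPE", [])
    if logins != ["activedirectory"]:  # e.g. the database line left active
        findings.append(f"SECURITY_LOGIN_TYPE active values: {logins}")
    use_ssl = last("SECURITY_AD_USE_SSL").lower() == "true"
    if not use_ssl:
        findings.append("SECURITY_AD_USE_SSL is not true")
    if last("SECURITY_AD_SERVER_AUTODETECT").lower() == "false":
        count = last("SECURITY_AD_SERVER_COUNT")
        if not count.isdigit() or count == "0":
            findings.append("SECURITY_AD_SERVER_COUNT missing or invalid")
        for i in range(1, (int(count) + 1) if count.isdigit() else 1):
            for key in (f"SECURITY_AD_SERVER_HOST{i}", f"SECURITY_AD_SERVER_PORT{i}"):
                if not last(key) or last(key).startswith("<"):
                    findings.append(f"{key} is unset or still a placeholder")
            if last(f"SECURITY_AD_SERVER_PORT{i}") == "636" and not use_ssl:
                findings.append(f"SECURITY_AD_SERVER_PORT{i}=636 (LDAPS) but SSL is off")
    if last("SECURITY_DEBUG").lower() == "true":
        findings.append("SECURITY_DEBUG is true: verbose security logging is on")
    return findings

# Constructed sample: a half-finished edit of the Security section.
HALF_EDITED = """\
SECURITY_LOGIN_TYPE=database
SECURITY_LOGIN_TYPE=activedirectory
SECURITY_AD_SERVER_AUTODETECT=false
SECURITY_AD_SERVER_COUNT=1
SECURITY_AD_SERVER_HOST1=<host>
SECURITY_AD_SERVER_PORT1=636
SECURITY_DEBUG=true
"""

if __name__ == "__main__":
    print("\n".join(audit_ad_config(HALF_EDITED)))
```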

Security Management Using Active Directory

When using Active Directory for user authentication and authorization, the Security Management interface has some modifications.

User Accounts View

The User Accounts view is a live list of Active Directory users that can access components of FME Server. A server administrator cannot modify this list, since it is fetched from Active Directory. The list includes all users covered by the enabled Active Directory security groups specified in user roles.

Note:  FME Server populates this view by using the Lightweight Directory Access Protocol (LDAP) virtual list view (VLV) control. Your Active Directory server must have this feature enabled in order to display a live User Accounts view.

User Roles View

The User Roles view is a live list of Active Directory security groups that can access components of FME Server. A server administrator can modify this list, which is stored in the local security database, to add Active Directory security groups or remove existing groups.

Note:  User roles can accept Active Directory security groups only. It is possible through the user interface to add user roles that are not security groups; however, they are ignored. Examples of invalid user roles when using Active Directory include:

Troubleshooting

Active Directory-based security might be easier to set up in some server environments than in others, because the security hierarchy varies considerably between environments. If you are having difficulty configuring FME Server's security framework to use Active Directory, check the following troubleshooting tips for options.

Enabling Debug Logging

Enabling debug logging for FME Server's security framework allows more verbose logging during many Active Directory operations. Examining log messages might provide insight into the failing operation.

  1. Open the FME Server configuration file, fmeServerConfig.txt, located in the subdirectory Server of your FME Server install directory.
  2. Under the Security heading, locate the parameter SECURITY_DEBUG and set it to true.
  3. Restart FME Server.

    For more information, see Starting and Stopping FME Server.

  4. Examine the log files for additional information pertaining to Active Directory operations.

Safe Software Inc. www.safe.com