This page describes how to synchronize Orbit Users and User Groups with Microsoft Active Directory.
In order to synchronize Orbit with a corporate Active Directory, the proper settings for the Orbit Enterprise Service must be defined.
It is up to the customer to decide which user groups will be able to access the Orbit software, and which users will be assigned to each usergroup. Before customizing Orbit, these usergroups must be created in the Active Directory.
The existing Active Directory user groups must be replicated in the EOS. Of the groups in a corporate Active Directory, only those replicated in the EOS will be able to access the Server or the Orbit Clients.
At least two groups from the Active Directory must also exist in Orbit:
To create and manage Usergroups in Orbit, see: EOS Console > Users and User Groups
These two usergroups are mandatory. For different tasks, several other user groups may be created, and permissions can be granted for each of them; see: EOS Roles and Permissions
Different workspaces must be created for all usergroups created in the Users and User Groups tab. Access to these workspaces must be assigned to the previously created usergroups.
To create and manage the Workspaces see: EOS Console > Workspaces
When synchronizing Orbit with Active Directory, one usergroup can access only one workspace, and one workspace can be associated with only one usergroup.
The result of the AD synchronization will be the following:
Configuration for Active Directory requires a well-prepared EOS Console Users & User Groups and Workspace setup.
After completing the EOS Console configuration, stop the Orbit EOS Service, edit the configuration files described below, and restart the Orbit EOS Service so that the updated Active Directory configuration takes effect; see Orbit Enterprise Service.
The file "\server\program\services\system_user\usergroups.ini" should look like:
#
# Usergroups
#
GROUPS=
    GROUP=
        NAME=GRP_APPL_GRIP_BEHEER
        DISPLAYNAME=GRP_APPL_GRIP_BEHEER
        USERS=
    GROUP=
        NAME=GRP_APPL_GRIP_TEST
        DISPLAYNAME=GRP_APPL_GRIP_TEST
        USERS=
#<EOF>#
NAME: the name of the administrator group (the first one) or of another user group that already exists in your AD. The name is formed from a prefix and a name (e.g. GRP_APPL_GRIP is the prefix and TEST the name).
Configure the Lightweight Directory Access Protocol (LDAP) connection in:
<Orbit Server Installation>/server/program/config/active_directory.<AD_Name>.ini

INITIAL_CONTEXT_FACTORY com.sun.jndi.ldap.LdapCtxFactory
PROVIDER_URL ldap://IpAddress:Port
SECURITY_AUTHENTICATION simple
SECURITY_PRINCIPAL MyDomain\\Administrator
SECURITY_CREDENTIALS Password
LIST_USERS_SEARCH_BASE DC=<MyDomain>,DC=<LOCAL>
LIST_USERS_SEARCH_FILTER (&(objectClass=user)(objectCategory=person))
LIST_COMPUTERS_SEARCH_BASE DC=<MyDomain>,DC=<LOCAL>
LIST_COMPUTERS_SEARCH_FILTER (&(objectClass=user)(objectCategory=computer))
LIST_GROUPS_SEARCH_BASE DC=<MyDomain>,DC=<LOCAL>
LIST_GROUPS_SEARCH_FILTER (objectCategory=group)
PROVIDER_URL: URL of the LDAP service; 389 is the default port.
SECURITY_AUTHENTICATION: access mechanism, options:
    none: an anonymous login
    simple: a standard 'plaintext' login (default)
    GSSAPI: SASL mechanism (not yet supported)
SECURITY_PRINCIPAL: the name of a user with access to the AD, options:
    Administrator@mydomain.com: Windows 2000 and later
    CN=Administrator,CN=Users,DC=mydomain,DC=com: AD syntax
SECURITY_CREDENTIALS: security credentials of the user with access to the AD.
LIST_USERS_SEARCH_BASE: search base for listing all users, e.g. DC=MYDOMAIN,DC=COM
LIST_USERS_SEARCH_FILTER: filter for listing all users, e.g. (&(objectClass=user)(objectCategory=person))
LIST_COMPUTERS_SEARCH_BASE: search base for listing all computers, e.g. DC=MYDOMAIN,DC=COM
LIST_COMPUTERS_SEARCH_FILTER: filter for listing all computers, e.g. (&(objectClass=user)(objectCategory=computer))
LIST_GROUPS_SEARCH_BASE: search base for listing all user groups, e.g. DC=MYDOMAIN,DC=COM
LIST_GROUPS_SEARCH_FILTER: filter for listing all user groups, e.g. (objectCategory=group)
Configure the Orbit User Service in:
<Orbit Server Installation>/server/program/services/system_user/service.ini

Services=
    Service=
        Name=UserService
        ClassName=com.orbitgis.services.user.UserService
        Configuration=
            StoreType=ActiveDirectory
            ActiveDirectoryName=active_directory.<AD_Name>
            ActiveDirectoryGroupPrefix=<AD_Prefix>
            AdministratorsGroupName=<AD_Name><AD_User_Group_Administrators>
ActiveDirectoryName: the same name as the file containing the LDAP configuration, see step 1.
ActiveDirectoryGroupPrefix: the prefix of the usergroup created in step 1.
AdministratorsGroupName: the name of the administrator usergroup from step 1.
Configure the Desktop Client Login in:
<Orbit Server Installation>/client/program/login.ini

ServerLocation dox://<Orbit_Server>:<Port_Dox>/
autologin true
UserName <USERNAME>
Password
GroupName
WorkspaceName
Autologin
ServerLocation: location of the Orbit Server installation; the default port is 1100.
UserName <USERNAME>: the Windows login name is used as the username. This name is looked up in the AD to find the groups the user belongs to. Next, the first workspace that grants access to at least one of those groups is selected.
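The following is an added example, not Orbit's own code: it parses an active_directory.<AD_Name>.ini in the KEY value layout shown above, flags the bind settings a defender should review before restarting the EOS service (a simple bind over plain ldap:// sends SECURITY_CREDENTIALS unencrypted, and the placeholder password must be replaced), and replays the login.ini lookup described above: Windows login name, then the user's AD groups carrying ActiveDirectoryGroupPrefix, then the first workspace whose single usergroup matches. AD lookups are simulated with constructed data; the key names and group names come from this page, the workspace names, user names and host address are assumed.

```python
"""Added example, not Orbit's code: parse the page's active_directory ini layout,
review its bind settings, and simulate the <USERNAME> -> AD groups -> workspace
lookup. Key and group names are from the page; everything else is assumed."""

# Constructed sample config in the page's "KEY value" one-per-line layout.
SAMPLE_INI = r"""INITIAL_CONTEXT_FACTORY com.sun.jndi.ldap.LdapCtxFactory
PROVIDER_URL ldap://10.0.0.5:389
SECURITY_AUTHENTICATION simple
SECURITY_PRINCIPAL EXAMPLE\\Administrator
SECURITY_CREDENTIALS Password
LIST_GROUPS_SEARCH_BASE DC=example,DC=local
LIST_GROUPS_SEARCH_FILTER (objectCategory=group)
"""

def parse_ad_ini(text):
    """One KEY<space>value per line; blank lines and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg

def review_ad_config(cfg):
    """Findings on the bind settings; 'simple' is the page's default mechanism."""
    findings = []
    url = cfg.get("PROVIDER_URL", "")
    auth = cfg.get("SECURITY_AUTHENTICATION", "simple")
    if auth == "simple" and not url.startswith("ldaps://"):
        findings.append("simple bind over ldap:// sends SECURITY_CREDENTIALS in clear text")
    if auth == "none":
        findings.append("anonymous bind: user and group listings may be denied")
    if cfg.get("SECURITY_CREDENTIALS", "") in ("", "Password"):
        findings.append("SECURITY_CREDENTIALS is empty or still the placeholder")
    return findings

# Constructed AD memberships and EOS workspace -> usergroup pairs (one workspace
# per usergroup, as the page requires); user and workspace names are assumed.
AD_GROUPS = {"jdoe": ["Domain Users", "GRP_APPL_GRIP_TEST"],
             "admin1": ["GRP_APPL_GRIP_BEHEER", "Domain Admins"]}
WORKSPACES = [("Administration", "GRP_APPL_GRIP_BEHEER"), ("Test", "GRP_APPL_GRIP_TEST")]

def resolve_login(windows_user, ad_groups, prefix, workspaces):
    """Keep only groups carrying ActiveDirectoryGroupPrefix (assumed), then
    return the first (workspace, group) pair that admits one of them, or None."""
    groups = [g for g in ad_groups.get(windows_user, []) if g.startswith(prefix)]
    return next(((w, g) for w, g in workspaces if g in groups), None)
```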