Stratus 3.9 Single-Sign-On with ActiveDirectory and NTLM

This document provides draft instructions for enabling directory-based authentication and authorization (ActiveDirectory or LDAP) and single sign-on with NTLM.

Notes:

- this document describes ActiveDirectory specifics; the filters will need to be changed if another LDAP implementation is used
- this document assumes the Domain name to be “win2008”, the AD server to be “win2008” and the DNS suffix to be “dev.videonext.net”, so the relevant parts need to be changed for the actual environment in use


Top-level view of the components' interaction:

  1. The client browser makes an HTTP request to the STRATUS server (login page)
  2. The STRATUS server uses HTTP mechanisms to determine whether the client browser is running on a computer logged in to the Windows Domain and, if it is, checks whether the session is secured
  3. The STRATUS login page pre-populates the username with the one recognized from the Windows Domain, disables password entry and expects the user to click the “Login” button
  4. STRATUS looks up the user in the Directory and authenticates the session
  5. STRATUS looks up the user's groups in the Directory to determine the Roles granted to the user
    Note: Roles are mapped to Directory Groups within the STRATUS Admin GUI
  6. From this point, the STRATUS user works with the GUIs “as usual” within their permissions

Step-by-step guide

  1. Prerequisites

    1. STRATUS server with version 3.9.3+ installed

    2. Windows Domain configured

    3. Active Directory configured

    4. An account (username/password) created in ActiveDirectory with permissions to search for users and groups

  2. Configuration steps

    1. Install additional packages on the STRATUS server:
      yum install mod_auth_ntlm_winbind samba-winbind samba-winbind-clients samba-client

    2. [Optional] if DNS is not in place, add the ActiveDirectory and PDC servers to STRATUS’ /etc/hosts file
      Ex: 207.207.163.187 win2008.dev.videonext.net win2008 PACSLAB.win2008.dev.videonext.net

    3. Configure “winbind”: edit /etc/samba/smb.conf, [global] section:
      workgroup = WIN2008
      realm = WIN2008.DEV.VIDEONEXT.NET
      security = ADS

    4. Test that the configuration is valid:
      testparm -s

    5. Join STRATUS to the domain and add the apache user to the wbpriv group (the -a flag keeps apache's existing supplementary groups instead of replacing them):
      net ads join -S win2008.dev.videonext.net -U domain_admin
      usermod -a -G wbpriv apache

    6. Set the services to auto-start and reload the configuration:
      systemctl enable winbind
      systemctl restart winbind
      systemctl restart httpd

    7. Configure ActiveDirectory settings in STRATUS:
      LDAP authentication - YES
      Directory server - win2008.dev.videonext.net
      Directory server port - 389
      Authentication - password
      Login username - domain_admin
      Login password - domain_password
      User search base template - CN=(0),CN=Users,DC=win2008,DC=dev,DC=videonext,DC=net
      Group search base - DC=win2008,DC=dev,DC=videonext,DC=net
      Group search filter - (objectClass=group)
      Group membership template - (&(objectClass=group)(member=CN=(0),CN=Users,DC=win2008,DC=dev,DC=videonext,DC=net))

    8. Configure roles in STRATUS to map to ActiveDirectory Groups:
      open “Settings - Credentials - Role manager”, create a role and associate it with the matching Active Directory group in the LDAP tab:
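
Step 7 substitutes the Windows logon name into two templates, one a DN (user search base) and one a search filter (group membership); the substituted value should be escaped so that commas, parentheses and similar characters in a username cannot change the structure of the query sent to the Directory. The following is an added example, not STRATUS code; it assumes “(0)” is the placeholder exactly as shown in step 7 and that the recognized logon name may arrive as DOMAIN\user (winbind's default separator).

```python
# Templates from configuration step 7; "(0)" is assumed to be the placeholder
# STRATUS substitutes with the username (assumption, not confirmed by the page).
PLACEHOLDER = "(0)"
USER_DN_TEMPLATE = "CN=(0),CN=Users,DC=win2008,DC=dev,DC=videonext,DC=net"
GROUP_MEMBER_TEMPLATE = (
    "(&(objectClass=group)"
    "(member=CN=(0),CN=Users,DC=win2008,DC=dev,DC=videonext,DC=net))"
)

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)           # structural DN characters
        elif ch == "#" and i == 0:
            out.append("\\#")               # a leading '#' would start a hex string
        elif ch == " " and i in (0, last):
            out.append("\\ ")               # leading/trailing spaces are otherwise dropped
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))  # control characters as hex pairs
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\" or ord(ch) < 0x20 else ch
                   for ch in value)

def logon_name_to_cn(logon_name: str) -> str:
    """Drop a DOMAIN\\ prefix (winbind's default separator; assumed) to get the CN."""
    return logon_name.rsplit("\\", 1)[-1]

def build_user_dn(logon_name: str) -> str:
    """User search base from step 7 with the username substituted (DN escaping)."""
    cn = escape_dn_value(logon_name_to_cn(logon_name))
    return USER_DN_TEMPLATE.replace(PLACEHOLDER, cn)

def build_group_filter(logon_name: str) -> str:
    """Group membership filter from step 7. The member value is a DN embedded in a
    filter, so it is DN-escaped first and the result is then filter-escaped."""
    cn = escape_filter_value(escape_dn_value(logon_name_to_cn(logon_name)))
    return GROUP_MEMBER_TEMPLATE.replace(PLACEHOLDER, cn)

if __name__ == "__main__":
    for name in ("WIN2008\\jdoe", "Smith, John", "ops(team)"):
        print(build_user_dn(name), build_group_filter(name), sep="\n")
```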