Kerberos Authentication
Virtual DataPort provides support to authenticate its clients using the Kerberos authentication protocol, which is the default authentication method used in Microsoft Windows networks (i.e. networks using Microsoft Active Directory). The benefits of enabling Kerberos are:
Single sign-on: the clients of Virtual DataPort will not have to provide their user credentials. E.g. when you launch the Administration Tool, users will not have to enter their credentials, and neither will JDBC clients.
The authentication of users is delegated to Active Directory. This simplifies the management of users and their privileges, compared to having to create all the users in Virtual DataPort and manage their passwords.
If you are interested in delegating the authentication of users to Active Directory, but not in single sign-on, create databases with LDAP authentication, which are easier to set up than Kerberos. To enable Kerberos, you have to create a new user in Active Directory, create a Service Principal Name, create a keytab file, etc., whereas creating a database with LDAP authentication does not require any configuration change.
The section LDAP Authentication explains how to enable the LDAP authentication.
When you enable Kerberos in Virtual DataPort, the following users are still able to connect using the regular authentication method:
Users created locally in Virtual DataPort.
Users that connect to a database with LDAP authentication using their credentials from the LDAP directory.
Before configuring Kerberos, you have to perform the post-installation tasks described in the section Setting-up Kerberos Authentication of the Installation Guide. Then do the following from the Administration Tool:
Create the roles for the users: see section Creating the Roles of the Virtual DataPort Users.
Create an LDAP data source that connects to the Active Directory of your organization: see section Creating an LDAP Data Source.
Set up the Kerberos authentication: see section Setting-Up the Kerberos Authentication in the Virtual DataPort Server.
Configure the Administration Tool to use Kerberos authentication: see section Configuring the Administration Tool to Use Kerberos Authentication.
Defining Session attribute mapping: you can define a mapping between LDAP attributes of the authenticated user and attributes that will be added to the user session. The name in Virtual DataPort is the one given in the Session Attribute column, and the name in the LDAP directory is the one given in the Authentication Attribute column.
Global LDAP: the user session will contain the attribute mappings defined at Enabling Global LDAP Authentication for the Virtual DataPort Server configuration.
Custom LDAP: Virtual DataPort will search the custom LDAP directory for the attributes used by the mappings defined in this section.
For example, if the LDAP user has an attribute department, you can create a mapping to a user_department Session Attribute, which will be added to the user session in Virtual DataPort. The user_department attribute is accessible to functions such as GETVAR and to the Global Security Policies as an attribute of the user's session.
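As an added example (not taken from the Denodo documentation or from the product's own code), the following VQL shows how a session attribute filled by such a mapping can be used to restrict the rows a user sees to their own department. It assumes a base view named employee_base with a department column, the department to user_department mapping described above, and that GETVAR takes the variable name, its type and a default value in that order; the view name, the column names and the default value 'NO_DEPARTMENT' are constructed for this example.

```sql
-- Added example (not from the original page): a derived view whose rows are
-- limited to the caller's department, read from the session attribute
-- user_department that the mapping above fills from the LDAP attribute
-- "department" of the authenticated Active Directory user.
--
-- Assumed for this example: a base view employee_base(employee_id, name,
-- department, salary) and the signature GETVAR(name, type, default_value).
-- The default 'NO_DEPARTMENT' is a constructed sentinel that matches no real
-- department, so a session that lacks the attribute (for instance a user that
-- did not authenticate through the LDAP data source) sees no rows instead of
-- every row: the filter fails closed.
CREATE OR REPLACE VIEW employee_my_department AS
SELECT employee_id, name, department
FROM employee_base
WHERE department = GETVAR('user_department', 'text', 'NO_DEPARTMENT');
```

The choice of default value is the security-relevant part: a default that is NULL or an empty string would still fail closed here, but a default that happens to equal a real department name would silently grant that department's rows to every session without the attribute. The same user_department attribute can be referenced from a Global Security Policy instead of being hard-coded into each view, which keeps the restriction in one place.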
Note
The feature LDAP roles cache may reduce the time spent authenticating/authorizing the users that log in to Virtual DataPort with Kerberos authentication.