Applies to:
Kyvos Enterprise Kyvos Azure Marketplace
Kyvos AWS Marketplace Kyvos Free (
From Kyvos 2023.3 onwards, you can see the last performed Kyvos Authentication operation details, including progress status and start time, by clicking the i icon located next to the Revert button. To view more comprehensive details, simply click the View Details link, which will take you to the Operations page where you can view the operation information in detail.
Use this page to configure authentication type governing user login for the Kyvos web portal.
- From the Authentication Type, select the one that you want to use.
- KYVOS NATIVE: Select this option to authenticate only the User Login details by Kyvos.
REMOTE AUTHENTICATION SYSTEM: Select this option to choose LDAP or Kerberos for authentication.
The fields shown in the following figure are displayed ONLY if you select the REMOTE AUTHENTICATION SYSTEM option with LDAP as Authentication Type.
If you have selected the Kyvos Native option, then specify the type of user that will be created on the first-time login from the management portal using the Default Authentication Type for Newly Created User. You can choose from LDAP and Kyvos Native options.
Important
If you are using Kerberos configured Hadoop, then KYVOS NATIVE Authentication Type does not work for Kyvos Authentication.
In this case, you must edit the kyvosmanager\bin\env.sh file to set the HADOOP_SECURITY_TYPE=KERBEROS property.
You must also edit the krbToken.sh file at kyvosmanager\bin\, olapengine\bin, and queryengine\bin locations to provide the Kerberos token generation command, such as kinit <%ketab_location\key_tab_filename%> <%principal_name%>, after the sample command provided in krbToken.sh file. You MUST restart all components including Kyvos Manager after providing this information.
LDAP and Kerberos configuration
If you have selected the Remote authentication system, specify the Authentication System to use from LDAP and Kerberos, and enter details as mentioned in the table below.
The fields mentioned in this table vary according to the chosen Authentication System.
The fields mentioned in this table vary according to the chosen Authentication System.
Settings
Parameter/Field
Comments/Description
LDAP Settings
Alias
Specify a unique alias name for the LDAP account.
Directory Type Select the directory type from the list. Referral Mode
Select the mode for the service providers to indicate how to handle referrals.
- Ignore: Ignore referrals.
- Follow: Automatically follow any referrals.
- Throw: Throw a Referral Exception error for each referral.
Host Name
Enter the hostname or IP address of the authentication directory server.
Port Enter the port on which the directory server is listening. User DN Enter a unique name for the user that the application will use when connecting to the directory server.
For example, cn=user,dc=domain,dc=name for user@domain.name.Password Enter the password for the user.
NOTE: If not specified, the last provided password will be used. To change, enter a new password.Use Secure Layer
Select this check box if SSL is configured. You will have to upload the SSL certificate for this.
SSL Certificate
Upload the SSL certificate file for use with the authentication directory.
Schema Settings
Base DN
Enter the name that the application will use when connecting to the directory server.
If you are searching for users in the Admin department of example.com, then the Base DN would be dc=example,dc=com, and the User DN would be cn=admin,dc=example,dc=com.
If you have a group within in the admin called ITadmin, then the User DN would be cn=admin,ou=ITadmin,dc=example,dc=com.
Additional Group DN
Enter the additional group DN details (if any).
Additional User DN
Enter the additional user DN details (if any).
Group Filter
Enter the details of group filters (if any).
User Filter
Enter the details of user filters (if any).
Specify the sync level for the user group from:
- Bootup: The system searches for changes at every bootup and syncs the users with the LDAP directory.
- Incremental: The system search for changes whenever new data comes in and syncs the users with the LDAP directory.
- Never: The system does not sync user information from the LDAP directory.
NOTE: If User Group Sync Level is set to Incremental, any changes to LDAP Password, User Filter, and Group Filter will not require BI Server restart.
Show sync and timeout settings Click to specify the sync and timeout settings:
- Import Users As: Select the default role for all users being imported from the LDAP.
- Read Timeout: Specify the timeout interval (in seconds) for reading data from LDAP.
- Search Timeout: Specify the timeout interval (in seconds) for searching new data from LDAP.
- Connection Timeout: Specify the timeout interval (in seconds) for connecting to the LDAP directory.
- Custom Attributes: If needed, add custom attributes for users being imported from LDAP.
Kerberos Settings
Server
Enter the hostname or IP address of the Kerberos server.
Realm
Enter the hostname or IP addresses of the Kerberos realm nodes. A Kerberos realm is a set of managed nodes that share the same Kerberos database
Mode
Select the login mode for Kerberos from:
- You can also define multiple LDAP accounts. For this, click on the left.
- You can also duplicate an existing LDAP configuration, for this use the Duplicate option, as shown.
- Click the Validate button to authenticate and verify the LDAP configurations. For multiple LDAP accounts, you also use the Validate All button from the three-dots menu to validate all the LDAP accounts at once.
Single Sign On configuration
To enable Single Sign On, select the corresponding check box; and define the Single Sign On Configuration as follows.
Parameter/Field Comments/Description Single Sign-On Provider Select the provider to be used to perform SSO. Bind Address Enter the machine name where this computer account has been created. DNS Servers IPs Comma-separated list of DNS Server IPs. Computer Account Name JESPA, as an SSO provider, needs a computer account name for system authentication against the active directory. Computer Account Password Enter the password for the computer account name mentioned above. jespa jar Upload the JESPA jar file. Kyvos uses this to perform SSO using JESPA. You can download the jar from https://www.ioplex.com/downloads.php
jcifs jar Upload the JCIFS jar file. Kyvos uses this to perform SSO using JESPA. You can download the jar from https://jcifs.samba.org/src
- Click the Validate JESPA Configuration button to verify that the JESPA settings mentioned are correct.
Kerberos SSO configuration
To enable Enable Kerberos SSO, select the corresponding check box; and define the configuration as follows.
Parameter/Field Comments/Description Service Principal Kerberos principal is a unique identity to which Kerberos can assign tickets. It follows the primary/instance@REALM format.
Define it as:
- Service: In the case of a user, enter your username. For a host, use the word host.
- FDQN: Optional string qualifying the primary. For a host, use a fully qualified hostname, such as John.abc.com. For a user, the instance is usually null, but a user might also have an additional principal, with an instance called admin, which he/she uses to administrate a database. The principal John@EXAMPLE.COM is separate from the principal john/admin@EXAMPLE.COM, with a different password, and separate permissions.
- Realm: Your Kerberos realm can be your domain name, in upper-case letters. For example, the machine abc.example.com would be in the realm EXAMPLE.COM.
KRB5 File The krb5.conf file contains Kerberos configuration information, including Kerberos realms, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Keytab Select the Upload file or File path option. Keytab File Upload your Keytab file to be used for authentication or provide its path. 