Categories
exacqVision Client exacqVision Server

LDAP connection requirements

Description:-

For remote client authentication via LDAP (single sign-on) to succeed, the following three conditions must be met:

  • exacqVision Server has an Enterprise license and is connected to an AD/LDAP server.
  • The exacqVision Client can reach the exacqVision Server on TCP port 22609, and the LDAP server on TCP port 636 (LDAP with SSL) or 389 (LDAP without SSL).
  • The Active Directory server can reach both the exacqVision Server and the exacqVision Client workstation.

Kerberos tickets only work when all three parties can see and connect to each other: the client obtains a service ticket for the exacqVision Server from the domain controller and presents it to the server, which must be able to validate it. Check these requirements before establishing the client connection to the server via the SSO method. Where possible use port 636: a simple bind over port 389 without SSL sends the bind account's credentials in clear text.
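The following script is an added example, not part of the exacqVision documentation, that performs the client-side half of these checks: a TCP connect to the exacqVision Server on 22609 and to the LDAP server on the port implied by the Use SSL setting. The host names, the USE_SSL variable and the 3-second timeout are assumptions; the third requirement (AD reaching the server and the client) has to be verified from the domain controller and is not covered.

```bash
#!/usr/bin/env bash
# Added example (not part of the exacqVision documentation): client-side
# reachability check for the SSO requirements above. Needs bash (for
# /dev/tcp) and the coreutils 'timeout' command. The host names and the
# USE_SSL setting are assumptions; override them in the environment.

EXACQ_SERVER="${EXACQ_SERVER:-exacq-server.example.com}"   # assumption
LDAP_SERVER="${LDAP_SERVER:-dc1.example.com}"              # assumption
USE_SSL="${USE_SSL:-yes}"                                   # client's "Use SSL" setting

# Map the client's Use SSL setting to the LDAP port the page lists.
ldap_port() {
    case "$1" in
        yes|YES|true|1) echo 636 ;;
        *)              echo 389 ;;
    esac
}

# Return 0 if a TCP connection to host:port succeeds within 3 seconds.
check_tcp() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Run the two checks a client workstation can perform itself. The third
# requirement (AD reaching the server and the client) must be verified from
# the domain controller side and is not covered here.
run_checks() {
    local rc=0 port
    port="$(ldap_port "$USE_SSL")"
    if check_tcp "$EXACQ_SERVER" 22609; then
        echo "OK   exacqVision Server ${EXACQ_SERVER}:22609 reachable"
    else
        echo "FAIL exacqVision Server ${EXACQ_SERVER}:22609 not reachable"; rc=1
    fi
    if check_tcp "$LDAP_SERVER" "$port"; then
        echo "OK   LDAP ${LDAP_SERVER}:${port} reachable"
    else
        echo "FAIL LDAP ${LDAP_SERVER}:${port} not reachable"; rc=1
    fi
    if [ "$port" = 389 ]; then
        echo "WARN port 389 without SSL sends the bind password in clear text"
    fi
    return "$rc"
}

# Only perform network checks when invoked as: ./ldap_precheck.sh --run
if [ "${BASH_SOURCE:-}" = "$0" ] && [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it on the client workstation as `EXACQ_SERVER=... LDAP_SERVER=... ./ldap_precheck.sh --run`; a FAIL line identifies the firewall or routing problem to fix before attempting SSO.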


ExacqVision Server and Client support LDAP authentication with Azure Active Directory

Azure Active Directory exposes an LDAP interface when Azure AD Domain Services is configured for it, so LDAP can be used to synchronize the exacqVision software stack with the Azure AD instance.

Background Information: Lightweight Directory Access Protocol (LDAP) is an application protocol for working with various directory services. Directory services, such as Active Directory, store user and account information, and security information like passwords. The service then allows the information to be shared with other devices on the network. Enterprise applications such as email, customer relationship managers (CRMs), Video Management Software (VMS – ExacqVision), and Human Resources (HR) software can use LDAP to authenticate, access, and find information.

Azure Active Directory (Azure AD) supports this pattern through Azure AD Domain Services (Azure AD DS), a managed domain that provides the LDAP endpoint; Azure AD itself does not speak LDAP. To reach that endpoint from outside the Azure virtual network, for example from an on-premises exacqVision Server, secure LDAP (LDAPS on port 636) must be enabled on the managed domain with a certificate whose issuer the server trusts. This lets organizations adopting a cloud-first strategy move their on-premises LDAP resources to the cloud. exacqVision has supported LDAP authentication since early versions and now also supports it when integrated with Azure Active Directory.

Once the network hosting the on-premises exacqVision Server has been configured to communicate with the Azure Active Directory instance (verify that no port restrictions or other environmental factors block the connection), exacqVision Server and Client support LDAP authentication with Azure Active Directory as of the December 15, 2022 release and later.

Products 

  • ExacqVision Server Software version 22.12.5.0 and up
  • ExacqVision Client version 22.12.2.0 and up

Minimum Requirements for ExacqVision Server and Client software: 

  • Server and Client versions must be 22.12 or later
  • Your ExacqVision Server must have an Enterprise license to interact with Azure AD.
  • Your network configuration must be properly configured to communicate with your Azure AD instance
  • To configure the Azure Active Directory integration on an exacqVision Server, you need Azure Active Directory credentials (a bind account supplied by your IT department or network administrator) that can read the following Active Directory object classes and attributes: objectClass (specifically “group” and “user”), userPrincipalName, sAMAccountName, inetOrgPerson, krbPrincipalName

Configuration steps for ExacqVision Server and Client software: 

  • Configure the network so it can communicate with the Azure Active Directory instance without restriction.
  • Verify you have the minimum credential requirements listed above (supplied by your IT department or network administrator), then log in to the Client with administrative privileges.
  • Navigate to Enterprise > ActiveDirectory/LDAP. Enable Directory Service and enter the Azure AD instance address in the Server Address field, together with the correct port number, the Use SSL setting (enable it, since Azure AD DS secure LDAP is reached on port 636), the Base DN and the bind account information in the corresponding fields, as supplied by your IT department or network administrator. NOTE: It is recommended to enable “Permission to Create SPN” when using Azure Active Directory LDAP authentication.
  • Apply the changes.

Expected Results 

When executed properly, the above steps synchronize with the Azure AD instance and allow LDAP authentication in exacqVision Client and Server.

For more information on how to configure ExacqVision for use with LDAP authentication please see the ExacqVision Client User Manual.


Enterprise Manager supports LDAP authentication with Azure Active Directory 

Azure Active Directory exposes an LDAP interface when Azure AD Domain Services is configured for it, so LDAP can be used to synchronize the exacqVision Enterprise Manager software with the Azure AD instance.

Background Information: Lightweight Directory Access Protocol (LDAP) is an application protocol for working with various directory services. Directory services, such as Active Directory, store user and account information, and security information like passwords. The service then allows the information to be shared with other devices on the network. Enterprise applications such as email, customer relationship managers (CRMs), Video Management Software (VMS – ExacqVision), and Human Resources (HR) software can use LDAP to authenticate, access, and find information.

Azure Active Directory (Azure AD) supports this pattern through Azure AD Domain Services (Azure AD DS), a managed domain that provides the LDAP endpoint; Azure AD itself does not speak LDAP, and reaching the endpoint from outside the Azure virtual network requires secure LDAP (LDAPS on port 636) to be enabled on the managed domain. This lets organizations adopting a cloud-first strategy move their on-premises LDAP resources to the cloud. exacqVision has supported LDAP authentication since early versions and now also supports it when integrated with Azure Active Directory.

Once the network hosting the on-premises Enterprise Manager has been configured to communicate with the Azure Active Directory instance (verify that no port restrictions or other environmental factors block the connection), exacqVision Enterprise Manager supports LDAP authentication with Azure Active Directory as of the December 15, 2022 release and later.

Products 

  • ExacqVision Enterprise Manager version 22.12.0.0 and up

Minimum Requirements for ExacqVision Enterprise Manager Software: 

  • Enterprise Manager version must be 22.12.0.0 or later
  • Your network configuration must be properly configured to communicate with your Azure AD instance
  • You must have Azure Active Directory credentials (a bind account supplied by your IT department or network administrator) that can read the following Active Directory object classes and attributes: objectClass (specifically “group” and “user”), userPrincipalName, sAMAccountName, inetOrgPerson, krbPrincipalName

Configuration Steps for Enterprise Manager: 

  • Configure the network so it can communicate with the Azure Active Directory instance without restriction.
  • Verify you have the minimum credential requirements listed above (supplied by your IT department or network administrator), then log in to the Enterprise Manager user interface with administrative privileges.
  • Navigate to the Domain settings page.
  • Under “Add Domain”, enter the address of the Azure Active Directory instance in the “Hostname or IP” field, then enter the credentials described above together with the correct port number, security protocol, Search Criteria and Attribute names in their corresponding fields, as supplied by your IT department or network administrator.
  • Apply the changes.
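As an added example that is not exacqVision's own tooling, the script below verifies the values you are about to enter on the exacqVision Server's ActiveDirectory/LDAP page or on Enterprise Manager's Domain settings page before you apply them: it checks that the certificate presented on the secure LDAP port verifies, that the bind account can authenticate, and that the attributes listed above (objectClass, sAMAccountName, userPrincipalName) can be read for a test user. The host name, Base DN, bind account, password file and test user are placeholders; ldap_escape implements RFC 4515 filter escaping so that a login name taken from input cannot alter the search filter.

```bash
#!/usr/bin/env bash
# Added example (not exacqVision code): pre-check the Azure AD DS secure LDAP
# settings before entering them in the ActiveDirectory/LDAP or Domain page.
# Requires openssl and ldapsearch (package ldap-utils / openldap-clients).
# All host names, DNs and account names below are assumptions.

LDAP_HOST="${LDAP_HOST:-ldaps.aadds.example.com}"                 # assumption
LDAP_PORT="${LDAP_PORT:-636}"                                     # Use SSL -> 636
BASE_DN="${BASE_DN:-DC=aadds,DC=example,DC=com}"                  # assumption
BIND_DN="${BIND_DN:-svc-exacq@aadds.example.com}"                 # assumption
BIND_PW_FILE="${BIND_PW_FILE:-/etc/exacq/ldap-bind.pw}"           # assumption, mode 0600
TEST_USER="${TEST_USER:-jdoe}"                                    # assumption

# RFC 4515 escaping for values placed inside an LDAP search filter, so a
# login name such as 'a*b)(objectClass=*' cannot widen the search.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter built from the object classes and attributes the page lists:
# a user matched either by sAMAccountName or by userPrincipalName.
user_filter() {
    local n
    n="$(ldap_escape "$1")"
    printf '(&(objectClass=user)(|(sAMAccountName=%s)(userPrincipalName=%s)))' "$n" "$n"
}

group_filter() {
    printf '(&(objectClass=group)(sAMAccountName=%s))' "$(ldap_escape "$1")"
}

# 1. TLS on the LDAP port: Azure AD DS secure LDAP presents the certificate
#    you uploaded when enabling it; its issuer must be trusted on the
#    exacqVision host or the Use SSL connection will fail.
check_ldaps_cert() {
    openssl s_client -connect "${LDAP_HOST}:${LDAP_PORT}" -servername "$LDAP_HOST" \
        -verify_return_error </dev/null 2>&1 |
        grep -E '^(subject=|issuer=|Verify return code|verify error)'
}

# 2. Bind as the service account and read the attributes exacqVision uses
#    for a test user. The password comes from a file, not the command line.
check_bind_and_search() {
    ldapsearch -LLL -o nettimeout=10 -H "ldaps://${LDAP_HOST}:${LDAP_PORT}" \
        -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$BASE_DN" \
        "$(user_filter "$TEST_USER")" sAMAccountName userPrincipalName memberOf
}

# Only touch the network when invoked as: ./ldap_settings_check.sh --run
if [ "${BASH_SOURCE:-}" = "$0" ] && [ "${1:-}" = "--run" ]; then
    check_ldaps_cert && check_bind_and_search
fi
```

A "Verify return code: 0 (ok)" line followed by the test user's entry means the certificate, port, Base DN and bind account are consistent with what you will type into the configuration page; a verify error on step 1 means the Use SSL connection will fail until the issuing CA is trusted on the host.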

Expected Results 

When executed properly, the above steps synchronize with the Azure AD instance and allow LDAP authentication in exacqVision Enterprise Manager.

For more information on how to configure ExacqVision Enterprise Manager for use with LDAP authentication please see the ExacqVision Enterprise Manager user manual.


LDAP Users Cannot Create User Views

Title

LDAP Users Cannot Create User Views in exacqVision Client

Description 

Users logged in via LDAP cannot create user views in the exacqVision Client.

Product 

exacqVision Client  

Steps to Reproduce 

  • Log in as an exacqVision (non-LDAP) user
  • Create a user view if there aren’t any
    • At least one user view must exist for a non-LDAP user first
  • Log in to the client as an LDAP user
  • Highlight User View and then click New
  • Add a camera and name the view
  • Click Apply
  • The view disappears, either immediately or when you navigate away from the page

Expected Results 

  • View is created 

Actual Results 

  • View is not created

Solution

  • The defect has been identified; the fix will be available in exacqVision Client 22.06.xx.
  • The current workaround is to create the view under System View instead.
  • A build is also available, version 22.03.102.
  • See trac ticket #23444 for additional details.


AES encryption method support for the LDAP connection

exacqVision Server versions earlier than 21.12.6 do not support AES encryption types for the Kerberos tickets used on the LDAP connection.

With an earlier server version, the connection only works if the tickets use the RC4 encryption type. RC4-HMAC is a deprecated, weak Kerberos encryption type, so the preferred fix is to upgrade the server to 21.12.6 or later rather than to disable AES on the bind account.

To determine whether AES encryption is in use:

Check the exacqVision Server logs for the StreamPI plugin. If the tickets are AES-encrypted and the server cannot decode them, you will see entries like these:

StreamPI   Warning   Encryption type: aes-cts-256-sha1-96 (occurs 58811 times)
StreamPI   Warning   Unable to decode encrypted ticket (occurs 33140 times)
StreamPI   Warning   Unable to decode encrypted element (occurs 22007 times)

Another method to check:

On the domain controller, open the bind user in Active Directory Users and Computers, right-click it, choose Properties, and go to the Account tab.

If AES encryption is in use, “This account supports Kerberos AES 128 bit encryption” and/or “This account supports Kerberos AES 256 bit encryption” will be checked under Account options. These checkboxes set the account’s msDS-SupportedEncryptionTypes attribute.
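As an added example (not exacqVision code), the shell functions below automate both checks offline: classify_streampi_log reads StreamPI log lines and reports whether AES-encrypted tickets are arriving that the server cannot decode, and decode_enctypes expands the numeric msDS-SupportedEncryptionTypes value of the bind account, which is the attribute the AES 128 / AES 256 checkboxes on the Account tab set. The bit values are Microsoft's documented ones; SAMPLE_LOG is constructed from the three lines quoted above, and the ldapsearch host and account in the comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not exacqVision code): offline helpers for the two checks
# above. classify_streampi_log reads StreamPI log lines on stdin;
# decode_enctypes expands the numeric msDS-SupportedEncryptionTypes value of
# the bind account, which is what the AES 128 / AES 256 checkboxes on the
# Account tab set. Bit values follow Microsoft's MS-KILE definition.
# SAMPLE_LOG is constructed from the three lines quoted on the page.

# Bit flags of msDS-SupportedEncryptionTypes.
decode_enctypes() {
    local v="$1" out=""
    [ $((v & 1)) -ne 0 ]  && out="$out DES-CBC-CRC"
    [ $((v & 2)) -ne 0 ]  && out="$out DES-CBC-MD5"
    [ $((v & 4)) -ne 0 ]  && out="$out RC4-HMAC"
    [ $((v & 8)) -ne 0 ]  && out="$out AES128-CTS-HMAC-SHA1-96"
    [ $((v & 16)) -ne 0 ] && out="$out AES256-CTS-HMAC-SHA1-96"
    [ -z "$out" ] && out=" (none set)"
    printf '%s\n' "${out# }"
}
# Fetch the raw value with, for example (host, account and DNs are placeholders):
#   ldapsearch -LLL -H ldaps://dc1.example.com -D "$BIND_DN" -W -b "$BASE_DN" \
#       '(sAMAccountName=svc-exacq)' msDS-SupportedEncryptionTypes

# Read StreamPI log lines on stdin and print one of:
#   aes-undecodable  AES tickets arrive but cannot be decoded: server < 21.12.6
#   aes-ok           AES tickets seen and no decode failures
#   no-aes-seen      no AES encryption type logged (RC4 only, or nothing yet)
classify_streampi_log() {
    local aes=0 fail=0 line
    while IFS= read -r line; do
        case "$line" in
            *"Encryption type: aes"*)       aes=1 ;;
            *"Unable to decode encrypted"*) fail=1 ;;
        esac
    done
    if [ "$aes" -eq 1 ] && [ "$fail" -eq 1 ]; then
        echo aes-undecodable
    elif [ "$aes" -eq 1 ]; then
        echo aes-ok
    else
        echo no-aes-seen
    fi
}

# Constructed sample: the three StreamPI lines quoted on the page.
SAMPLE_LOG='StreamPI   Warning   Encryption type: aes-cts-256-sha1-96 (occurs 58811 times)
StreamPI   Warning   Unable to decode encrypted ticket (occurs 33140 times)
StreamPI   Warning   Unable to decode encrypted element (occurs 22007 times)'

classify_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" | classify_streampi_log
}

# Stand-alone usage: ./aes_check.sh /path/to/streampi.log [enctypes-value]
if [ "${BASH_SOURCE:-}" = "$0" ] && [ $# -ge 1 ]; then
    classify_streampi_log < "$1"
    [ $# -ge 2 ] && echo "bind account supports: $(decode_enctypes "$2")"
fi
```

A result of aes-undecodable on a server older than 21.12.6, together with a decode_enctypes output that includes an AES type, is exactly the mismatch the page describes.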


Mac Clients having issues connecting to LDAP

Encountered on : Ventura 13.5 and above

Make sure the client machine is joined to the domain via the GUI method, following Apple’s instructions at the link below.

https://support.apple.com/guide/directory-utility/configure-domain-access-diru11f4f748/mac

Encountered on: Big Sur 11.4
Behavior: Mac clients cannot connect to the domain using LDAP only.

Make sure the client machine has the krb5.conf file locally, along with the krb5.key.

Below is an example of the server’s default krb5.conf file.
Note that this is only an example: enter your own information for the default realm instead of EXACQ.COM.
The file is placed at /etc/krb5.conf.
NOTE:
This file is needed on both Linux and Mac units.
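The following krb5.conf is an added example rather than the sample file from the exacqVision document. It uses EXACQ.COM as the default realm as described above; the KDC host names, the domain suffix and the encryption-type list are assumptions to replace with your own.

```ini
# Added example krb5.conf (not the exacqVision sample). Replace EXACQ.COM, the
# KDC host names and the domain suffix with your own. Realm names are upper
# case by convention and must match the AD domain name exactly.
[libdefaults]
    default_realm = EXACQ.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    forwardable = true
    # Encryption types to offer. Keep rc4-hmac only while the exacqVision
    # Server is older than 21.12.6; drop it once AES is supported end to end.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    EXACQ.COM = {
        kdc = dc1.exacq.com
        kdc = dc2.exacq.com
        admin_server = dc1.exacq.com
    }

[domain_realm]
    .exacq.com = EXACQ.COM
    exacq.com = EXACQ.COM
```

After placing the file, `kinit user@EXACQ.COM` followed by `klist` on the Mac should show a ticket-granting ticket for the realm; if kinit cannot find a KDC, the [realms] entries or DNS SRV records are the first thing to check.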

Below are a few links to assist with configuration of the krb5.conf file for Mac OS.

http://web.mit.edu/macdev/KfM/Common/Documentation/preferences-osx.html

http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html

https://stackoverflow.com/questions/52409808/macos-sierra-kerberos


Setting the listed LDAP group on Exacq as the primary group for a specific user will not allow the user to log in

If an LDAP group that is listed in exacqVision is set as a user’s primary group in Active Directory, that user will not be able to log in to the exacqVision software. Active Directory records a user’s primary group in the primaryGroupID attribute rather than in memberOf, so a group lookup that reads memberOf does not see that membership.

Workarounds for this issue:

  1. Set a different group as the primary group for this user.
  2. Add the user to another group that is listed in exacqVision.
  3. Add this LDAP user directly as an exacqVision user.
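As an added example, not from exacqVision, the script below finds the accounts affected by this issue: it resolves the exacqVision-listed group’s objectSid to its RID and lists every user whose primaryGroupID equals it, which is exactly the membership that memberOf does not report. LDAP host, Base DN, bind account and password file are placeholders; SAMPLE_SID_B64 is a constructed SID (S-1-5-21-1-2-3-1104) used only for the offline self-check.

```bash
#!/usr/bin/env bash
# Added example (not from exacqVision): list the AD users whose primary group
# is the group listed in exacqVision, i.e. the accounts hit by the issue above.
# AD stores the primary group as the group's RID in the user's primaryGroupID
# attribute and leaves it out of memberOf, so memberOf-based lookups miss it.
# Needs ldapsearch, base64 and od. Connection values are placeholders.

LDAP_URI="${LDAP_URI:-ldaps://dc1.example.com:636}"                        # assumption
BASE_DN="${BASE_DN:-DC=example,DC=com}"                                    # assumption
BIND_DN="${BIND_DN:-CN=svc-exacq,OU=Service Accounts,DC=example,DC=com}"   # assumption
BIND_PW_FILE="${BIND_PW_FILE:-/etc/exacq/ldap-bind.pw}"                    # assumption, mode 0600

# Constructed sample objectSid, base64 as ldapsearch prints it ("objectSid:: ...").
# It encodes S-1-5-21-1-2-3-1104, so the RID is 1104.
SAMPLE_SID_B64="AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUAQAAA=="

# RID = last sub-authority of the SID = final 4 bytes, little-endian.
sid_rid_from_base64() {
    printf '%s' "$1" | base64 -d | tail -c 4 | od -An -tu1 | {
        read -r b0 b1 b2 b3
        echo $(( b0 + b1 * 256 + b2 * 65536 + b3 * 16777216 ))
    }
}

# Resolve a group's sAMAccountName to its RID via its objectSid. The group
# name is typed by the administrator; escape it per RFC 4515 if it ever
# comes from untrusted input.
group_rid() {
    local b64
    b64="$(ldapsearch -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$BASE_DN" \
            "(&(objectClass=group)(sAMAccountName=$1))" objectSid |
           sed -n 's/^objectSid:: //p')"
    [ -n "$b64" ] || { echo "group '$1' not found" >&2; return 1; }
    sid_rid_from_base64 "$b64"
}

# Users whose primary group is that RID: these cannot log in to exacqVision
# through the listed group and need one of the workarounds above.
users_with_primary_group() {
    local rid
    rid="$(group_rid "$1")" || return 1
    ldapsearch -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$BASE_DN" \
        "(&(objectClass=user)(primaryGroupID=${rid}))" sAMAccountName userPrincipalName
}

# Stand-alone usage: ./primary_group_users.sh GROUP_SAMACCOUNTNAME
if [ "${BASH_SOURCE:-}" = "$0" ] && [ $# -eq 1 ]; then
    users_with_primary_group "$1"
fi
```

Every account the script prints needs one of the three workarounds before it can log in through the listed group.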


LDAP user First time logging in from client to ESM results in Error

Description

From the client’s “Synchronize with ESM” page, entering an LDAP username and password results in a ‘Check your URL’ error. This happens even though the LDAP domain and the group associations (with ESM access) are correctly configured on ESM.

Tested version

4.8.2

Platform

All

Steps to reproduce

  • Create a domain and associations on ESM with “ESM access” enabled
  • From the client’s “Synchronize with ESM” page, enter a username and password belonging to the LDAP domain
  • Click Apply

Expected result

The client shows ‘Connected’ and downloads the server list from ESM.

Actual result

The client shows a ‘Check your URL’ error message dialog box.

Work around

Attempt the same action twice from the client. The client only enables the ‘Apply’ button when one of the parameters changes, so to retry, modify one of the parameters and revert it before clicking Apply again.

Another option is to log in to ESM with the same credentials first and then run the sync action from the client.


exacqVision Server/Client OS: Windows Open LDAP

exacqVision-Server_Client-OS_-Windows-Open-LDAP.pdf

Automatic creation of Service Principal Name (SPN)

Starting with exacqVision 7.2, the server can automatically create its own service principal name (SPN). A valid SPN is required for single sign-on, because a Kerberos client requests its service ticket by that name. To enable this feature:

  1. Check the box next to “Permission to create SPN” on the LDAP/Active Directory settings page.
  2. Verify with your domain administrator that the bind account has permission to create service principal names (write access to the servicePrincipalName attribute, scoped to the relevant account rather than broader directory rights). If not, the domain administrator can grant it with the following command:


Automatic-creation-of-Service-Principal-Name-SPN.pdf
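This added example, separate from the exacqVision document, does not grant the permission; it checks the result afterwards. It dumps every servicePrincipalName in the domain, confirms a given SPN is registered, and reports any SPN registered on more than one object, because a duplicate SPN prevents the KDC from issuing tickets for it and breaks single sign-on even when “Permission to create SPN” is set. The LDAP connection values are placeholders, and SAMPLE_LDIF is a constructed excerpt for the offline self-check whose SPN strings are placeholders too, not exacqVision’s actual SPN format, which the page does not state.

```bash
#!/usr/bin/env bash
# Added example (not exacqVision code): after "Permission to create SPN" has
# done its work, confirm the SPN is registered and that no other object in
# the domain carries the same SPN. A duplicate SPN stops the KDC from issuing
# tickets for it, so SSO fails even though the checkbox is set. Needs
# ldapsearch; connection values are placeholders. SAMPLE_LDIF is a
# constructed excerpt whose SPN strings are placeholders too.

LDAP_URI="${LDAP_URI:-ldaps://dc1.example.com:636}"                        # assumption
BASE_DN="${BASE_DN:-DC=example,DC=com}"                                    # assumption
BIND_DN="${BIND_DN:-CN=svc-exacq,OU=Service Accounts,DC=example,DC=com}"   # assumption
BIND_PW_FILE="${BIND_PW_FILE:-/etc/exacq/ldap-bind.pw}"                    # assumption, mode 0600

# Dump every servicePrincipalName in the domain as unwrapped LDIF.
dump_spns() {
    ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$BASE_DN" '(servicePrincipalName=*)' servicePrincipalName
}

# Read LDIF on stdin; succeed if the given SPN is registered. The match is
# case-insensitive, the way setspn -X compares SPNs.
spn_is_registered() {
    grep -qiF "servicePrincipalName: $1"
}

# Read LDIF on stdin; print "spn<TAB>dn1<TAB>dn2..." for every SPN that is
# registered on more than one object. No output means no duplicates.
duplicate_spns() {
    awk '
        /^dn: /                   { dn = substr($0, 5) }
        /^servicePrincipalName: / { spn = tolower(substr($0, 23))
                                    owners[spn] = owners[spn] "\t" dn
                                    n[spn]++ }
        END { for (s in owners) if (n[s] > 1) print s owners[s] }
    ' | sort
}

# Constructed sample: the same SPN on the service account and on the computer
# object, differing only in case, which is still a duplicate.
SAMPLE_LDIF='dn: CN=svc-exacq,OU=Service Accounts,DC=example,DC=com
servicePrincipalName: HTTP/exacq-server.example.com

dn: CN=EXACQ-SERVER,OU=Servers,DC=example,DC=com
servicePrincipalName: HOST/exacq-server.example.com
servicePrincipalName: http/exacq-server.example.com'

duplicates_in_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | duplicate_spns
}

# Stand-alone usage: ./spn_check.sh --run [SPN-to-confirm]
if [ "${BASH_SOURCE:-}" = "$0" ] && [ "${1:-}" = "--run" ]; then
    ldif="$(dump_spns)" || exit 1
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$ldif" | spn_is_registered "$2" \
            && echo "registered: $2" || echo "NOT registered: $2"
    fi
    dups="$(printf '%s\n' "$ldif" | duplicate_spns)"
    [ -z "$dups" ] && echo "no duplicate SPNs" || printf 'DUPLICATE SPNs:\n%s\n' "$dups"
fi
```

Run it as `./spn_check.sh --run` once the server has been allowed to register its SPN; any line under DUPLICATE SPNs must be resolved on the domain side before single sign-on will work.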