
Enabling Active Directory for Orchid Fusion

NOTE: Active Directory is supported only in Orchid Fusion 2.0.0 or later.

 

Prerequisites

To configure Orchid Fusion to work with Active Directory, you will need an Active Directory server that:

  • Is reachable from your Orchid Fusion server
  • Contains at least one Active Directory user who is a member of at least one Active Directory group

 

Required Configuration Properties

To configure Orchid Fusion, edit the fusion.properties file found in either:

  • C:\Program Files\IPConfigure\Fusion\conf\fusion.properties
  • /etc/opt/fusion/fusion.properties

Set the following properties before restarting your Orchid Fusion server:

  • authentication.mode=active.directory
  • authentication.active.directory.servers=<domain>|<domainServerAddress>
  • authentication.active.directory.admin.groups=<domain>\\<group>

Here is a snippet of an example fusion.properties file with Active Directory enabled for the domain ‘malibu.beach’ with server address ‘192.168.105.46’. It grants Orchid Fusion administrator access to users in the ‘FusionAdmins’ Active Directory group.

authentication.mode=active.directory
authentication.active.directory.servers=malibu.beach|192.168.105.46
authentication.active.directory.admin.groups=malibu.beach\\FusionAdmins

 

In this example, the user ‘FusionAdmin’ is a member of the group ‘FusionAdmins’ on the ‘malibu.beach’ Active Directory server.



Logging in using Active Directory

After restarting the Orchid Fusion server and reloading Orchid Fusion in your browser, log in with your Active Directory username and password, using the email-style notation <userid>@<domain>.



 

Configuring Active Directory Groups in Fusion

Once logged in, to configure additional Active Directory groups, navigate to ‘Permission Groups’.

You will see some example permission groups with no Active Directory group mappings and a Fusion Administrator group for your domain.

 

If you edit the domain admin group, you will see the Active Directory Group Mappings for your domain.

In this example, any user who is a member of the Active Directory group ‘FusionAdmins’ will be able to log into Orchid Fusion and be granted Orchid Fusion administrator access. Note that nested Active Directory groups are supported, so if ‘FusionAdmins’ had ‘DomainAdmins’ as a member, any user in the ‘DomainAdmins’ group will be able to log into Orchid Fusion with administrator access.

In this second example, the Active Directory groups ‘Viewers’ and ‘Testers’ are mapped into the Orchid Fusion Live Viewer group, which only grants Live view access (no playback).

Note that it is possible for an Active Directory user to be a member of many groups. Orchid Fusion will check all group mappings for that user, and all permissions granted by any Orchid Fusion group will be granted to the user. So, for example, an Active Directory user who is a member of both Viewers and FusionAdmins will be granted Orchid Fusion administrator access.

 

Troubleshooting

If your administrator Active Directory user is unable to log in, but you believe the mappings have been configured correctly, check the fusion.log file on the Orchid Fusion server found in:

  • c:\Program Files\IPConfigure\Fusion\logs\fusion.log
  • /var/logs/fusion/fusion.log

During server startup, the list of configured Orchid Fusion administrator Active Directory mappings is logged, e.g.:

14:33:46.804 [main] INFO  c.i.f.i.Init03ActiveDirectoryAdminGroupsInitializer - Administrator active directory groups: malibu.beach\\FusionAdmins

Also, a failed login attempt will show the list of Active Directory groups the user is a member of, e.g.:

14:32:48.888 [XNIO-1 task-21] INFO  c.i.f.u.a.ActiveDirectoryAuthenticator - Active directory user: nofusionaccess@malibu.beach successfully authenticated with domain: malibu.beach server address: 192.168.105.46 but failed to authenticate with Fusion because the user is not a member of any active directory groups authorized by Fusion.

nofusionaccess@malibu.beach is a member of active directory domain: malibu.beach groups:
malibu.beach\\Developers
malibu.beach\\Domain Users
Fusion has authorized domain: malibu.beach groups:
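
The failed-login entries above can be reviewed mechanically. The following Python sketch is an added example, not part of Orchid Fusion or the original article: it extracts each login that passed Active Directory authentication but was refused by Fusion, and reports why. The second log entry in the sample is constructed, and the one-per-line layout of the authorized group list is an assumption, since the article's sample shows that list empty.

```python
import re

# Constructed sample in the format of the fusion.log excerpts above. Assumption:
# authorized groups are listed one per line, as the member groups are.
SAMPLE = r"""14:32:48.888 [XNIO-1 task-21] INFO  c.i.f.u.a.ActiveDirectoryAuthenticator - Active directory user: nofusionaccess@malibu.beach successfully authenticated with domain: malibu.beach server address: 192.168.105.46 but failed to authenticate with Fusion because the user is not a member of any active directory groups authorized by Fusion.

nofusionaccess@malibu.beach is a member of active directory domain: malibu.beach groups:
malibu.beach\\Developers
malibu.beach\\Domain Users
Fusion has authorized domain: malibu.beach groups:
malibu.beach\\FusionAdmins
14:40:02.115 [XNIO-1 task-7] INFO  c.i.f.u.a.ActiveDirectoryAuthenticator - Active directory user: guest@malibu.beach successfully authenticated with domain: malibu.beach server address: 192.168.105.46 but failed to authenticate with Fusion because the user is not a member of any active directory groups authorized by Fusion.

guest@malibu.beach is a member of active directory domain: malibu.beach groups:
malibu.beach\\Domain Users
Fusion has authorized domain: malibu.beach groups:
"""

TIMESTAMPED = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} \[")
MEMBER_HDR = re.compile(r"^(\S+@\S+) is a member of active directory domain: (\S+) groups:$")
AUTH_HDR = re.compile(r"^Fusion has authorized domain: \S+ groups:$")

def rejected_logins(log_text):
    """Collect users who passed AD authentication but matched no Fusion group mapping."""
    records, current, target = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        member = MEMBER_HDR.match(line)
        if member:
            current = {"user": member.group(1), "domain": member.group(2),
                       "member_of": [], "authorized": []}
            records.append(current)
            target = current["member_of"]
        elif current and AUTH_HDR.match(line):
            target = current["authorized"]
        elif TIMESTAMPED.match(line):
            current = target = None  # a new log entry ends the group listing
        elif line and target is not None:
            target.append(line)
    return records

def diagnose(record):
    """Explain why Fusion refused the user, based on the logged group lists."""
    if not record["authorized"]:
        return f"no AD groups are authorized for {record['domain']}: check admin.groups and Permission Groups"
    return f"{record['user']} is in none of the authorized groups: {', '.join(record['authorized'])}"

for rec in rejected_logins(SAMPLE):
    print(rec["user"], "->", diagnose(rec))
```

An empty authorized list, as in the article's own excerpt, points at the Fusion side (the admin groups property or the Permission Groups mappings) rather than at the user's Active Directory memberships.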

 
