NOTE: Active Directory is supported only in Orchid Fusion 2.0.0 or later.
Prerequisites
To configure Orchid Fusion to work with Active Directory, you will need an Active Directory server that:
- Is reachable from your Orchid Fusion server
- Contains at least one Active Directory user who is a member of at least one Active Directory group
Required Configuration Properties
To configure Orchid Fusion, edit the fusion.properties file found in either:
- C:\Program Files\IPConfigure\Fusion\conf\fusion.properties
- /etc/opt/fusion/fusion.properties
Set the following properties before restarting your Orchid Fusion server:
- authentication.mode=active.directory
- authentication.active.directory.servers=<domain1>|ldap(s)://<domainServerAddress1>,<domain2>|ldap(s)://<domainServerAddress2>
- authentication.active.directory.admin.groups=<domain>\\<group> (Optional)
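A pre-restart check for the three properties above, added here as an example (it is not IPConfigure's code). It flags server entries that do not match <domain>|ldap(s)://<address>, entries that use ldap:// rather than ldaps:// (LDAP over TLS), and admin groups whose domain has no server entry. The function names, the comma separator for multiple admin groups, and the sample's corp.example and lab.example domains are assumptions.

```python
import re

PREFIX = "authentication.active.directory."

def load_properties(text):
    """Minimal key=value reader; values are kept exactly as written in the file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_ad_config(text):
    """Return (servers, findings) for the Active Directory properties."""
    props, findings, servers = load_properties(text), [], {}
    if props.get("authentication.mode") != "active.directory":
        findings.append("authentication.mode is not active.directory")
    for entry in filter(None, props.get(PREFIX + "servers", "").split(",")):
        m = re.fullmatch(r"([^|]+)\|(ldaps?)://(.+)", entry.strip())
        if not m:
            findings.append(f"malformed server entry: {entry.strip()}")
            continue
        domain, scheme, address = m.groups()
        servers[domain.lower()] = (scheme, address)
        if scheme == "ldap":
            findings.append(f"{domain}: uses ldap:// rather than ldaps://")
    if not servers:
        findings.append("no valid Active Directory server entries")
    # Assumption: multiple admin groups are comma-separated, like the servers list.
    for group in filter(None, props.get(PREFIX + "admin.groups", "").split(",")):
        # The documented form uses a doubled backslash between domain and group.
        domain, sep, name = group.strip().partition("\\\\")
        if not sep or not name:
            findings.append(f"admin group not written as <domain>\\\\<group>: {group.strip()}")
        elif domain.lower() not in servers:
            findings.append(f"admin group domain has no server entry: {domain}")
    return servers, findings

# Constructed sample: the page's malibu.beach values plus made-up example domains.
SAMPLE = r"""
authentication.mode=active.directory
authentication.active.directory.servers=malibu.beach|ldap://192.168.105.46,corp.example|ldaps://dc1.corp.example
authentication.active.directory.admin.groups=malibu.beach\\FusionAdmins,lab.example\\Admins
"""

if __name__ == "__main__":
    print("\n".join(check_ad_config(SAMPLE)[1]))
```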
Here is a snippet of an example fusion.properties file with Active Directory enabled for the domain ‘malibu.beach’ with server address ‘192.168.105.46’, granting Orchid Fusion administrator access to users in the ‘FusionAdmins’ Active Directory group.
authentication.mode=active.directory
authentication.active.directory.servers=malibu.beach|ldap://192.168.105.46
authentication.active.directory.admin.groups=malibu.beach\\FusionAdmins
In this example, the following screenshot shows a user ‘FusionAdmin’ who is a member of the group ‘FusionAdmins’ on the ‘malibu.beach’ Active Directory server:
Logging in using Active Directory
After restarting the Orchid Fusion server and reloading Orchid Fusion in your browser, log in with your Active Directory username and password, using the email-style notation <userid>@<domain>:
Configuring Active Directory Groups in Fusion
Once logged in, to configure additional Active Directory groups, navigate to ‘Permission Groups’:
You will see some example permission groups with no Active Directory group mappings, and you may see a Fusion Administrator group for your domain.
If you edit the domain admin group, you will see the Active Directory Group Mappings for your domain, e.g.:
In this example, any user who is a member of the Active Directory group ‘FusionAdmins’ will be able to log into Orchid Fusion and be granted Orchid Fusion administrator access. Note that nested Active Directory groups are supported, so if ‘FusionAdmins’ had ‘DomainAdmins’ as a member, any user in the ‘DomainAdmins’ group will be able to log into Orchid Fusion with administrator access.
In this second example, the Active Directory groups ‘Viewers’ and ‘Testers’ are mapped into the Orchid Fusion Live Viewer group which only grants Live view access (no playback):
Note that it is possible for an Active Directory user to be a member of many groups. Orchid Fusion will check all group mappings for that user, and all permissions granted by any Orchid Fusion group will be granted to the user. So, for example, an Active Directory user who is a member of both Viewers and FusionAdmins will be granted Orchid Fusion administrator access.
Troubleshooting
If your administrator Active Directory user is unable to log in, but you believe the mappings have been configured correctly, check the fusion.log file on the Orchid Fusion server found in:
- c:\Program Files\IPConfigure\Fusion\logs\fusion.log
- /var/logs/fusion/fusion.log
During server startup, the list of configured Orchid Fusion administrator Active Directory mappings is logged, e.g.:
14:33:46.804 [main] INFO c.i.f.i.Init03ActiveDirectoryAdminGroupsInitializer - Administrator active directory groups: malibu.beach\\FusionAdmins
Also, a failed login attempt will log the list of Active Directory groups the user is a member of, e.g.:
14:32:48.888 [XNIO-1 task-21] INFO c.i.f.u.a.ActiveDirectoryAuthenticator - Active directory user: nofusionaccess@malibu.beach successfully authenticated with domain: malibu.beach server address: 192.168.105.46 but failed to authenticate with Fusion because the user is not a member of any active directory groups authorized by Fusion.
nofusionaccess@malibu.beach is a member of active directory domain: malibu.beach groups:
malibu.beach\\Developers
malibu.beach\\Domain Users
Fusion has authorized domain: malibu.beach groups:
Comments
1 comment
Is it possible to use the UserPrincipalName field instead of sAMAccountName?