Configuration of AVIX Server
Overview
Instructions on how to configure an AVIX Server to be able to auto-synchronize configured LDAP Groups in the access control system in AVIX.
Initial Server Setup
Install AVIX Server
Download the installer from Solme Community or go directly to the latest AVIX v5.1 release here. The Solme Community requires an account that can be requested via instruction found here.
Run the installer "AVIX v5.1.XX (64-bit).exe" to install the AVIX server. By default it is installed in the folder "C:\Solme AB\AVIX Server" and should look similar to this (content may vary a bit).
Configure AVIX Server
To use auto synchronization of LDAP Groups, a few settings must first be made on the AVIX Server. They are made in the configuration/se.solme.avix.prefs file. A file example.se.solme.avix.prefs in the same folder can be used as a template if a new se.solme.avix.prefs file is needed.
When all configurations have been made, restart the AVIX Server to make them apply.
Configuring LDAP Server
The AVIX Server needs a way to find the domain controller that should be used as the synchronization source for LDAP Groups. A domain controller can sometimes be found automatically without any extra configuration if the AVIX Server is run by a domain user, but if that is not the case, an explicit server must be configured. The default user that runs the AVIX Server when it is installed as a service is the Local Service user (NT AUTHORITY\LocalService), which is a local user and not a domain user.
The preference that controls the domain controller setting in se.solme.avix.prefs belongs to the se.solme.avix.security scope and has the key LOGON_SERVER.
[se.solme.avix.security]
LOGON_SERVER=server.company.com
Configuring LDAP Credentials
To be able to read domain user data, a set of credentials must be provided. By default this is read from a file auth.txt in the root of the AVIX Server installation.
The auth.txt file should be a text file containing domain user credentials, one set of credentials per row. Multiple rows are allowed, and they are tried from top to bottom until one works. It is recommended to provide only one valid user to make the authentication process quicker.
Allowed credential formats are:
- domain/user,password
- domain,user,password
Example auth.txt file content:
COMPANY/syncuser,syncuserpassword
Since this file contains confidential credentials, it is advisable to assign appropriate security permissions to it. The user (account) running the AVIX Server service needs Read permission on this file.
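As an added example (not AVIX code), a small Python parser and lint for the two auth.txt row formats described above. It assumes that in either form the password is everything after the user field, so commas in passwords are accepted; the page does not state whether AVIX allows that.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Credential:
    domain: str
    user: str
    password: str


def parse_auth_line(line: str) -> Credential:
    """Parse one row in 'domain/user,password' or 'domain,user,password' form."""
    line = line.strip()
    if "/" in line.split(",", 1)[0]:
        # Slash form: the password is everything after the first comma
        # (assumption: AVIX does not document whether passwords may hold commas).
        domain_user, password = line.split(",", 1)
        domain, user = domain_user.split("/", 1)
    else:
        # Comma form: domain, user, then the rest as password (same assumption).
        parts = line.split(",", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed credential row: {line!r}")
        domain, user, password = parts
    domain, user = domain.strip(), user.strip()
    if not (domain and user and password):
        raise ValueError(f"empty field in credential row: {line!r}")
    return Credential(domain, user, password)


def parse_auth_file(text: str) -> List[Credential]:
    """Return credentials in file order; the server tries them top to bottom."""
    return [parse_auth_line(row) for row in text.splitlines() if row.strip()]


def lint_auth_file(text: str) -> List[str]:
    """Warnings worth raising before the file is deployed next to the server."""
    creds = parse_auth_file(text)
    warnings = []
    if not creds:
        warnings.append("auth.txt contains no credential rows")
    if len(creds) > 1:
        warnings.append(f"{len(creds)} rows: each is tried in turn, keep one valid user")
    return warnings


# Constructed sample: the page's example row plus a second, comma-form row.
SAMPLE = "COMPANY/syncuser,syncuserpassword\n\nCOMPANY,oldsync,oldpassword\n"
```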
Configuring LDAP Scan Interval
By default the AVIX Server scans all existing LDAP Groups in the access control system once every hour. This scan makes sure that all LDAP Groups that have been configured to auto synchronize are included in the auto synchronization mechanism with their configured cron expression.
During initial preparations and tests a shorter interval can be useful, and it can be configured in the configuration/se.solme.avix.prefs file. The preference that controls this belongs to the se.solme.avix.security.storage scope and has the key avix.scheduler.storagescan.cronexpr. The value should be a Quartz cron expression; see https://www.quartz-scheduler.org/documentation/quartz-2.3.0/tutorials/crontrigger.html for details.
Example: fire the scan every 2 minutes.
[se.solme.avix.security.storage]
avix.scheduler.storagescan.cronexpr = 0 0/2 * * * ?
It is recommended to go back to a less frequent schedule for cron expressions used on LDAP Groups when moving closer to production as frequent execution of LDAP queries may be taxing for domain controllers.
The scan expression in the se.solme.avix.prefs file should also be less frequent, but scanning every couple of hours should be fine even in production.
