
Configuration of AVIX Server

Overview

Instructions on how to configure an AVIX Server to be able to auto-synchronize configured LDAP Groups in the access control system in AVIX.

Initial Server Setup


Install AVIX Server

Download the installer from Solme Community or go directly to the latest AVIX v5.1 release here. The Solme Community requires an account, which can be requested via the instructions found here.

Run the installer "AVIX v5.1.XX (64-bit).exe" to install the AVIX server. By default it is installed in the folder "C:\Solme AB\AVIX Server" and should look similar to this (content may vary a bit).


Configure AVIX Server

To be able to use the auto synchronization of LDAP Groups, some things need to be configured on the AVIX Server to make that possible. Configurations can be done in the configuration/se.solme.avix.prefs file. There is a file example.se.solme.avix.prefs in the same folder that can be used as a template if a new se.solme.avix.prefs-file is needed.

When all configurations have been made, restart the AVIX Server to make them apply.

Configuring LDAP Server

The AVIX Server needs a way to find the domain controller that should be used as the synchronization source for LDAP Groups. A domain server can sometimes be found automatically without any extra configuration if the AVIX Server is run by a domain user, but if that is not the case, an explicit server should be configured. The default user that runs the AVIX Server when it is installed as a service is the Local Service user (NT AUTHORITY\LocalService), which is a local user and not a domain user.

The preference that controls the domain server setting in the se.solme.avix.prefs-file belongs to the se.solme.avix.security scope and has the key LOGON_SERVER.

[se.solme.avix.security]
LOGON_SERVER=server.company.com

Main LDAP preferences

This is a list of the most commonly used LDAP related preferences. These are not only of use for AVIX Server, but also for AVIX Desktop where they come into play when working with LDAP groups in the security view. 

Scope: se.solme.avix.security
Key: LOGON_SERVER

LDAP server to use. Can be specified with or without scheme and port.

Examples:

Scope: se.solme.avix.security
Key: LDAP_DEFAULT_SCHEME
[Since AVIX v5.1.17]

Specifies which scheme generated LDAP URIs should use. Generated LDAP URIs are used for LDAP server values that do not contain a scheme.

Allowed values are

  • ldap
  • ldaps

Default value is ldap

Example: Provided LDAP server is LDAPServer, default scheme is ldap, no LDAP_PORT is set.
Generated LDAP URI then becomes ldap://LDAPServer:389

Scope: se.solme.avix.security
Key: LDAP_ALLOW_UNENCRYPTED_FALLBACK
[Since AVIX v5.1.17]

Specifies whether an attempt should be made to use unencrypted LDAP as a fallback when the startTLS call fails for an LDAP connection. Only active when the LDAP server scheme is ldap (not ldaps).

Allowed values are

  • true
  • false

Default value is false

Scope: se.solme.avix.security
Key: LDAP_PORT

Port that generated LDAP URIs will get when the ldap scheme is active.

Allowed value is a number in the range (0..65535]

Default value is 389

Scope: se.solme.avix.security
Key: LDAPS_PORT
[Since AVIX v5.1.17]

Port that generated LDAP URIs will get when the ldaps scheme is active.

Allowed value is a number in the range (0..65535]

Default value is 636
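The following Python snippet is an added example, not part of this page or of AVIX itself: it parses a prefs file in the [scope] / key=value layout shown above, derives the generated LDAP URI from LOGON_SERVER, LDAP_DEFAULT_SCHEME, LDAP_PORT and LDAPS_PORT as the preferences above describe, and flags the combination (ldap scheme plus unencrypted fallback) that can leave the sync account's bind in cleartext. The sample prefs content and host name are constructed, and returning a LOGON_SERVER value that already carries a scheme unchanged is an assumption.

```python
import re
# Constructed sample in the [scope]/key=value layout shown on this page (fallback=true on purpose).
SAMPLE_PREFS = """\
[se.solme.avix.security]
LOGON_SERVER=dc01.example.internal
LDAP_DEFAULT_SCHEME=ldap
LDAP_ALLOW_UNENCRYPTED_FALLBACK=true
[se.solme.avix.security.storage]
avix.scheduler.storagescan.cronexpr = 0 0/2 * * * ?
"""

def parse_prefs(text):
    """Read '[scope]' headers and 'key = value' rows into {scope: {key: value}}."""
    scopes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            scopes.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            scopes[current][key.strip()] = value.strip()
    return scopes

def generated_ldap_uri(sec):
    """URI AVIX generates from LOGON_SERVER plus the scheme/port keys of one
    scope dict; a value that already carries a scheme is returned unchanged (assumption)."""
    server = sec.get("LOGON_SERVER", "")
    if re.match(r"^ldaps?://", server):
        return server
    scheme = sec.get("LDAP_DEFAULT_SCHEME", "ldap")
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"LDAP_DEFAULT_SCHEME must be ldap or ldaps, got {scheme!r}")
    key, default = ("LDAPS_PORT", 636) if scheme == "ldaps" else ("LDAP_PORT", 389)
    port = int(sec.get(key, default))
    if not 0 < port <= 65535:
        raise ValueError(f"{key} must be in (0..65535], got {port}")
    return f"{scheme}://{server}:{port}"

def findings(prefs):
    """Warn about settings that leave the sync account's bind exposed on the wire."""
    sec, out = prefs.get("se.solme.avix.security", {}), []
    if not sec.get("LOGON_SERVER"):
        out.append("LOGON_SERVER unset: LocalService is not a domain user, discovery may fail")
    fallback = sec.get("LDAP_ALLOW_UNENCRYPTED_FALLBACK", "false").lower() == "true"
    if sec.get("LDAP_DEFAULT_SCHEME", "ldap") == "ldap" and fallback:
        out.append("LDAP_ALLOW_UNENCRYPTED_FALLBACK=true: cleartext bind if startTLS fails")
    return out
```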

Configuring LDAP Credentials

To be able to read domain user data, a set of credentials must be provided. By default this is read from a file auth.txt in the root of the AVIX Server installation.

This auth.txt file should be a text file containing domain user credentials, one set of credentials per row. Multiple rows are allowed and they are used from top to bottom until one works. It is recommended to provide only one valid user to make the authentication process go quicker.

Allowed credentials formats are

  • domain/user,password
  • domain,user,password

Example auth.txt file content:

COMPANY/syncuser,syncuserpassword

Since this file contains confidential credentials, it is advisable that you assign the appropriate security permissions to it. The user (account) running the AVIX server service will need Read permission to this file. 
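An added example (not the page's or AVIX's own code) that parses auth.txt rows in the two formats listed above and tries them top to bottom until one binds, as the text describes. The file content and fake_bind are constructed; the page does not say how the server treats malformed rows, so this parser only reports them by line number.

```python
# Constructed auth.txt content: both formats the page allows, in file order, plus
# one malformed row; only the second row is accepted by the stand-in bind below.
SAMPLE_AUTH = """\
COMPANY/olduser,expiredpassword
COMPANY,syncuser,syncuserpassword
this row has no credentials
"""

def parse_auth_rows(text):
    """Return (creds, bad): (domain, user, password) tuples in file order, and the
    line numbers of rows matching neither 'domain/user,password' nor
    'domain,user,password' (assumption: such rows are reported, not fatal)."""
    creds, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        row = raw.strip()
        if not row:
            continue
        head, sep, rest = row.partition(",")
        if sep and "/" in head:                   # domain/user,password
            domain, user = head.split("/", 1)
            password = rest                       # password may itself contain commas
        elif sep and "," in rest:                 # domain,user,password
            domain, user, password = head, *rest.split(",", 1)
        else:
            bad.append(lineno)
            continue
        if domain and user and password:
            creds.append((domain, user, password))
        else:
            bad.append(lineno)
    return creds, bad

def first_working(creds, bind):
    """Try rows top to bottom, as the server does, and return the first credential
    that binds together with the number of attempts it took."""
    for attempt, cred in enumerate(creds, 1):
        if bind(cred):
            return cred, attempt
    return None, len(creds)

def fake_bind(cred):
    """Stand-in for a real LDAP bind, used only by this example."""
    return cred == ("COMPANY", "syncuser", "syncuserpassword")
```

Every row above the working one costs a failed bind against the domain controller, which is why the page recommends a single valid user.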

Configuring LDAP Scan Interval

By default the AVIX Server scans over all existing LDAP Groups in the access control system once every hour. This scan makes sure that all LDAP Groups that have been configured to auto synchronize are updated to be part of the auto synchronization mechanism with their configured cron expression.

During initial preparations and tests a shorter interval can be useful, and it can be configured in the configuration/se.solme.avix.prefs file. The preference that controls this belongs to the se.solme.avix.security.storage scope and has the key avix.scheduler.storagescan.cronexpr. The value should be a Quartz cron expression; see https://www.quartz-scheduler.org/documentation/quartz-2.3.0/tutorials/crontrigger.html for details.

Example: fire the scan every 2 minutes.

[se.solme.avix.security.storage]
avix.scheduler.storagescan.cronexpr = 0 0/2 * * * ?

It is recommended to go back to a less frequent schedule for the cron expressions used on LDAP Groups when moving closer to production, as frequent execution of LDAP queries may be taxing for domain controllers.
The scan expression in the se.solme.avix.prefs file should also be less frequent, but scanning every couple of hours should be fine even in production.