Add an AD Server

The basic steps to add an AD server are as follows:
  1. Configure the AD server: Set basic information and configuration information about the AD server.
  2. Synchronize mapping rules: Set the login attribute, and the user/organization mapping between AD and the cloud.
  3. Confirm and submit the configurations: Check the configured information about the AD server. Note that you can go back to the previous step by clicking the Edit icon to modify the configurations.
The following is an example of adding an AD server to the cloud.
Table 1. AD server configuration
  Parameter                  Example Value
  Primary Server IP/Domain   172.20.198.187
  SSL/TLS Encryption         Supported
  Primary Port               636
  Base DN                    dc=adtest,dc=zs
  User DN                    CN=Administrator,CN=Users,DC=adtest,DC=zs
  Password                   password
  Filter Rule                (&(name=filterName)(description=departure))
Table 2. User mapping rule
  Parameters in the Cloud    AD Parameters
  Login Attribute            cn
  User Name                  cn
  Name                       name
  Phone Number               telephoneNumber
  Mail                       mail
  Identifier                 employeeID
  Description                description
Table 3. Organization mapping rule
  Parameters in the Cloud    AD Parameters
  Mapping Type               Group
  Name                       cn
  Description                description
  1. Configure the AD server: Configure basic information about the AD server.
    1. In the navigation pane of the ZStack Private Cloud UI, choose Advanced Function > Enterprise Management > 3rd Party Authentication.
    2. Click Add AD/LDAP Server.
    3. In the Server Type field, select AD.
    4. Configure the following parameters:
      • Basic Information
        • Name: Enter a name for the AD server.
        • Description: Optional. Enter a description for the AD server.
        • Primary Server IP/Domain: Enter the IP address or domain name of the primary server.
        • SSL/TLS Encryption: Specify whether to enable SSL/TLS encryption. The checkbox is selected by default.
          • When selected, SSL/TLS encryption is enabled, and the port number is 636 by default. You can customize the port number as needed.
          • When cleared, SSL/TLS encryption is not enabled, and the port number is 389 by default. You can customize the port number as needed.
        • Primary Port: Enter the port number of the primary server.
        • Secondary Server IP/Domain: Optional. Enter the IP address or domain name of the secondary server.
        • Secondary Port: Optional. Enter the port number of the secondary server.
      • Configuration
        • Base DN: Enter the base DN. It specifies the point from which to search for an AD user or an AD organization.
        • User DN: Enter the user DN. It specifies the user that can search for all users under the base DN.
        • Password: Enter the login password of the corresponding user under the user DN.
        • Filter Rule: Set the filter rule that filters, under the base DN, the users that are not to be synchronized.
          Note:
          • The maximum length of the filter rule is determined by the AD server configuration. A filter rule longer than the allowed length is invalid.
          • The syntax of the filter rule follows that of AD filter rules. For example, the filter rule (&(name=Bob)(description=departure)) filters out the user or users named Bob with the description departure under the base DN. For more information about the AD filter rule syntax, see the Microsoft website.
        • Test Connection: Test the connection between the AD server and the cloud.
          • If the connection succeeds, click Next for further steps.
          • If the connection fails, modify the configuration and test the connection again until the connection succeeds.
          • You can also skip Test Connection and directly click Next. The system will test the connection automatically and go to the next step if the connection succeeds.
    As shown in Figure 1.
    Figure 1. Configure AD server

  2. Synchronize mapping rules: Set the login attribute, and the user/organization mapping between AD and the cloud.
    Configure the following parameters:
    • Login Attribute (for AD Authentication): Set the login attribute. It determines the type of AD accounts that can be authorized to log in to the cloud.

      For example, if the attribute cn is mapped as the login attribute, the synchronized AD user logs in to the cloud with the corresponding value of cn in AD (for example, Bob).

    • User Mapping: Set the user mapping between AD and the cloud.
      • User Name: Set the mapping of the user name between AD and the cloud.

        For example, if the attribute cn is mapped as the user name, the user name of the synchronized AD user in the cloud is the corresponding value of cn in AD (for example, Bob).

        Note:
        • The user name in the cloud must be unique.
        • If the user name is identical to an existing one, a random code is added to the user name of the synchronized AD user.
      • Name: Set the mapping of the name between AD and the cloud.

        For example, if the attribute name is mapped as the name, the name of the synchronized AD user in the cloud is the corresponding value of name in AD (for example, Tom).

      • Phone Number: Optional. Set the mapping of the phone number between AD and the cloud.

        For example, if the attribute telephoneNumber is mapped as the phone number, the phone number of the synchronized AD user in the cloud is the corresponding value of telephoneNumber in AD (for example, 13800000000).

      • Mail: Optional. Set the mapping of the email address between AD and the cloud.

        For example, if the attribute mail is mapped as the email address, the email address of the synchronized AD user in the cloud is the corresponding value of mail in AD (for example, xxx@xxx.com).

      • Identifier: Optional. Set the mapping of the identifier between AD and the cloud.

        For example, if the attribute employeeID is mapped as the identifier, the identifier of the synchronized AD user in the cloud is the corresponding value of employeeID in AD (for example, 001).

      • Description: Optional. Set the mapping of the description between AD and the cloud.

        For example, if the attribute description is mapped as the description, the description of the synchronized AD user in the cloud is the corresponding value of description in AD (for example, senior developer).

      • Custom Attributes: Customize the user attributes. You can add up to 5 custom attributes at one time.
        Examples:
        • System User Attribute: Set the system user attribute. It may duplicate one of the attributes mapped above.

          For example, if the attribute employeeID is mapped as the system user attribute, the system user attribute of the synchronized AD user in the cloud is the corresponding value of employeeID in AD (for example, 001).

        • AD/LDAP User Attribute: Set the AD user attribute.

          For example, if the attribute cn is mapped as the AD user attribute, the AD user attribute of the synchronized AD user in the cloud is the corresponding value of cn in AD (for example, Bob).

    • Organization Mapping: Set the organization mapping between AD and the cloud. The AD organization under the base DN can be synchronized to the cloud by Group or by OU.
      • Synchronize Organization Mapping: Specify whether to synchronize the organization according to the organization mapping rule. This checkbox is deselected by default.
        • When deselected, the AD organization will not be synchronized to the cloud when AD server is added.
        • When selected, the AD organization under the base DN will be synchronized to the cloud.
      • Mapping Type: Select the organization mapping type.
        • Group: This parameter specifies the corresponding child domain according to the group type, and synchronizes the AD organization under the domain to the cloud. (Recommended)
        • OU: This parameter specifies the corresponding child domain according to the OU type, and synchronizes the AD organization under the domain to the cloud.
      • Name: Set the mapping of the organization name between AD and the cloud.

        For example, if the attribute cn is mapped as the organization name, the organization name of the synchronized AD organization in the cloud is the corresponding value of cn in AD (for example, development department).

      • Description: Optional. Set the mapping of the organization description between AD and the cloud.

        For example, if the attribute description is mapped as the organization description, the organization description of the synchronized AD organization in the cloud is the corresponding value of description in AD (for example, backend development department).

    • Next: Click Next. Then the system will test the configurations automatically and synchronize the mapping rule if the test succeeds.
      • If the test fails, modify the configurations and click Next to perform the test again until the test succeeds.
    As shown in Figure 2.
    Figure 2. Synchronize mapping rules

  3. Confirm and submit the configurations.

    Check the configured information about the AD server. Note that you can go back to the previous step by clicking the Edit icon to modify the configurations.

    As shown in Figure 3.
    Figure 3. Confirm and submit

  • After the AD server is added, the admin, platform admin, and platform members can view the synchronized users and organizations.
    As shown in Figure 4 and Figure 5.
    Figure 4. 3rd Party Users
    Figure 5. Organization

  • The admin, platform admin, and platform members can perform the following operations on the AD server:
    • Test Connection:
      Test the connection between the AD server and the cloud. If the connection fails, troubleshoot the issue according to the following possible reasons:
      • Authentication against the AD server IP or port failed. Check whether the AD server is available, and whether the IP address or port has changed.
      • Binding with the user DN or password failed. Use the latest valid user DN and password within the base DN.
    • Modify Mapping Rule:
      Modify the synchronized user mapping rule and the organization mapping rule.
      Note: The modified mapping rule will take effect when the AD server is synchronized next time.
    • Synchronize:
      Synchronizing the AD server obtains the latest user list and organizations.
      Note: After synchronization, users that no longer exist in AD are placed in the deleted state and can no longer log in to the cloud.
    • Delete:
      Delete the AD server.
      Note: If you delete an AD server, the users and organizations synchronized to the Cloud will also be deleted. However, the users and organizations in the source AD server are not affected.
    • Modify Configuration: Modify the configurations, including the base DN, user DN, password, and filter rule.
      • If the configurations are modified, the AD server will be updated according to the latest configurations. Please exercise caution.
      • The modified configurations will take effect when the AD server is synchronized next time.
      • You can click Synchronize or enable Auto Synchronize to trigger the AD server synchronization.
      • After synchronization, users that no longer exist in AD are placed in the deleted state and cannot log in to the cloud any more.
      As shown in Figure 6.
      Figure 6. Modify Configuration

    • Auto Synchronize: Automatically synchronize the latest user list and organizations according to the specified synchronization cycle.
      • If enabled, the latest user list and organizations will be synchronized according to the specified synchronization cycle.
      • After synchronization, users that no longer exist in AD are placed in the deleted state and cannot log in to the cloud any more.
      As shown in Figure 7.
      Figure 7. Auto Synchronize

    • Convert to Local User: Convert the users in the deleted state to the local users.
      • The converted local users inherit their original data. For example, they inherit their original permissions in certain projects.
      • The converted local users can log in to the cloud again after their passwords are changed.
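The following is an added example (not ZStack's own code) that models the user mapping rule of step 2 together with the Synchronize and Convert to Local User operations above: AD entries are mapped through Table 2, a duplicate user name receives a random code, users missing from the latest AD list move to the deleted state, and a deleted user can be converted to a local user. The AD entries are constructed sample data; the distinguishedName key, the `state` values and the `password_reset_required` flag are assumptions of this example.

```python
import secrets

# Mapping rules from Table 2 of this page: cloud attribute -> AD attribute.
USER_MAPPING = {"user_name": "cn", "name": "name", "phone": "telephoneNumber",
                "mail": "mail", "identifier": "employeeID", "description": "description"}
LOGIN_ATTRIBUTE = "cn"  # the AD value the synchronized user logs in with

def map_user(entry, mapping=USER_MAPPING, login_attr=LOGIN_ATTRIBUTE):
    """Build one cloud user record from an AD entry (a dict of attribute -> value)."""
    user = {cloud: entry.get(ad) for cloud, ad in mapping.items()}  # optional ones may be None
    user["login"] = entry[login_attr]
    user["state"] = "active"
    return user

def synchronize(existing, ad_entries, suffix=lambda: secrets.token_hex(2)):
    """One synchronization pass; `existing` and the result are keyed by the AD
    distinguishedName (assumption), `suffix` supplies the random code for duplicates."""
    cloud = {dn: dict(user) for dn, user in existing.items()}  # never mutate the input
    taken = {user["user_name"] for user in cloud.values()}
    present = set()
    for entry in ad_entries:
        dn = entry["distinguishedName"]
        present.add(dn)
        mapped = map_user(entry)
        if dn in cloud:
            # Already synchronized: refresh attributes, keep the user name assigned earlier.
            mapped["user_name"] = cloud[dn]["user_name"]
        elif mapped["user_name"] in taken:
            # Page rule: a user name identical to an existing one gets a random code.
            mapped["user_name"] = f'{mapped["user_name"]}_{suffix()}'
        taken.add(mapped["user_name"])
        cloud[dn] = mapped
    for dn, user in cloud.items():
        if dn not in present:
            user["state"] = "deleted"  # page rule: such users can no longer log in
    return cloud

def convert_to_local(cloud, dn):
    """Convert a user in the deleted state to a local user, keeping its data."""
    user = cloud[dn]
    if user["state"] != "deleted":
        raise ValueError("only users in the deleted state can be converted")
    # Assumption: the local user must set a new password before logging in again.
    return dict(user, state="local", password_reset_required=True)

# Constructed sample AD entries (not real directory data); both have cn=Bob.
AD_USERS = [
    {"distinguishedName": "CN=Bob,CN=Users,DC=adtest,DC=zs", "cn": "Bob", "name": "Tom",
     "telephoneNumber": "13800000000", "mail": "xxx@xxx.com", "employeeID": "001",
     "description": "senior developer"},
    {"distinguishedName": "CN=Bob,OU=Dev,DC=adtest,DC=zs", "cn": "Bob", "name": "Bob Two",
     "employeeID": "002"},
]
```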