Managing AD Accounts
AD access to User Portal is granted by configuring LDAP providers for User Portal. This section gives an example of how to add, modify, and disable LDAP providers. Note that the actual setup depends on your AD configuration.
You can enable AD access to User Portal by adding LDAP providers to User Portal. The high-level workflow is the following:
- If the LDAP provider uses a TLS-protected connection (LDAPS or StartTLS), set the CA certificate of the AD server as a trusted certificate on the User Portal machine.
- Add the LDAP provider configuration to User Portal.
You can make the CA certificate of the AD server trusted as follows:
- Gain root terminal access to the User Portal machine.
- Place the CA certificate of the AD server in the following file on the User Portal machine, which is where User Portal reads its trusted certificates for AD connections:
/etc/adauth-ca.crt
When using multiple AD servers, the /etc/adauth-ca.crt file must contain the CA certificates of all the AD servers.
If your AD server sends its intermediate-CA certificates during the TLS handshake, it is sufficient to add only the trusted root-CA certificate to /etc/adauth-ca.crt. Otherwise, you must add the CA certificate of the AD server and the entire CA-certificate chain up to a trusted root CA. A missing intermediate is the usual reason a connection test fails with a certificate-verification error even though the root CA is present.
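The steps above, as an added example that is not part of the PrivX manual: a POSIX shell script that builds /etc/adauth-ca.crt from one PEM file per AD server (or per CA in the chain), refuses files that do not contain a complete certificate block, and then checks an AD server's certificate chain against the bundle with openssl s_client. It assumes the certificates are in PEM format and that OpenSSL is installed on the User Portal machine; the input file names and host names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the PrivX manual: assemble /etc/adauth-ca.crt from one
# PEM file per AD server (or per CA in the chain) and confirm an AD server's chain
# verifies against it. Input file names and host names are hypothetical; the output
# path is the one the manual names. Run as root on the User Portal machine.
set -eu

# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_ca_bundle OUT FILE...: concatenate PEM files into OUT. Every input must hold
# at least one complete BEGIN/END CERTIFICATE block; a truncated paste is the usual
# reason a bundle silently trusts nothing. Prints the number of certificates written.
build_ca_bundle() {
    bundle_out=$1; shift
    bundle_tmp=$(mktemp)
    for pem in "$@"; do
        begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null || true)
        ends=$(grep -c -- '-----END CERTIFICATE-----' "$pem" 2>/dev/null || true)
        if [ "${begins:-0}" -eq 0 ] || [ "${begins:-0}" -ne "${ends:-0}" ]; then
            echo "build_ca_bundle: $pem is not a complete PEM certificate file" >&2
            rm -f "$bundle_tmp"
            return 1
        fi
        cat "$pem" >> "$bundle_tmp"
        # a file without a trailing newline would glue its END line to the next BEGIN
        if [ -n "$(tail -c1 "$pem")" ]; then echo >> "$bundle_tmp"; fi
    done
    install -m 0644 "$bundle_tmp" "$bundle_out"
    rm -f "$bundle_tmp"
    count_certs "$bundle_out"
}

# check_ad_tls HOST PORT BUNDLE [starttls]: open a TLS session to the AD server and
# report whether its chain validates against BUNDLE. Use port 636 for LDAPS, or
# port 389 with "starttls" for a StartTLS connection. Needs network access.
check_ad_tls() {
    ad_host=$1; ad_port=$2; ca_bundle=$3; ad_mode=${4:-ldaps}
    starttls_opt=""
    if [ "$ad_mode" = starttls ]; then starttls_opt="-starttls ldap"; fi
    # "Verify return code: 0 (ok)" means the chain in BUNDLE is sufficient; any other
    # code on a depth=N line names the certificate that is missing or untrusted.
    # shellcheck disable=SC2086
    openssl s_client -connect "$ad_host:$ad_port" -servername "$ad_host" \
        -CAfile "$ca_bundle" $starttls_opt </dev/null 2>&1 \
        | grep -E '^depth=|Verify return code'
}

# Usage (as root):
#   sh adauth-ca.sh build /root/dc1-chain.pem /root/dc2-chain.pem
#   sh adauth-ca.sh check ad.example.com 636 /etc/adauth-ca.crt
#   sh adauth-ca.sh check ad.example.com 389 /etc/adauth-ca.crt starttls
case "${1:-}" in
    build) shift; build_ca_bundle /etc/adauth-ca.crt "$@" ;;
    check) shift; check_ad_tls "$@" ;;
esac
```

Run the check once per AD server listed in the bundle; the script only confirms that the chain validates, it does not check that the name in the certificate matches the URL you will configure, so compare the subject printed by openssl with the host name in the LDAP provider URL.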
Your AD must provide the following attribute statements for matching User Portal accounts:
- Statement matching User Portal users' username
- Statement matching User Portal users' email
- Statement matching User Portal users' UPN
You can add AD configurations to User Portal on the LDAP providers page in the Management Portal. To add an LDAP provider to User Portal, you must provide the AD connection and search parameters.
- In the Management Portal, on the LDAP providers page, click Add LDAP provider.
- Provide the following information related to your AD connection and search parameters.
Note: The search parameters must correspond to an AD search that returns exactly the users who are to be given access to User Portal; every account the search returns can log in through this provider.
  - Name: A free-text name for identifying this LDAP provider. The name is displayed on the User Portal log-in page as a possible Authentication provider.
  - URL: The address of the AD service. For example, ldap://ad.example.com:389 or ldaps://ad.example.com:636. A plain ldap:// URL is only protected if Use start TLS is set to On.
  - Base: The base distinguished name for all objects, used as the root of the search. For example, DC=ad,DC=example,DC=com
  - Schema: The layout type used by the LDAP service. Can be Active Directory or POSIX.
  - Scope: The scope of the search. Can be one of the following:
    - Subtree: Return the base element and all child elements.
    - Base: Return the base element, and nothing else.
    - One: Return the direct children of the base object.
  - Bind Distinguished Name (Optional): The distinguished name used for binding to the AD server. For example, CN=alice,cn=Users,dc=example,dc=com or alice@example.com. If left unspecified, bind is performed using the user name of the application owner as they log in.
  Note: The bind user should not have administrator privileges; read privileges are enough.
  - Bind Password (Optional): The password used for binding to the AD server. If left unspecified, bind is performed using the password of the application owner as they log in.
  - Filter (Optional): LDAP filter string to restrict which directory accounts are accepted. For example (objectClass=user)(memberOf=examplegroup). In AD, memberOf holds the group's distinguished name, so give the group as a full DN (for example memberOf=CN=examplegroup,OU=Groups,DC=example,DC=com) rather than by its short name. If the filter is unspecified, the filter defaults to (objectClass=posixAccount) with a POSIX schema, and to (objectCategory=person)(objectClass=user) with an Active Directory schema.
  - Use start TLS: Set to On to use TLS (StartTLS) on non-LDAPS URLs. With an ldap:// URL and this setting Off, the bind password and the passwords of users logging in are sent to the AD server unencrypted.
- After you have filled in the required information, click Save to add the LDAP provider. The new LDAP provider should now be listed in the LDAP providers section of the page.
- Optional: Verify that User Portal is able to connect to the LDAP provider. Click the menu icon next to the LDAP provider entry and select Test to test its connection. The results of the connection test are displayed at the top right corner of the page.
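The connection test only shows whether User Portal can bind; it does not show which accounts the search parameters will admit. The following added example, which is not part of the PrivX manual, turns the LDAP provider fields into an ldapsearch command that runs the same search, so the result set can be inspected before the provider is saved. The AND-wrapping of the filter clauses and the attributes requested (sAMAccountName, mail and userPrincipalName for an Active Directory schema; uid and mail for POSIX) are this script's own choices for reproducing the search; the manual does not state how the portal composes its query or which attributes it reads. Host names and DNs are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the PrivX manual: build an ldapsearch command from the
# LDAP provider fields so the admitted accounts can be reviewed before saving.
# Assumptions: the (&...) wrapping and the attribute names are this script's choices;
# host names and DNs are hypothetical.
set -eu

# scope_flag SCOPE: map the portal's Scope setting to the -s value ldapsearch takes.
scope_flag() {
    case "$1" in
        Subtree) echo sub ;;
        Base)    echo base ;;
        One)     echo one ;;
        *) echo "scope_flag: unknown scope '$1'" >&2; return 1 ;;
    esac
}

# default_filter SCHEMA: the filter the manual says applies when the Filter field is empty.
default_filter() {
    case "$1" in
        "Active Directory") echo '(objectCategory=person)(objectClass=user)' ;;
        POSIX)              echo '(objectClass=posixAccount)' ;;
        *) echo "default_filter: unknown schema '$1'" >&2; return 1 ;;
    esac
}

# search_filter SCHEMA [CLAUSES]: one syntactically complete filter ldapsearch accepts.
# The portal's Filter field takes a list of clauses; joined with AND they become a
# valid filter even when there is only one clause.
search_filter() {
    clauses=${2:-$(default_filter "$1")}
    echo "(&$clauses)"
}

# tls_mode URL STARTTLS: ldaps, starttls, or cleartext.
tls_mode() {
    case "$1" in
        ldaps://*) echo ldaps ;;
        ldap://*)  if [ "$2" = On ]; then echo starttls; else echo cleartext; fi ;;
        *) echo "tls_mode: unsupported URL '$1'" >&2; return 1 ;;
    esac
}

# ldapsearch_cmd URL BASE SCOPE SCHEMA FILTER BIND_DN STARTTLS
# Prints the command. Refuses a cleartext configuration: a simple bind over plain
# ldap:// without StartTLS sends the bind password unencrypted.
ldapsearch_cmd() {
    url=$1; base=$2; scope=$3; schema=$4; filter=$5; bind_dn=${6:-}; starttls=${7:-Off}
    mode=$(tls_mode "$url" "$starttls")
    if [ "$mode" = cleartext ]; then
        echo "ldapsearch_cmd: $url without StartTLS is cleartext; use ldaps:// or set Use start TLS to On" >&2
        return 1
    fi
    opts="-x -H $url -b \"$base\" -s $(scope_flag "$scope")"
    # -ZZ makes ldapsearch abort if StartTLS fails instead of falling back to cleartext
    if [ "$mode" = starttls ]; then opts="$opts -ZZ"; fi
    # without a bind DN the portal binds as the logging-in user; for the pre-flight
    # test you supply your own credentials here
    if [ -n "$bind_dn" ]; then opts="$opts -D \"$bind_dn\" -W"; fi
    case "$schema" in
        "Active Directory") attrs="sAMAccountName mail userPrincipalName" ;;
        *)                  attrs="uid mail" ;;
    esac
    echo "ldapsearch $opts \"$(search_filter "$schema" "$filter")\" $attrs"
}

# Usage:
#   sh ldap-preflight.sh print ldaps://ad.example.com:636 "DC=ad,DC=example,DC=com" \
#       Subtree "Active Directory" "" "CN=alice,CN=Users,DC=example,DC=com" Off
case "${1:-}" in
    print) shift; ldapsearch_cmd "$@" ;;
esac
```

Run the printed command and enter the bind password at the -W prompt. Every entry it returns is an account the provider will accept, so the list should contain exactly the intended users; if it is longer than expected, tighten the Filter (for example with a memberOf clause) or narrow the Base and Scope before saving the provider.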
To review or modify the details of an existing LDAP provider:
- On the LDAP providers page, click the LDAP provider entry you want to review.
- In the LDAP Provider details panel you can review and modify the settings of the LDAP provider. Click Save to save your changes. Alternatively, click Cancel to exit the LDAP Provider details panel without saving.
You can disable LDAP providers, preventing User Portal access from LDAP accounts belonging to the disabled LDAP provider. Disabled LDAP providers can later be re-enabled to once again allow access:
- On the LDAP providers page, click the menu icon next to the LDAP provider you want to disable or enable, and select Disable or Enable.
Then verify that the Enabled status of the LDAP provider is updated in the LDAP Providers list.
You can also remove an LDAP provider from the User Portal system, preventing User Portal access from LDAP accounts belonging to that LDAP provider:
- On the LDAP providers page, click the menu icon next to the LDAP provider you want to remove, and select Remove.
Then verify that the LDAP provider is no longer shown in the LDAP Providers list.
If your AD users take multiple minutes to log in to User Portal, verify that the AD settings are correct in both User Portal and Key Manager. For more information about setting up Active Directories for Key Manager, see the PrivX Key Manager Installation Manual.