Perform this task to manage LDAP servers and synchronization settings. An authentication server manages and verifies user accounts. Synchronization settings are used for synchronizing OU configuration from authentication servers after authentication servers are configured.
An authentication server manages and validates user accounts. The system supports the following types of authentication servers:
Lightweight Directory Access Protocol (LDAP) server—LDAP is an open protocol for accessing directory information services. The LDAP directories are organized in a tree structure. The root of the tree typically defines a country (c=CN) or domain name (dc=com), and organizations or organization units (OUs) are under the root. An OU might include user, computer, and printer information. As a unified authentication solution, LDAP can rapidly provide user search results. It is applicable to scenarios with high concurrency of authentication requests.
Microsoft Active Directory (AD)—AD is an application entity of LDAP, including the LDAP server and LDAP application (Windows domain server). The Windows domain server, which stores Active Directory, is a database containing user accounts, passwords, and computers in domains. A user can use a username and password to access all the resources that are allowed in a domain. Once the user changes the password, the entire domain can synchronize the new password.
Authentication servers are applicable to scenarios with high network security and unified user management.
Create an authentication server—Associate the actual deployed authentication servers with Space Console.
Synchronize OU configurations immediately—Synchronize user information from the authentication server.
Deploy Microsoft AD or generic LDAP servers on the network and configure users on the servers.
For domain users that use cloud desktops in a desktop pool to be added to a domain, assign the desktop pool to domain users and specify an OU for the pool. Local LDAP users are not required to join a domain.
From the left navigation pane, select System > Auth Collaboration > Primary Auth > LDAP Auth.
Click Create Authentication Server.
Configure the authentication server parameters as described in "Parameters."
Click Connectivity Test to verify that the server is reachable.
Click Save.
Server Address: Specify the IP address or domain name of an authentication server. Make sure Space Console can reach the authentication server. If the Microsoft AD server is deployed in primary/secondary mode or load balancing mode, you must specify the domain name of the Microsoft AD server. Otherwise, primary/secondary server switchover or load balancing might fail.
Server Type: Specify the type of the authentication server. Options include Generic LDAP Server and Microsoft Active Directory.
NETBIOS: Configure the NetBIOS information of the authentication server. This parameter is available only for the Microsoft AD server. If the Microsoft AD server runs an operating system earlier than Windows 2000, you must configure this parameter so that cloud desktops can correctly join domains.
Server Version: Specify the version of the authentication server. Options include 2 and 3. The default is 3.
Security Control: Configure security control for the authentication server. Options include:
Allow Server Data Update: Allow administrators to manage domain users or user groups on Space Console. If you do not select this parameter, administrators do not have the privileges to manage (such as create, edit, and delete) domain users, domain user groups, LDAP users, or LDAP user groups.
Enable Secure Connection: Use SSL to secure connections to the domain server. Before you enable secure connection, make sure the authentication server supports TLS 1.2.
Auth Password Encryption Algorithm: Select an encryption algorithm for the user authentication password when creating or editing LDAP users on Space Console. You can select only MD5 or SHA. This parameter is available if a generic LDAP server is selected as an authentication server.
Port Number: Specify the port number of the authentication server. The default is 389 if security control is disabled and 636 if security control is enabled.
Base DN: Specify the base DN used for communication with the authentication server. Specify the IP address of the authentication server, click the icon for base DN selection, and then select a base DN.
Admin DN: Specify the administrator DN used for communication with the authentication server.
Current Admin Password: Specify the administrator password used for communication with the authentication server.
Login Name Attribute Name: Configure the login name attribute.
If you select Generic LDAP Server for the Server Type parameter, the default login name attribute is cn.
If you select Microsoft Active Directory for the Server Type parameter, the default login name attribute is sAMAccountName.
User Name Attribute Name: Configure the user name attribute for obtaining the user information from the LDAP server.
E-mail Attribute Name: Configure the e-mail attribute for obtaining the user information from the LDAP server. This parameter is available if a generic LDAP server is selected as an authentication server.
Telephone Attribute Name: Configure the telephone attribute for obtaining the user information from the LDAP server.
Password Attribute Name: Configure the password attribute for obtaining the user information from the LDAP server. This parameter is available if a generic LDAP server is selected as an authentication server.
Department Attribute Name: Configure the department attribute for obtaining the user information from the LDAP server. This parameter is available if a generic LDAP server is selected as an authentication server.
Sync User Group: Configure whether to allow user groups on the LDAP server and local LDAP user groups on Space Console to synchronize with each other. This parameter is available only for the generic LDAP server.
If you select Enabled, the system will synchronize users and user groups from the LDAP server to Space Console. Additionally, changes to the users and user groups on Space Console will also be synchronized to the LDAP server.
If you select Disabled, the system will synchronize only users from the LDAP server to Space Console. It will not synchronize user groups from the LDAP server to Space Console or changes to users or user groups on Space Console to the LDAP server.
Unique Identifier Attribute Name: Customize the unique identifier attribute for users on the LDAP server.
User Filtering Rules: Specify filtering rules for Space Console to obtain users from the LDAP server. After you configure these rules, only the users matching the filtering rules can be obtained.
User Group Filtering Rules: Specify filtering rules for Space Console to obtain user groups from the LDAP server. After you configure these rules, only the user groups matching the filtering rules can be obtained.
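The following added example (not Space Console code) shows how the Login Name Attribute Name and User Filtering Rules parameters combine into a single LDAP search filter, applying the page's defaults (cn for a generic LDAP server, sAMAccountName for Microsoft AD), escaping the login name per RFC 4515, and rejecting a rule with unbalanced parentheses before it reaches the server. The server-type strings and the sample rule are assumptions made for illustration.

```python
# Added example, not Space Console code: builds the LDAP search filter implied by the
# "Login Name Attribute Name" and "User Filtering Rules" parameters and checks that a
# configured rule is well formed before it is sent to the authentication server.
from typing import Optional

# Defaults stated on the page: cn for a generic LDAP server, sAMAccountName for Microsoft AD.
LOGIN_ATTR_DEFAULT = {
    "Generic LDAP Server": "cn",
    "Microsoft Active Directory": "sAMAccountName",
}

def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves so a typed login name cannot
    change the structure of the filter (e.g. 'j*' would otherwise become a wildcard)."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)

def is_balanced(rule: str) -> bool:
    """A filtering rule with unbalanced parentheses is rejected by the server;
    catch it before the connectivity test rather than during synchronization."""
    depth = 0
    for ch in rule:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0

def build_user_filter(server_type: str, user_rule: str = "",
                      login_name: Optional[str] = None,
                      login_attr: Optional[str] = None) -> str:
    """AND the configured User Filtering Rule with an exact match on the login
    name attribute (default chosen per server type) into one RFC 4515 filter."""
    attr = login_attr or LOGIN_ATTR_DEFAULT[server_type]
    parts = []
    if user_rule:
        if not is_balanced(user_rule):
            raise ValueError("User Filtering Rules: unbalanced parentheses")
        parts.append(user_rule if user_rule.startswith("(") else f"({user_rule})")
    if login_name is not None:
        parts.append(f"({attr}={escape_filter_value(login_name)})")
    if not parts:
        return "(objectClass=*)"  # no rule configured: every entry under the Base DN
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"

if __name__ == "__main__":
    # Constructed inputs: an AD rule restricting sync to user objects, plus one login name.
    print(build_user_filter("Microsoft Active Directory",
                            "(&(objectCategory=person)(objectClass=user))", "jdoe"))
```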
Connection Timeout: Set the timeout period for connections between the authentication server and Space Console or clients. The default value is 30 seconds. When you test connectivity to the authentication server or save the authentication server configuration, Space Console attempts to connect to the authentication server and returns a connection failure message if it still has not connected when this timeout period expires. After login, a client likewise attempts to connect to the authentication server and returns a connection failure message if no connection attempt succeeds before the timeout period expires.
Trust Domain Configuration: Select whether to enable trust domain configuration. By default, this parameter is disabled. If you enable Trust Domain Configuration, configure the following parameters:
Trust Way: Select a trust way. Options include Mutual Trust and One-Way Trust. Select the trust way based on the trust relationship of the actual domain controllers. For example, the trust relationship between a tree domain and a sub-domain is a mutual trust relationship.
Trust Domain IP: Specify the IP address or domain name of the domain controller that provides authentication services. Make sure that Space Console can reach the specified IP address or domain name.
Trust Domain Base DN: Specify the base DN used for communication with the authentication server. To configure the system to automatically populate this field, click Click to Obtain Base DN after you specify the IP address of the authentication server.
Trust Domain Server Version: Specify the version of the authentication server. Options include 2 and 3. The default is 3.
Trust Domain Port: Specify the port number of the authentication server. The default is 389 if security control is disabled and 636 if security control is enabled.
Trust Domain Admin DN: Specify the administrator DN used for communication with the authentication server.
Trust Domain Admin Password: Specify the administrator password used for communication with the authentication server.
After you enable trust domain configuration for an authentication server, and configure Mutual Trust or One-Way Trust for the authentication server, desktops can be assigned to the trust domain.
From the left navigation pane, select System > Auth Collaboration > Primary Auth > LDAP Auth.
Click Edit from the Actions column of an authentication server, and edit parameters as described in "Parameters."
Click Connectivity Test to verify that the server is reachable.
Click Save.
Perform this task to synchronize OUs on all servers in the list. If a user with the same login name exists on a generic LDAP authentication server, you must modify the login name before synchronizing all OUs.
To immediately synchronize OUs:
From the left navigation pane, select System > Auth Collaboration > Primary Auth > LDAP Auth.
Click Sync OUs Now.
Perform this task to set the time for periodically synchronizing all OUs on authentication servers.
To synchronize OUs on schedule:
From the left navigation pane, select System > Auth Collaboration > Primary Auth > LDAP Auth.
Click Scheduled OU Sync.
In the dialog box that opens, set the execution time, and click OK.
Perform this task to synchronize OU configuration information from authentication servers after authentication servers are configured. An OU is a container that you use to organize objects, such as user accounts, groups, computers, printers, applications, files, and other OUs.
On Microsoft AD servers, OUs are used to organize domain users, domain user groups, and LDAP authentication administrators.
On generic LDAP servers, OUs are used to organize LDAP users, LDAP user groups, and LDAP authentication administrators.
After you synchronize OU configurations from authentication servers to Space Console, user accounts on the authentication servers are synchronized. To use the user accounts to log in to teacher or student clients or campus space in an education scenario, you must first change the type of the users to Teaching Staff or Student. For more information about how to change the user type, see the guide for AD users, AD user groups, LDAP users, or LDAP user groups.
From the left navigation pane, select System > Auth Collaboration > Primary Auth > LDAP Auth.
Select an authentication server to add synchronization settings, and click Create.
Configure the name of the OU configuration, and select a subdomain base DN.
Select Synchronize to LDAP Server.
Click OK.
Perform this task to synchronize OU configuration information (such as user accounts in OUs) from the selected authentication servers immediately. After synchronization finishes, you need to refresh the page. If a user with the same login name exists on a generic LDAP authentication server, you must modify the login name before synchronizing all OU configurations.
From the left navigation pane, select System > Auth Collaboration > Primary Auth > LDAP Auth.
Select an authentication server to synchronize OU configurations, and click Sync Now.
Synchronize OU configurations by using one of the following methods:
To bulk synchronize all OU configurations, click Sync Now above the OU configuration list.
To synchronize an OU configuration, click Sync Now from the Actions column of the OU configuration.
From the left navigation pane, select System > Auth Collaboration > Primary Auth > LDAP Auth.
Click Edit from the Actions column of an OU configuration in the OU configuration list.
In the dialog box that opens, edit the name and subdomain base DN.
Click OK.
From the left navigation pane, select System > Auth Collaboration > Primary Auth > LDAP Auth.
Click Delete in the Actions column of an OU configuration in the OU configuration list. Deleting an OU configuration will delete all users and user groups in the OU.
In the dialog box that opens, click OK.