Name
|
The name of the authentication provider. You can have multiple providers for different domains.
|
Description
|
Free text description of the authentication provider.
|
Type
|
The type of authentication provider: Active Directory or LDAP.
|
Domains
|
The collection of administratively defined objects that share a common directory database, security policies, and trust relationships. A domain can span multiple physical locations or sites and can contain millions of objects.
Example: mycompany.com
If an alternate UPN suffix is configured in Active Directory, the Domains field must also contain that alternate suffix. For example, if myco is added as an alternate UPN suffix for mycompany.com, the Domains field must contain both myco and mycompany.com; otherwise logins of the form user@myco are not matched to this provider.
|
Server URLs
|
The LDAP or LDAPS (LDAP over TLS) URL of the domain controller. The default port for LDAP is 389; the default port for LDAPS is 636. Prefer LDAPS: with plain LDAP, the simple bind that ECS performs as the Manager DN sends the Manager Password across the network in cleartext.
You can specify one or more LDAP or LDAPS server URLs for an authentication provider.
Example: ldap://<Domain controller FQDN>:<port> or ldaps://<Domain controller FQDN>:<port>. The port can be omitted when it is the default.
If the authentication provider spans a multidomain forest, use a global catalog server and always specify the port number. The default global catalog port for LDAP is 3268; for LDAPS it is 3269.
Example: ldap(s)://<Global catalog server FQDN>:<port>
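The following is an added example, not ECS code, that applies the Server URLs rules above to a list of entries before they are typed into the portal: it accepts only ldap:// and ldaps://, fills in the default ports 389 and 636, insists on an explicit port for a global catalog server, and flags plaintext ldap:// entries. The function names and the warning text are mine.

```python
"""Check ECS-style authentication provider Server URLs entries.

Added example, not ECS code. The rules come from the Server URLs description:
ldap:// or ldaps://, default ports 389/636, and global catalog servers
(3268/3269) must always carry an explicit port. Function names are mine.
"""
from urllib.parse import urlsplit

# Default ports from the Server URLs description.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
GLOBAL_CATALOG_PORTS = {"ldap": 3268, "ldaps": 3269}


def resolve_server_url(url, global_catalog=False):
    """Return (host, port, uses_tls) for one Server URLs entry.

    Raises ValueError for a scheme other than ldap/ldaps, a missing host,
    or a global catalog URL with no explicit port.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; use ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("missing domain controller host")
    if parts.port is None:
        if global_catalog:
            raise ValueError(
                "global catalog URL must carry an explicit port "
                f"(normally {GLOBAL_CATALOG_PORTS[scheme]})")
        port = DEFAULT_PORTS[scheme]
    else:
        port = parts.port
    return parts.hostname, port, scheme == "ldaps"


def check_server_urls(urls, global_catalog=False):
    """Validate a list of Server URLs entries.

    Returns (resolved, warnings): resolved holds (host, port, uses_tls)
    tuples; warnings lists entries that use plaintext ldap://, over which
    the Manager DN simple bind sends the Manager Password unencrypted.
    """
    resolved, warnings = [], []
    for url in urls:
        host, port, tls = resolve_server_url(url, global_catalog)
        resolved.append((host, port, tls))
        if not tls:
            warnings.append(f"{url}: simple bind credentials cross the wire in cleartext; prefer ldaps://")
    return resolved, warnings


if __name__ == "__main__":
    # Constructed sample entries for a provider with two domain controllers.
    ok, warn = check_server_urls(["ldaps://dc1.mycompany.com", "ldap://dc2.mycompany.com:389"])
    print(ok)
    print(warn)
```

Run the block directly to see the resolved (host, port, TLS) tuples and the warning for the plaintext entry; pass global_catalog=True when the provider covers a multidomain forest so that a missing port is rejected rather than defaulted.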
|
Manager DN
|
The Active Directory bind user account (managerdn) that ECS uses to connect to the Active Directory or LDAP server. ECS uses this account to search Active Directory when an ECS administrator specifies a user for role assignment.
This account must have the Read all inetOrgPerson information permission in Active Directory. The inetOrgPerson object class is used in several non-Microsoft LDAP and X.500 directory services to represent people in an organization.
To set this privilege in Active Directory:
- Open Active Directory Users and Computers.
- Right-click the domain, select Delegate Control, and then click Next.
- In the Delegation of Control Wizard, click Next, and then click Add.
- In the Select Users, Computers, or Groups dialog box, select the user that you are using for managerdn, and then click Next.
- On the Tasks to Delegate page, under Delegate the following common tasks, select the Read all inetOrgPerson information task, and then click Next.
- Click Finish.
In the example CN=Manager,CN=Users,DC=mydomaincontroller,DC=com, the Active Directory bind user is Manager, in the Users container of the mydomaincontroller.com domain. Usually managerdn is a dedicated account with fewer privileges than Administrator but with sufficient privileges to query Active Directory for user attributes and group information. Do not use a domain administrator account here: ECS stores and reuses its password, and the read permission delegated above is all the account needs.
Important: You must update this user account in ECS if the managerdn credentials change in Active Directory.
|
Manager Password
|
The password of the managerdn user.
Important: You must update this password in ECS if the managerdn credentials change in Active Directory.
|
Providers
|
This setting is Enabled by default when adding an authentication provider. ECS validates the connectivity of the enabled authentication provider and that the name and domain of the enabled authentication provider are unique.
Select Disabled only if you want to add the authentication provider to ECS, but you do not immediately want to use it for authentication. ECS does not validate the connectivity of a disabled authentication provider, but it does validate that the authentication provider name and domain are unique.
|
Group Attribute
|
This attribute applies only to Active Directory; it does not apply to other types of authentication providers.
The AD attribute that is used to identify a group. Used for searching the directory by groups.
Example: CN
NOTE After you set this attribute for an AD authentication provider, you cannot change it, because the tenants using this provider might already have role assignments and permissions configured with group names in a format that uses this attribute.
|
Group Whitelist
|
This setting applies only to Active Directory; it does not apply to other types of authentication providers.
Optional. One or more group names as defined by the authentication provider. This setting filters the group membership information that ECS retrieves about a user.
- When one or more groups are included in the whitelist, ECS is aware only of a user's membership in those groups. Multiple values (one value on each line in the ECS Portal, and comma-separated values in the CLI and API) and wildcards (for example MyGroup*,TopAdminUsers*) are allowed.
- The default setting is blank. ECS is aware of all groups that a user belongs to. Asterisk (*) is the same as blank.
Example:
UserA belongs to Group1 and Group2.
If the whitelist is blank, ECS knows that UserA is a member of Group1 and Group2.
If the whitelist is Group1, ECS knows that UserA is a member of Group1, but does not know that UserA is a member of Group2 (or of any other group).
Use care when adding a whitelist value. For example, if you map users to a namespace based on group membership, ECS must be aware of the user's membership in that group, so the group must also be in the whitelist; otherwise the mapping silently fails for those users.
To restrict access to a namespace to only users of certain groups, complete the following tasks.
- Add the groups to the namespace user mapping. The namespace is configured to accept only users of these groups.
- Add the groups to the whitelist. ECS is authorized to receive information about them.
By default, if no groups are added to the namespace user mapping, users from any groups are accepted, regardless of the whitelist configuration.
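The following is an added example, not ECS code, that models the Group Whitelist and namespace user mapping behaviour described above on the UserA case, including the misconfiguration the description warns about (a mapping group that the whitelist hides). Two details are my assumptions, since the text does not state them: group names compare case-insensitively, as Active Directory group names do, and a wildcard entry such as MyGroup* is matched as a shell-style glob.

```python
"""Model the ECS Group Whitelist and namespace user mapping rules.

Added example, not ECS code. Assumptions (mine, not from the page):
group names compare case-insensitively and a whitelist entry containing
* is matched as a glob (MyGroup* matches MyGroup1, MyGroupAdmins, ...).
"""
from fnmatch import fnmatchcase


def visible_groups(user_groups, whitelist):
    """Return the subset of user_groups that ECS would be aware of.

    A blank whitelist, or one containing a bare *, exposes every group.
    Otherwise a group is visible only if it matches at least one entry.
    """
    patterns = [p.strip() for p in whitelist if p.strip()]
    if not patterns or "*" in patterns:
        return list(user_groups)
    return [g for g in user_groups
            if any(fnmatchcase(g.lower(), p.lower()) for p in patterns)]


def namespace_accepts(user_groups, whitelist, mapping_groups):
    """Model the namespace user mapping check from the description.

    With no mapping groups configured, any user is accepted regardless of
    the whitelist. Otherwise the user needs membership in a mapping group
    that ECS can see, i.e. one that also survives the whitelist filter.
    """
    if not mapping_groups:
        return True
    seen = {g.lower() for g in visible_groups(user_groups, whitelist)}
    return any(m.lower() in seen for m in mapping_groups)


# Constructed sample: UserA from the description belongs to Group1 and Group2.
USER_A = ["Group1", "Group2"]

if __name__ == "__main__":
    print(visible_groups(USER_A, []))          # blank whitelist: both groups
    print(visible_groups(USER_A, ["Group1"]))  # only Group1 is visible
    # Namespace mapped to Group2 while the whitelist only passes Group1:
    # UserA is refused, which is the misconfiguration the text warns about.
    print(namespace_accepts(USER_A, ["Group1"], ["Group2"]))
    # Adding Group2 to the whitelist as well restores access.
    print(namespace_accepts(USER_A, ["Group1", "Group2"], ["Group2"]))
```

The last two calls are the practical check: whenever a namespace user mapping names a group, run the same group through visible_groups with the provider's whitelist and confirm it survives.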
|
Search Scope
|
The levels to search. Possible values are:
- One Level (search for users one level under the search base)
- Subtree (search the entire subtree under the search base)
|
Search Base
|
The Base Distinguished Name that ECS uses to search for users or AD groups at login time and when assigning roles or setting ACLs.
The following example searches for all users in the Users container.
CN=Users,DC=mydomaincontroller,DC=com
The following example searches for all users in the Users container in the myGroup organizational unit. Note that a search base DN is written from the leaf level up to the domain level, which is the reverse of the top-down tree shown in the Active Directory Users and Computers snap-in.
CN=Users,OU=myGroup,DC=mydomaincontroller,DC=com
|
Search Filter
|
The LDAP search filter that ECS uses to select the user object; %u is replaced with the name the user enters at login.
Example: userPrincipalName=%u
NOTE ECS does not validate this value when you add the authentication provider, so a typo here surfaces only as failed logins.
If an alternate UPN suffix is configured in Active Directory, the Search Filter value must be of the format sAMAccountName=%U, where %U is the username with the domain part removed.
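The following is an added example, not ECS code, covering the two points made under Search Base and Search Filter: it parses a search base DN to show the leaf-first order against the top-down view of the Active Directory Users and Computers snap-in, and it expands the %u / %U placeholders of a Search Filter template. How ECS itself substitutes the placeholders is not stated on the page, so this is my reading of it: %u receives the login name as typed, %U receives it with any @suffix or DOMAIN\ prefix stripped, and the substituted value is escaped per RFC 4515 so that a crafted login name cannot change the structure of the filter.

```python
"""Search Base DN parsing and Search Filter expansion.

Added example, not ECS code. Assumptions (mine): %u is the login name as
typed, %U is the login name without its domain part, and substituted values
are escaped per RFC 4515 (\\, *, (, ) and NUL become \\5c \\2a \\28 \\29 \\00).
"""
import re


def parse_dn(dn):
    """Split a DN such as CN=Users,OU=myGroup,DC=example,DC=com into
    (attribute, value) pairs, leaf first. An escaped comma (\\,) stays
    inside its value; other RFC 4514 escapes are passed through untouched."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]   # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    rdns = []
    for p in parts:
        attr, _, value = p.strip().partition("=")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def domain_of(dn):
    """Join the DC components back into the DNS domain name."""
    return ".".join(v for a, v in parse_dn(dn) if a.upper() == "DC")


def aduc_path(dn):
    """The same DN as the ADUC snap-in shows it: domain at the top, then
    each container down to the leaf (the reverse of the DN's own order)."""
    containers = [v for a, v in parse_dn(dn) if a.upper() != "DC"]
    return [domain_of(dn)] + list(reversed(containers))


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def expand_search_filter(template, login):
    """Fill %u (name as typed) and %U (name without domain) in a filter template."""
    bare = login.split("@", 1)[0]          # drop a UPN suffix such as @myco
    bare = bare.rsplit("\\", 1)[-1]        # drop a DOMAIN\ prefix
    values = {"%u": escape_filter_value(login), "%U": escape_filter_value(bare)}
    return re.sub(r"%[uU]", lambda m: values[m.group(0)], template)


if __name__ == "__main__":
    base = "CN=Users,OU=myGroup,DC=mydomaincontroller,DC=com"
    print(parse_dn(base))
    print(aduc_path(base))
    print(expand_search_filter("userPrincipalName=%u", "alice@mycompany.com"))
    print(expand_search_filter("sAMAccountName=%U", "alice@myco"))
    # A login name carrying filter metacharacters is neutralised by escaping.
    print(expand_search_filter("sAMAccountName=%U", "*)(objectClass=*"))
```

The last call shows why the escaping matters: without it the login name would close the sAMAccountName assertion and inject a second one, turning a lookup for one user into a match on any object.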
|