
ECS 3.5.0.1 Administration Guide


AD or LDAP authentication provider settings

You must provide authentication provider information when you add or edit an AD or LDAP authentication provider. You can also customize the LDAP certificate that ECS uses for authentication.

Table 1. AD or LDAP authentication provider settings (field, description, and requirements)

Name

The name of the authentication provider. You can have multiple providers for different domains.

Description

Free text description of the authentication provider.

Type

The type of authentication provider: Active Directory or LDAP.

Domains

The collection of administratively defined objects that share a common directory database, security policies, and trust relationships. A domain can span multiple physical locations or sites and can contain millions of objects.

Example:
  mycompany.com

If an alternate UPN suffix is configured in Active Directory, the Domains field should also contain the alternate UPN suffix configured for the domain. For example, if myco is added as an alternate UPN suffix for mycompany.com, then the Domains field should contain both myco and mycompany.com.

Server URLs

The LDAP or LDAPS (secure LDAP) URL containing the domain controller IP address or FQDN. The default port for LDAP is 389. The default port for LDAPS is 636.

You can specify one or more LDAP or LDAPS server URLs.

Example:
  ldap://<Domain controller FQDN>:<port> (if not the default port) or
  ldaps://<Domain controller FQDN>:<port> (if not the default port)

If the authentication provider supports a multidomain forest, use the global catalog server IP and always specify the port number. The default port for LDAP is 3268. The default port for LDAPS is 3269.

Example:
  ldap(s)://<Global catalog server FQDN>:<port>

Manager DN

The Active Directory Bind user account that ECS uses to connect to the Active Directory or LDAP server. This account is used to search Active Directory when an ECS administrator specifies a user for role assignment.

This user account must have the Read all inetOrgPerson information permission in Active Directory. The inetOrgPerson object class is used in several non-Microsoft LDAP and X.500 directory services to represent people in an organization.

To set this privilege in Active Directory:

  1. Open Active Directory Users and Computers.
  2. Right-click the domain, select Delegate Control, and then click Next.
  3. In the Delegation of Control wizard, click Next, and then click Add.
  4. In the Select Users, Computers, or Groups dialog box, select the user that you are using for managerdn, and then click Next.
  5. In the Tasks to Delegate page, in Delegate the following common tasks, check the Read all inetOrgPerson information task, and then click Next.
  6. Click Finish.

In this example, CN=Manager,CN=Users,DC=mydomaincontroller,DC=com, the Active Directory Bind user is Manager, in the Users tree of the mydomaincontroller.com domain. Usually managerdn is a user who has fewer privileges than Administrator, but has sufficient privileges to query Active Directory for user attributes and group information.

Important: You must update this user account in ECS if the managerdn credentials change in Active Directory.

Manager Password

The password of the managerdn user.

Important: You must update this password in ECS if the managerdn credentials change in Active Directory.

Providers

This setting is Enabled by default when adding an authentication provider. ECS validates the connectivity of the enabled authentication provider and that the name and domain of the enabled authentication provider are unique.

Select Disabled only if you want to add the authentication provider to ECS, but you do not immediately want to use it for authentication. ECS does not validate the connectivity of a disabled authentication provider, but it does validate that the authentication provider name and domain are unique.

Group Attribute

This attribute applies only to Active Directory; it does not apply to other types of authentication providers.

The AD attribute that is used to identify a group. Used for searching the directory by groups.

Example:
  CN

NOTE After you set this attribute for an AD authentication provider, you cannot change it, because the tenants using this provider might already have role assignments and permissions configured with group names in a format that uses this attribute.

Group Whitelist

This setting applies only to Active Directory; it does not apply to other types of authentication providers.

Optional. One or more group names as defined by the authentication provider. This setting filters the group membership information that ECS retrieves about a user.

  • When a group or groups are included in the whitelist, ECS is aware only of a user's membership in the specified groups. Multiple values (one value on each line in the ECS Portal, and values comma-separated in CLI and API) and wildcards (for example MyGroup*,TopAdminUsers*) are allowed.
  • The default setting is blank. ECS is aware of all groups that a user belongs to. Asterisk (*) is the same as blank.

Example:

UserA belongs to Group1 and Group2.

If the whitelist is blank, ECS knows that UserA is a member of Group1 and Group2.

If the whitelist is Group1, ECS knows that UserA is a member of Group1, but does not know that UserA is a member of Group2 (or of any other group).

Use care when adding a whitelist value. For example, if you map a user to a namespace that is based on group membership, then ECS must be aware of the user's membership in the group.

To restrict access to a namespace to only users of certain groups, complete the following tasks.

  • Add the groups to the namespace user mapping. The namespace is configured to accept only users of these groups.
  • Add the groups to the whitelist. ECS is authorized to receive information about them.

By default, if no groups are added to the namespace user mapping, users from any groups are accepted, regardless of the whitelist configuration.
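The whitelist and namespace-mapping rules above, worked through as an added Python example (not ECS code). The group names and whitelist values are constructed from the guide's UserA example; how ECS itself compares names is not documented, so case-insensitive matching with `*` as the only wildcard is an assumption.

```python
import re
from typing import Iterable, List


def parse_whitelist(raw: str) -> List[str]:
    """Split a Group Whitelist value: comma-separated in the CLI/API,
    one value per line in the ECS Portal. Blank entries are dropped."""
    return [p.strip() for p in raw.replace("\n", ",").split(",") if p.strip()]


def _matches(group: str, pattern: str) -> bool:
    # Only '*' is a documented wildcard; every other character is literal.
    # Case-insensitive comparison is an assumption (AD group names are not
    # case-sensitive), not something the guide states.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, group, re.IGNORECASE) is not None


def visible_groups(user_groups: Iterable[str], whitelist: List[str]) -> List[str]:
    """Groups ECS becomes aware of for a user.
    A blank whitelist (or a bare '*') means every group the user belongs to;
    otherwise only the groups matching some whitelist entry are visible."""
    groups = list(user_groups)
    if not whitelist or whitelist == ["*"]:
        return groups
    return [g for g in groups if any(_matches(g, p) for p in whitelist)]


def namespace_allows(user_groups: Iterable[str], whitelist: List[str],
                     namespace_groups: List[str]) -> bool:
    """Namespace user mapping: with no mapped groups, any user is accepted
    regardless of the whitelist. With mapped groups, the user must belong to
    one of them AND that membership must be visible through the whitelist,
    which is the pitfall the guide warns about."""
    if not namespace_groups:
        return True
    seen = {g.lower() for g in visible_groups(user_groups, whitelist)}
    return any(g.lower() in seen for g in namespace_groups)


if __name__ == "__main__":
    # Constructed sample: UserA belongs to Group1 and Group2 (as in the guide).
    user_a = ["Group1", "Group2"]
    print(visible_groups(user_a, parse_whitelist("")))        # both groups
    print(visible_groups(user_a, parse_whitelist("Group1")))  # Group1 only
    # Namespace restricted to Group2 while the whitelist hides Group2: denied.
    print(namespace_allows(user_a, parse_whitelist("Group1"), ["Group2"]))
```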

Search Scope

The levels to search. Possible values are:
  • One Level (search for users one level under the search base)
  • Subtree (search the entire subtree under the search base)

Search Base

The Base Distinguished Name that ECS uses to search for users or AD groups at login time and when assigning roles or setting ACLs.

The following example searches for all users in the Users container.

CN=Users,DC=mydomaincontroller,DC=com

The following example searches for all users in the Users container in the myGroup organizational unit. Note that the structure of the search base value begins with the leaf level and goes up to the domain controller level, which is the reverse of the structure seen in the Active Directory Users and Computers snap-in.

CN=Users,OU=myGroup,DC=mydomaincontroller,DC=com

Search Filter

The string used to select subsets of users.

Example:
  userPrincipalName=%u

NOTE ECS does not validate this value when you add the authentication provider.

If an alternate UPN suffix is configured in Active Directory, the Search Filter value must be of the format sAMAccountName=%U, where %U is the username without the domain name.
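The %u and %U placeholders described above, filled in by an added Python illustration (not ECS code). The check that a typed suffix belongs to the provider's Domains (including alternate UPN suffixes) and the RFC 4515 escaping of the login name are assumptions added here; the guide does not describe how ECS itself builds the filter.

```python
import re
from typing import Iterable


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter, so a
    login such as 'a*)(cn=*' stays a literal value rather than filter syntax.
    Added defensive step; the guide does not say how ECS escapes the name."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def build_search_filter(template: str, login: str, domains: Iterable[str]) -> str:
    """Fill the Search Filter template for one login attempt.

    %u -> the login name as typed, e.g. userPrincipalName=%u
    %U -> the user part only, without the domain or UPN suffix; the guide
          requires sAMAccountName=%U when alternate UPN suffixes are in use."""
    known = {d.lower() for d in domains}
    user, sep, suffix = login.rpartition("@")
    if sep and suffix.lower() not in known:
        # Assumption: a suffix missing from the provider's Domains field cannot
        # be matched to this provider, so the attempt is rejected here.
        raise ValueError(f"suffix {suffix!r} is not a configured domain")
    if not sep:
        user = login  # no suffix typed at all
    result = template.replace("%U", escape_filter_value(user))
    return result.replace("%u", escape_filter_value(login))


if __name__ == "__main__":
    # Constructed sample matching the guide: mycompany.com plus alternate UPN myco.
    domains = ["mycompany.com", "myco"]
    print(build_search_filter("userPrincipalName=%u", "alice@mycompany.com", domains))
    print(build_search_filter("sAMAccountName=%U", "alice@myco", domains))
```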

Configuration settings for users using a combination of AD and LDAP authentication providers

NOTE These settings also apply to users who use custom LDAP search queries.
  1. Take a backup of /opt/storageos/conf/auth-head-conf.xml:
    viprexec -i -c 'cp /opt/storageos/conf/auth-head-conf.xml /opt/storageos/conf/auth-head-conf.xml.bak'
  2. Change the value of the property named switchToLdapFromAD from false to true:
    viprexec -i -c 'sed -i "s/\"switchToLdapFromAD\" value=\"false\"/\"switchToLdapFromAD\" value=\"true\"/" /opt/storageos/conf/auth-head-conf.xml'
  3. Restart objcontrolsvc on all nodes (the process is killed by the PID that pidof returns, then restarted after a 60 second pause):
    viprexec -i -c 'kill -9 $(pidof objcontrolsvc); sleep 60; objcontrolsvc'
