About directory service authentication

You can use an external authentication directory service (also called an enterprise directory or authentication login domain) to provide a single sign-on for groups of users instead of maintaining individual local login accounts. Each user in a group is assigned the same role (for example, Infrastructure administrator). An example of an authentication directory service is a corporate directory that uses LDAP (Lightweight Directory Access Protocol).

After the directory service is configured, any user in the group can log in to the appliance. On the login window, a user:

  • Enters their user name (typically, the Common-Name attribute, CN).

    The format for the user name depends on the Directory type.

  • Enters their password.

  • Selects the authentication directory service.

In the Session control, the user is identified by their name preceded by the authentication directory service. For example:

CorpDir\pat

IMPORTANT:

Unlike local users, if a user is deleted from an authentication directory, their active sessions remain active until that user logs out.

If there is a change in the group-to-role assignment (including a deletion) for an authentication directory group while a user from that group is logged in, their current active session is not affected until they log out. Local users’ sessions are ended when such modifications are made.


Authenticating users

When you add an authentication directory service to the appliance, you provide location criteria so that the appliance can find the group.

Adding a directory server

If you replicate the authentication directory service for high availability or disaster tolerance, add the replicated directory service as a separate directory service.

After you add an authentication directory service and server

You can:

  • Allow local logins only, which is the default.

  • Allow both local logins and logins for user accounts authenticated by the directory service.

Considerations for configuring a Microsoft Active Directory directory service

  • The following maps the Active Directory attribute to the LDAP property:

    LDAP property        Active Directory attribute
    cn                   Common-Name
    uid                  UID
    userPrincipalName    User-Principal-Name
    sAMAccountName       SAM-Account-Name


    If the user name does not contain either an @ character (to denote a UPN) or a \ character (to denote a domain\login), then these logins are attempted in this order:

    1. The user name is treated as the sAMAccountName and the directory name is prepended (directory-name\user-name).

    2. The user name is treated as a UID.

    3. The user name is treated as a CN.

  • If a user object is created in the Active Directory Users and Computers Microsoft Management Console, the names default as follows.

    Specify the following components of the user’s name, displayed here with the corresponding attribute:

    User name component    Attribute
    First Name             givenName
    Initials               initial
    Last Name              sn


    The field labeled Full Name defaults to the following format, and this string is assigned to the cn attribute (Common Name):

    givenName initial. sn


    In the New Object – user dialog box, you are also required to specify a User logon name. This, in combination with the DNS domain name, becomes the userPrincipalName.

    The userPrincipalName is an alternative name that the user can use for logging in. It is in the form:

    LogonName@DNSDomain


    For example:

    JoeUser@exampledomain.example.com
    
  • Finally, as you enter the User logon name, the first twenty characters are automatically filled in the pre-Windows 2000 logon name field, which becomes the sAMAccountName attribute.

  • CN-logins for built-in Active Directory user accounts, like Administrator, are not accepted. Other login formats are acceptable if their respective attributes (sAMAccountName, userPrincipalName, and UID) are set properly.
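The following is an added example (not the appliance's or Microsoft's code) that models two things this page describes: the attribute defaults that Active Directory Users and Computers fills in for a new user object, and the order in which the appliance tries a typed user name against sAMAccountName, uid and cn. It runs against a constructed in-memory directory; the attribute name `initial` follows the table above, and the built-in account is constructed with a sAMAccountName that differs from its CN so that the CN rejection can be exercised.

```python
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, str]

def aduc_defaults(first: str, initial: str, last: str,
                  logon_name: str, dns_domain: str) -> Entry:
    """Attributes the ADUC New Object - User dialog fills in by default."""
    return {
        "givenName": first, "initial": initial, "sn": last,
        "cn": f"{first} {initial}. {last}",            # Full Name default
        "userPrincipalName": f"{logon_name}@{dns_domain}",
        "sAMAccountName": logon_name[:20],             # pre-Windows 2000 name
    }

def login_attempts(user_name: str, directory_name: str) -> List[Tuple[str, str]]:
    """Ordered (attribute, value) lookups for a name typed at the login window."""
    if "@" in user_name:                               # UPN form
        return [("userPrincipalName", user_name)]
    if "\\" in user_name:                              # domain\login form
        return [("sAMAccountName", user_name)]
    return [("sAMAccountName", f"{directory_name}\\{user_name}"),
            ("uid", user_name),
            ("cn", user_name)]

# Constructed sample directory: the user object ADUC would create from the
# page's example, plus a built-in account (constructed: its sAMAccountName is
# not equal to its CN, so a bare "Administrator" falls through to the cn lookup).
BUILTIN_CNS = {"Administrator"}
DIRECTORY: List[Entry] = [
    aduc_defaults("Joe", "Q", "User", "JoeUser", "exampledomain.example.com"),
    {"cn": "Administrator", "sAMAccountName": "admin"},
]

def resolve(user_name: str, directory_name: str,
            directory: List[Entry] = DIRECTORY) -> Optional[Tuple[str, Entry]]:
    """Try each lookup in order; return (attribute matched, entry) or None."""
    for attr, value in login_attempts(user_name, directory_name):
        if attr == "sAMAccountName":         # the domain prefix is not stored
            value = value.split("\\", 1)[1]  # on the object, so compare the login
        for entry in directory:
            if entry.get(attr) != value:
                continue
            if attr == "cn" and value in BUILTIN_CNS:
                return None                  # CN logins for built-ins refused
            return attr, entry
    return None
```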