You can use an external authentication directory service (also called an enterprise directory or authentication login domain) to provide a single sign-on for groups of users instead of maintaining individual local login accounts. Each user in a group is assigned the same role (for example, Infrastructure administrator). An example of an authentication directory service is a corporate directory that uses LDAP (Lightweight Directory Access Protocol).
After the directory service is configured, any user in the group can log in to the appliance. On the login window, a user:
In the Session control, the user is identified by their name preceded by the authentication directory service. For example:
CorpDir\pat
Authenticating users
When you add an authentication directory service to the appliance, you provide location criteria so that the appliance can find the group.
Adding a directory server
If you replicate the authentication directory service for high availability or disaster tolerance, add the replicated directory service as a separate directory service.
After you add an authentication directory service and server
Considerations for configuring a Microsoft Active Directory directory service
The following maps each Active Directory attribute to the corresponding LDAP property:

LDAP property         Active Directory attribute
cn                    Common-Name
uid                   UID
userPrincipalName     User-Principal-Name
sAMAccountName        SAM-Account-Name
If the user name does not contain either an @ character (to denote a UPN) or a \ character (to denote a domain\login), then these logins are attempted in this order:
If a user object is created in the Active Directory Users and Computers Microsoft Management Console, the names default as follows. Specify the following components of the user's name, displayed here with the corresponding attribute:
- The field labeled Full Name defaults to the format givenName.initials.sn, and this string is assigned to the cn attribute (Common Name).
- In the New Object – User dialog box, you are also required to specify a User logon name. This, in combination with the DNS domain name, becomes the userPrincipalName. The userPrincipalName is an alternative name that the user can use for logging in. It is in the form LogonName@DNSDomain, for example JoeUser@exampledomain.example.com.
- Finally, as you enter the User logon name, the first twenty characters are automatically filled in the pre-Windows 2000 logon name field, which becomes the sAMAccountName attribute.
- CN-logins for built-in Active Directory user accounts, like Administrator, are not accepted. Other login formats are acceptable if their respective attributes (sAMAccountName, userPrincipalName, and UID) are set properly.
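As an added example (not part of this documentation or the appliance's own code), the following Python classifies a login string by the @ (UPN) and \ (domain\login) rules above, maps it onto the attributes listed in the table, and escapes the value before placing it in an LDAP search filter so that a crafted login cannot widen the search. Using sAMAccountName for the domain\login form, and ORing all four attributes for an unqualified name (the excerpt does not give the attempt order), are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Attribute mapping from the page: LDAP property -> Active Directory attribute.
AD_ATTRIBUTES = {
    "cn": "Common-Name",
    "uid": "UID",
    "userPrincipalName": "User-Principal-Name",
    "sAMAccountName": "SAM-Account-Name",
}

# RFC 4515 escaping for values embedded in an LDAP filter. Without it a login such
# as "*)(cn=*" would be parsed as filter syntax instead of matched as a name.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

@dataclass
class Login:
    kind: str                    # "upn", "domain", or "plain"
    name: str                    # logon name without the domain qualifier
    domain: Optional[str] = None # only set for the domain\login form

def parse_login(user_name: str) -> Login:
    """Classify a login by the '@' (UPN) and '\\' (domain\\login) rules."""
    if "@" in user_name:
        return Login("upn", user_name)
    if "\\" in user_name:
        domain, _, name = user_name.partition("\\")
        return Login("domain", name, domain)
    return Login("plain", user_name)

def build_filter(login: Login) -> str:
    """Return the escaped LDAP search filter used to locate the user object."""
    if login.kind == "upn":
        return f"(userPrincipalName={ldap_escape(login.name)})"
    if login.kind == "domain":
        # Assumption: the pre-Windows 2000 logon name (sAMAccountName) is the
        # attribute behind the domain\login form.
        return f"(sAMAccountName={ldap_escape(login.name)})"
    # Unqualified name: the excerpt lists the candidate attributes but not their
    # order, so this example ORs all four (assumption).
    clauses = "".join(f"({a}={ldap_escape(login.name)})" for a in AD_ATTRIBUTES)
    return f"(|{clauses})"

if __name__ == "__main__":
    for sample in ("JoeUser@exampledomain.example.com", "CorpDir\\pat", "*)(cn=*"):
        print(sample, "->", build_filter(parse_login(sample)))  # constructed inputs
```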