User information is stored in multiple LDAP authentication servers, and administrators can use a plugin in the decision-making platform to implement multi-domain LDAP authentication.
By installing the "Multi-Domain LDAP Authentication" plugin, you can connect to multiple AD domains at the same time for LDAP login authentication.
Note 1: The super administrator is not affected by LDAP authentication and still uses the platform's built-in authentication.
Note 2: If users with the same username exist in different domains, each can log in to the decision-making platform with their own domain password, but they share the same platform account.
Note 3: If "Multi-domain LDAP authentication" is configured and the plugin is disabled, the platform automatically switches to "built-in authentication". After the plugin is re-enabled, the "Multi-Domain LDAP Authentication" configuration is retained.
Click to download the plugin:
Multi-domain LDAP Authentication.zip
For how to install a plugin in the designer, see: Designer plugin management
For how to install a plugin on the server, see: Server plugin management
1) The administrator logs in to the decision-making platform and clicks Manage > User > Global Settings; the Multi-domain LDAP Authentication method is now listed among the authentication methods. As shown below:
2) Select Multi-domain LDAP Authentication as the authentication method.
Click the Add button, enter the parameters, and click the Test connection and save button to add one AD domain URL. Repeat for each domain.
After all domains have been added, click the Save button, log out of the decision-making platform, and log in again. As shown below:
The description of each parameter item in LDAP setting is shown in the following table:
An LDAP server stores data in a tree structure. The platform connects to the server through its URL and, after the administrator account and password have been authenticated, retrieves the login information. The "retrieval location" (BaseDN) is the node of the tree under which that login information is stored.
Check "Do not retrieve location as BaseDN": only the root directory is written, and the subdirectories below it are searched automatically. This is slower.
Uncheck "Do not retrieve location as BaseDN": the full path from the root directory down to the subdirectory is written, so no search is needed and authentication is faster.
Specify the authentication type used by the LDAP directory server. Select it according to the configuration of the LDAP server; "simple" is the usual choice.
When the authentication type is "none", authentication is anonymous: the LDAP server does not verify the password, so a platform user can log in by entering any password.
When the authentication type is "simple", the password entered by the user is verified against the plain text password stored in the LDAP server.
Normally select "com.sun.jndi.ldap.LdapCtxFactory", the context factory for an LDAP-based directory service.
The username suffix is optional. If it is set, the corresponding domain name is appended to the username automatically when the user logs in.
For example, a user named Alice@fanruan.com exists in the LDAP server, and the username suffix is set to @fanruan.com.
Then the username in the decision-making platform is Alice, and the user also enters Alice when logging in to the decision-making platform.
The administrator name here is not the administrator of the LDAP server but a user that has the right to search the LDAP server. Authentication works by this user binding to the LDAP server and retrieving the login information from the retrieval location.
Usually the "domain name/username" form is used for identification. Either "uid" or "cn" can be used, but the full DN form is generally not used.
If the "Administrator name" is not an LDAP server administrator but an ordinary user that has been granted search permission in the LDAP server, it must be written in the "username + domain name" form. For example, if the user is "ldap" and the "retrieve location" is "DC=test,DC=com", the administrator name is "ldap@test.com".
If the "administrator name" is the LDAP server administrator, enter the name directly, for example "administrator" in the example above.
The LDAP server generally stores the organization's employee list. For a user to log in to the platform with LDAP authentication, the platform must also contain a user with the same name, because platform operations such as binding mailboxes and assigning permissions are all based on platform user objects. When the corresponding platform user exists, enabling "multi-domain LDAP authentication" only changes the password check for that platform user from the default built-in authentication to authentication by the LDAP server.
Click Manage> User > Add User, add user "test001", as shown in the following figure:
Note 1: When adding a user for multi-domain LDAP authentication, you do not need to set a password.
Note 2: Synchronized users and imported/added users can be assigned different authentication methods.
The user enters the username and password stored in the LDAP server. If LDAP authentication succeeds in any one domain and the corresponding user exists among the platform users, the platform treats the login as successful, lets the user into the decision-making platform, and applies the permissions of that platform user. As shown below:
For synchronized platform users, the configured synchronized LDAP domains apply. When such a user logs in, the domains are tried one by one until authentication succeeds; if every domain has been tried without success, the login fails.
Manually added or imported users are handled the same way against the configured built-in LDAP domains, which take effect independently of the synchronized LDAP domain configuration.
Note 1: If there are users with the same username in different domains, they can log in to the decision-making platform using their respective passwords, but they need to share the same platform account.
Note 2: If the entered username does not exist in the platform, the corresponding platform user is disabled, or platform user restriction is enabled and the user is not included, the platform does not contact the LDAP server at all and directly reports "username or password error" or "user unavailable".
Note 3: If LDAP authentication in one domain fails, users of that domain cannot log in to the decision-making platform; users of other domains are not affected.
Note 4: The username stored in the LDAP server cannot use double-byte Japanese, Traditional Chinese or Korean characters. Otherwise, "username or password error" will be prompted when logging in to the platform.
The password stored in the LDAP server cannot use double-byte Japanese, Traditional Chinese, Simplified Chinese, or Korean characters. Otherwise, "username or password error" will be prompted when logging in to the platform.
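The login flow above (platform check first, then each configured domain in turn, with the "none" authentication type accepting any password) is illustrated here with a small simulation. This is an added example, not the plugin's own code; the Domain fields, the fake directory data and the audit_domains check are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Domain:
    url: str                 # ldap:// or ldaps:// URL entered for the AD domain
    auth_type: str           # "simple" (password verified) or "none" (anonymous)
    user_suffix: str = ""    # e.g. "@test.com", appended to the login name
    # constructed stand-in for the directory contents: bind name -> password
    passwords: dict = field(default_factory=dict)

# constructed platform user list: name -> enabled flag
PLATFORM_USERS = {"test001": True, "bob": False}

BIND_LOG = []  # every (url, bind_name) the simulated platform sent to a server

def fake_bind(domain, bind_name, password):
    """Stand-in for an LDAP bind against one domain."""
    BIND_LOG.append((domain.url, bind_name))
    if domain.auth_type == "none":
        # anonymous authentication: the server never verifies the password
        return bind_name in domain.passwords
    return domain.passwords.get(bind_name) == password

def login(username, password, domains):
    """Multi-domain login as described: platform check, then each domain in order."""
    if username not in PLATFORM_USERS:
        return "username or password error"   # no LDAP traffic for unknown users
    if not PLATFORM_USERS[username]:
        return "user unavailable"             # disabled platform user, no LDAP traffic
    for d in domains:
        if fake_bind(d, username + d.user_suffix, password):
            return "ok"                       # first domain that accepts the password wins
    return "username or password error"       # every domain rejected the credentials

def audit_domains(domains):
    """Flag domain settings a defender should reject before enabling the plugin."""
    findings = []
    for d in domains:
        if d.auth_type == "none":
            findings.append(f"{d.url}: auth type 'none' accepts any password")
        if not d.url.lower().startswith("ldaps://"):
            findings.append(f"{d.url}: simple bind sends the password in clear text without ldaps://")
    return findings

# constructed configurations: two sound domains and one weak one
DOMAINS = [
    Domain("ldaps://dc1.example.test", "simple", "@example.test", {"test001@example.test": "pw-a"}),
    Domain("ldaps://dc2.example.test", "simple", "@corp.test", {"test001@corp.test": "pw-b"}),
]
WEAK = [Domain("ldap://dc3.example.test", "none", "", {"test001": "ignored"})]
```

The same platform account "test001" logs in with either domain's password, and the weak domain lets it in with any password, which is why audit_domains reports it.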