I. Overview
1. Version
Server Version | JAR Package | Multi-domain LDAP authentication plugin version |
---|---|---|
5.1.9 | 2021-01-06 | V1.0 |
2. Application scenarios
User information is stored in multiple LDAP authentication servers, and administrators can use this plugin in the decision-making platform to implement multi-domain LDAP authentication.
3. Function introduction
By installing the "Multi-Domain LDAP Authentication" plugin, you can connect to multiple AD domains at the same time for LDAP login authentication.
Note 1: Super administrators are not affected by LDAP authentication and still use the platform's built-in authentication.
Note 2: If there are users with the same username in different domains, they can log in to the decision-making platform using their respective passwords, but they need to share the same platform account.
Note 3: If "Multi-domain LDAP authentication" is configured and the plugin is disabled, it will automatically switch to "built-in authentication". After re-enabling the plugin, the "Multi-Domain LDAP Authentication" configuration remains.
II. Example
1. Plugin installation
Click to download the plugin:
Multi-domain LDAP Authentication.zip
Designer plugin installation method reference: Designer plugin management
Server installation plugin method refer to: Server plugin management
2. Configuring Multi-Domain LDAP Authentication
1) The administrator logs in to the decision-making platform and clicks Manage > User > Global Settings; after the plugin is installed, Multi-domain LDAP Authentication is listed as an available authentication method. As shown below:
2) Select Multi-domain LDAP Authentication as the authentication method.
Click the Add button, enter various parameters, and click the Test connection and save button to add an AD domain URL.
After all the additions are completed, click the Save button to exit the decision-making platform and log in again. As shown below:
The description of each parameter item in LDAP setting is shown in the following table:
Parameter item | Description |
---|---|
URL | The URL is the entry point for logging into the LDAP server. It consists of a domain name or IP address and a port number; the default port number is generally 389. The URL format is LDAP://<domain name or IP>:<port number> |
Retrieve Location | An LDAP server stores data in a tree structure. The platform enters the server through the URL and, after the user and password are authenticated, retrieves the relevant login information. The "retrieve location" is the location in the tree where the login information is stored. |
AUTH Method | Specifies the authentication type used by the LDAP directory server. Select it according to the configuration of the LDAP server; for the general authentication method, select "simple". |
Context | The class name of the initial context factory. Normally choose "com.sun.jndi.ldap.LdapCtxFactory" for an LDAP-server-based directory service. |
Referral | Select according to the configuration of the LDAP server; generally select "ignore". |
Username Suffix | A username suffix may or may not be added. If it is added, the corresponding domain name is appended automatically when logging in. For example, if there is a user named Alice@fanruan.com in the LDAP server and the username suffix is set to @fanruan.com, then the username in the decision-making platform is Alice, and the username entered when logging in to the decision-making platform is also Alice. |
Administrator name/password | The administrator name here does not refer to the administrator of the LDAP server, but to a user who has the right to search the LDAP server. Authentication is achieved by this user entering the LDAP server and retrieving login information from the retrieve location. Usually the "domain name/username" form is used for identification. Either "uid" or "cn" can be used, but generally do not write it as a full DN. |
3. Adding platform users
The LDAP server generally stores the employee list. If you want a user to log in to the platform using LDAP authentication, the platform must also contain a user with the same name, because platform operations such as binding mailboxes and assigning permissions are all based on the platform user object. When the corresponding platform user exists, enabling "multi-domain LDAP authentication" can be understood as only changing the password authentication of that platform user from the default built-in authentication to LDAP server authentication.
Click Manage> User > Add User, add user "test001", as shown in the following figure:
Note 1: When configuring "Add User" for multi-domain LDAP authentication, you do not need to configure a password.
Note 2: Synchronized users and imported/added users can choose different authentication methods respectively.
4. Effect View
The user enters the username and password stored in the LDAP server. If LDAP authentication succeeds in any one domain and the corresponding user exists among the platform users, the platform treats the authentication as successful and the user can enter the decision-making platform, then performs operations according to the permissions of that user in the platform. As shown below:
Synchronized platform users are authenticated against the LDAP domains configured for synchronized users. When such a user logs in, the platform traverses these domains one by one until authentication succeeds; if it reaches the end of the list without a success, the login fails.
Manually added/imported users are handled in the same way against the LDAP domains configured for built-in users, but that configuration takes effect separately from the one for synchronized users.
Note 1: If there are users with the same username in different domains, they can log in to the decision-making platform using their respective passwords, but they need to share the same platform account.
Note 2: If the entered username does not exist in the platform, or the corresponding platform user is disabled, or the platform user restriction is enabled and the user is not included, the platform does not communicate with the LDAP server and directly prompts "username or password error" or "user unavailable".
Note 3: If the LDAP authentication of a domain fails, users in that domain cannot log in to the decision-making platform, while users in other domains are not affected.
Note 4: The username stored in the LDAP server cannot use double-byte Japanese, Traditional Chinese or Korean characters. Otherwise, "username or password error" will be prompted when logging in to the platform.
The password stored in the LDAP server cannot use double-byte Japanese, Traditional Chinese, Simplified Chinese, or Korean characters. Otherwise, "username or password error" will be prompted when logging in to the platform.
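The login flow described in this section (platform user checked first, then the configured domains tried in order, with the username suffix from the parameter table appended at bind time), as an added illustration that is not the plugin's own code. Each domain is a constructed in-memory dictionary standing in for an LDAP directory, and `ldap_bind` stands in for the real simple bind; all URLs, accounts and passwords are constructed sample values.

```python
from dataclasses import dataclass, field

GENERIC_ERROR = "username or password error"
USER_UNAVAILABLE = "user unavailable"
BIND_ATTEMPTS = []  # records every (url, login name) bind the flow attempts


@dataclass
class Domain:
    url: str        # constructed, e.g. "LDAP://dc1.example.com:389"
    suffix: str     # username suffix appended at login, "" if none is set
    accounts: dict = field(default_factory=dict)  # stand-in for the directory


def ldap_bind(domain, login_name, password):
    """Stand-in for the simple bind; True only on an exact credential match."""
    BIND_ATTEMPTS.append((domain.url, login_name))
    return domain.accounts.get(login_name) == password


def authenticate(username, password, platform_users, domains):
    """Return (ok, message); platform_users maps username -> enabled flag."""
    # Platform account first: a missing or disabled account never reaches
    # LDAP and gets the same generic message as a bad password (Note 2).
    if username not in platform_users:
        return False, GENERIC_ERROR
    if not platform_users[username]:
        return False, USER_UNAVAILABLE
    # Double-byte characters are not supported in the stored username (Note 4).
    if not username.isascii():
        return False, GENERIC_ERROR
    # Traverse the domains in order; the first successful bind wins and a
    # domain that rejects the user does not block the others (Note 3).
    for d in domains:
        if ldap_bind(d, username + d.suffix, password):
            return True, "authenticated via " + d.url
    return False, GENERIC_ERROR


# Constructed configuration: two domains, one with a username suffix, and
# the same username "Alice" present in both with different passwords (Note 1).
DOMAINS = [
    Domain("LDAP://dc1.example.com:389", "@fanruan.com", {"Alice@fanruan.com": "pw-1"}),
    Domain("LDAP://dc2.example.com:389", "", {"Alice": "pw-2", "bob": "pw-b"}),
]
PLATFORM_USERS = {"Alice": True, "bob": True, "carol": False}

if __name__ == "__main__":
    for user, pw in [("Alice", "pw-1"), ("Alice", "pw-2"), ("bob", "x"), ("carol", "pw-c"), ("dave", "pw-d")]:
        print(user, authenticate(user, pw, PLATFORM_USERS, DOMAINS))
```

Running it shows that both of Alice's domain passwords open the single platform account, and that "dave", who has no platform account, adds nothing to `BIND_ATTEMPTS` because the LDAP servers are never contacted for him.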