LDAP Authentication Parameter Description

This section describes the parameters required for configuring remote LDAP authentication. For the actual parameter values, contact the LDAP server maintenance personnel.

Table 1 Basic Information parameters

| Parameter | Description | Example |
|---|---|---|
| Master server address type | Address type of the active LDAP server. The options are IPv4, IPv6, and Domain name. NOTE: If the address type of the active LDAP server is set to Domain name, you need to configure a DNS server in advance. | IPv4 |
| Master server address | Address of the active LDAP server. | 192.168.0.5 |
| Master server port | Port number of the active LDAP server. The value range is 1 to 65535. | 389 |
| Standby server address type | Address type of the standby LDAP server. The options are IPv4, IPv6, and Domain name. | IPv4 |
| Standby server address | Address of the standby LDAP server. A maximum of four standby servers can be configured for LDAP authentication. | 192.168.0.10 |
| Standby server port | Port number of the standby LDAP server. The value range is 1 to 65535. | 389 |
| Enable TLS | Whether to enable TLS for communication between the system server and the LDAP server. By default, TLS is enabled. | - |
| TLS version | TLS protocol version used for secure communication. Currently, only TLS v1.2 is supported. | TLS v1.2 |

Table 2 User authentication mode parameters

| Parameter | Description | Example |
|---|---|---|
| User authentication mode | Mode in which the LDAP server authenticates users. The options are Fixed user, Login user DN, and Email address. | Fixed user |

Parameters for the Fixed user mode:

| Parameter | Description | Example |
|---|---|---|
| Administrator DN | Distinguished name (DN) of the entry that stores administrator information in the LDAP directory. | CN=UserName, CN=Users, DC=test, DC=com |
| Administrator password | Password corresponding to the administrator DN. | - |
| Query syntax | Filter criteria that restrict the range of users. After the query criteria are set, only remote users who meet them can log in to the service plane. NOTE: You are advised to set filter criteria for querying users. The number of remote users meeting the query criteria cannot exceed 1000. You are advised not to use sensitive data as filter criteria, because the LDAP server protects sensitive data and does not allow it to be queried by external systems. | (&(objectClass=user)(memberof= CN=example, dc=com)) |

Parameters for the Login user DN mode:

| Parameter | Description | Example |
|---|---|---|
| User DN prefix | Characters in front of the username in the DN of a logged-in user. NOTE: Take CN=%s, DC=test, DC=com as an example, where %s indicates the user. The DN prefix is CN=. | CN= |
| User DN suffix | Characters following the username in the DN of a logged-in user. NOTE: Take CN=%s, DC=test, DC=com as an example, where %s indicates the user. The DN suffix is , DC=test, DC=com. | , DC=test, DC=com |
| Query syntax | Filter criteria that restrict the range of users. After the filter criteria are set, only remote users who meet them can log in to the service plane. NOTE: You are advised to set filter criteria for querying users. The number of remote users meeting the query criteria cannot exceed 1000. You are advised not to use sensitive data as filter criteria, because the LDAP server protects sensitive data and does not allow it to be queried by external systems. | (&(objectClass=user)(memberof= CN=example, dc=com)) |

Parameters for the Email address mode:

| Parameter | Description | Example |
|---|---|---|
| Domain name | Email address of a user on a Windows AD server. The domain user can serve as the username for login. For example, if Domain name is set to %s@example.com and s@example.com is a domain account on the AD server, the domain user can enter s in Username to log in to the service plane. | %s@example.com |
| Query syntax | Filter criteria that restrict the range of users. After the filter criteria are set, only remote users who meet them can log in to the service plane. NOTE: You are advised to set filter criteria for querying users. The number of remote users meeting the query criteria cannot exceed 1000. You are advised not to use sensitive data as filter criteria, because the LDAP server protects sensitive data and does not allow it to be queried by external systems. | (&(objectClass=user)(memberof= CN=example, dc=com)) |

The differences between Fixed user, Login user DN, and Email address are as follows:

- In Fixed user mode, remote user groups can be synchronized. Therefore, you need to obtain the DN and password of the LDAP server administrator. In Login user DN or Email address mode, remote user group information cannot be synchronized.
- In Fixed user mode, you can locally disable remote users who have been deleted from the remote server. In Login user DN or Email address mode, the system does not support this function.
Table 3 User Attributes parameters

| Parameter | Description | Example |
|---|---|---|
| User base DN | Base DN used for querying a user. | DC=test, DC=com |
| User object class name | Class name of a user in the LDAP server schema. | user |
| Unique user ID | Keyword of a user in the corresponding LDAP server schema. | sAMAccountName |
| User full name attribute name | Full name attribute name of a user in the corresponding LDAP server schema. | name |
| User description attribute name | Description attribute name of a user in the corresponding LDAP server schema. | description |
| User country or region code | Country/region code attribute name of a user in the corresponding LDAP server schema. | +86 |
| User mobile number | Mobile number attribute name of a user in the corresponding LDAP server schema. | mobile |
| User mobile number format | Mobile number format attribute name of a user in the corresponding LDAP server schema. | Mobile number |
| User's user group attribute name | User group attribute name of a user in the corresponding LDAP server schema. NOTE: When Windows AD is configured on the LDAP server, the correct user groups can be returned only after User group member attribute name in User Group Attributes is set. | memberOf |
| ServerInfo | Server information used to filter the binding relationship between a user and the user's user group. | - |
| User's user group separator | Separator between the user groups to which remote users belong. The value is obtained from the remote server. If this parameter is not set, or there is only one user group on the remote server, you can set this parameter to a special character that is not allowed in the remote user group name, such as a semicolon (;), exclamation mark (!), or colon (:). | , |

Table 4 User Group Attributes parameters

| Parameter | Description | Example |
|---|---|---|
| User group base DN | Base DN used for querying a user group. | OU=usergroup, DC=test, DC=com |
| User group object class name | Class name of a user group in the corresponding LDAP server schema. | group |
| Unique user group ID | Keyword of a user group in the corresponding LDAP server schema. | name |
| User group member attribute name | User attribute name of a user group in the corresponding LDAP server schema. NOTE: When Windows AD is configured on the LDAP server, the correct user groups can be returned only after this parameter is set. | member |
| User group description attribute name | Description attribute name of a user group in the corresponding LDAP server schema. | description |

Table 5 User-to-User Group Bindings parameters

| Parameter | Description | Example |
|---|---|---|
| Use locally stored bindings | When a remote user logs in to iMaster NCE-Campus, the remote user belongs to the locally bound role if this parameter is selected. | - |
| Use remotely stored bindings | When a remote user logs in to the service plane, the user belongs to the user group bound on the remote server. If the remote user group has a local role with the same name and no mapping between the remote user group and the local role is configured, the remote user is automatically bound to the local role with the same name. If the remote user group has no local role with the same name, you need to configure the mapping between the remote user group and the local role; after the mapping is configured, the remote user is bound to the local role mapped to the remote user group. If this parameter is not set, the remote user loses the authorization of the user group. NOTE: User group names on the LDAP server cannot contain the value of User's user group separator and must meet the naming rule for Role. | - |

Table 6 Other parameters

| Parameter | Description | Example |
|---|---|---|
| Local user authentication | If Local user authentication is selected for LDAP authentication, local users and third-party users are authenticated locally, and remote users are authenticated on the remote server. NOTE: In this case, a remote user with the same username as a local user cannot log in. You are not advised to create a remote user with the same username as a user in the local system. If Local user authentication is not selected for LDAP authentication, the system administrator user is authenticated locally, and third-party users and remote users are authenticated on the remote server. NOTE: If Local user authentication is not selected and the username of a user on the remote server is the same as the name of a created local user, the following applies. NOTICE: If the attributes of a user with the same username change, the user may fail to log in to the system or the user's permissions may change; therefore, you are not advised to create a remote user with the same username as an existing user in the system. After the user on the remote server logs in to the system through the login page, the type of the created local user is changed to remote user. After the user on the remote server logs in to the system by calling an interface, the user type of the created local user or remote user is changed to third-party user. | - |
| User management | If User management is selected for LDAP authentication, system administrators can manage local users, third-party users, and remote users. If User management is not selected, the following applies: if Local user authentication is enabled for LDAP authentication, system administrators can manage local users and perform certain operations on third-party users and remote users, such as creating, querying, exporting, and modifying them; if Local user authentication is not enabled for LDAP authentication, system administrators can only query and modify users. | - |
| Allow ungrouped users to log in | If Allow ungrouped users to log in is selected, remote users who are not bound to user groups can log in to iMaster NCE-Campus. If it is not selected, remote users who are not bound to user groups cannot log in to iMaster NCE-Campus. | - |
| Disable users who are synchronized remotely but do not exist at the remote end | If this parameter is selected and LDAP authentication is enabled, the system can disable remote users who have been synchronized to iMaster NCE-Campus and then deleted from the LDAP server. If it is not selected, the system does not disable such users. | - |
| Report server exception alarm | If this parameter is enabled, the system checks the connection to the LDAP server at the Server check interval. If the connection fails, the system immediately reports an alarm. | - |
| Server check interval | After LDAP authentication is enabled, the system checks the connection to the active and standby LDAP servers at the interval specified by this parameter. | 5 |
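As an added example that is not part of this documentation or the product's own code: the Python below shows how the User DN prefix/suffix and the Domain name template from Table 2 become the identity presented to the LDAP server, how the configured Query syntax is combined with a lookup on the Unique user ID from Table 3, and how group names are taken from memberOf values. The function names and the RFC 4514/4515 escaping helpers are my assumptions; the defaults reuse the example values from the tables.

```python
# Added example: assembling the bind identity and search filter from the
# configured LDAP parameters. Function names are assumptions, not product code.
import re

def escape_dn_value(value: str) -> str:
    """Escape a username before placing it inside a DN (RFC 4514)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):          # a leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):              # a trailing space must be escaped
        out = out[:-1] + "\\ "
    return out

def escape_filter_value(value: str) -> str:
    """Escape a value used inside a search filter assertion (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)

def bind_identity(mode, username, prefix="CN=", suffix=", DC=test, DC=com",
                  domain="%s@example.com"):
    """Identity sent to the LDAP server for the two per-user bind modes."""
    if mode == "Login user DN":
        return prefix + escape_dn_value(username) + suffix
    if mode == "Email address":
        # UPN-style logins take a plain account name; refuse anything else
        if not re.fullmatch(r"[A-Za-z0-9._-]+", username):
            raise ValueError("username contains characters not valid in a UPN")
        return domain.replace("%s", username)
    raise ValueError(f"unsupported mode: {mode}")

def user_search_filter(uid_attr, username, query_syntax=None):
    """Combine the configured Query syntax with a lookup on the unique user ID."""
    user = f"({uid_attr}={escape_filter_value(username)})"
    return f"(&{query_syntax}{user})" if query_syntax else user

def group_names(member_of_values):
    """Group names (first RDN value) from memberOf DNs returned by AD.
    Assumes the group RDN itself contains no escaped commas."""
    return [v.split(",", 1)[0].split("=", 1)[1] for v in member_of_values]

if __name__ == "__main__":
    print(bind_identity("Login user DN", "smith, john"))
    print(user_search_filter("sAMAccountName", "ali*ce",
                             "(&(objectClass=user)(memberof=CN=example,dc=com))"))
    print(group_names(["CN=Admins,OU=usergroup,DC=test,DC=com"]))
```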