AD Authentication
Version: ZStack 3.8.0
Issue: V3.8.0
in Enterprise Management Tutorial
AD Authentication / Copyright Statement
Copyright Statement
Copyright © 2020 Shanghai Yunzhou Information and Technology Ltd. All rights reserved.
Without its written consent, no organization or individual may extract or copy any part or all of
the contents of this documentation, or disseminate them in any manner.
Trademark
Shanghai Yunzhou Information and Technology Ltd. reserves all rights to its trademarks, including,
but not limited to, ZStack and the other trademarks associated with Shanghai Yunzhou Information
and Technology Ltd.
Other trademarks or registered trademarks presented in this documentation are owned or
controlled solely by their proprietors.
Notice
The products, services, or features that you purchased are subject to the commercial contract
and terms of Shanghai Yunzhou Information and Technology Ltd.; some or all of the products,
services, or features described in this documentation may not be within the scope of your
purchase or use.
Unless otherwise agreed, Shanghai Yunzhou Information and Technology Ltd. makes no implicit or
explicit statement or warranty regarding the contents of this documentation.
In the event of product version upgrades or for other reasons, the contents of this documentation
will be updated and released irregularly. Unless otherwise agreed, this documentation is intended
solely as a user manual and makes no implicit or explicit warranty regarding any of its
statements, information, or suggestions.
Contents
Copyright Statement
1 Introduction
2 Preparations
3 Add an AD Server
4 3rd Party User Login
Glossary
1 Introduction
The 3rd Party Authentication service integrates 3rd party login authentication systems with the
platform. Once an authentication source is added, its users can log in to the platform and use
cloud resources directly. Currently, you can add an AD server or an LDAP server to the platform.
• AD Authentication:
Active Directory (AD) is a directory service that runs on Windows Server (Standard, Enterprise,
and Datacenter editions). The AD service provides a centralized, standards-based login
authentication system for the increasingly diverse set of enterprise applications.
After an AD server is added, the related AD users and organizations can be synchronized to
the platform. These AD users then log in to the platform with their existing accounts and
passwords, using the attribute configured as the login attribute as their account name.
2 Preparations
Before you add an AD server, make the following preparations:
• Make the AD server ready. You can configure a primary and a secondary AD server; the platform
switches seamlessly between them.
• Install the latest version of ZStack.
• The 3rd Party Authentication function depends on the Enterprise Management module. Make
sure that the related license is available.
3 Add an AD Server
Context
The basic steps to add an AD server are as follows:
1. Configure the AD server: Set basic information and configuration information about the AD
server.
2. Synchronize mapping rules: Set the login attribute, and the user/organization mapping between
AD and the platform.
3. Confirm and submit the configurations: Check the configured information about the AD
server. Note that you can go back to the previous step by clicking the Edit icon to modify the
configurations.
The following is an example of adding an AD server to the platform.
Table 3-1: AD server configuration
Parameter                  Example Value
Primary Server IP/Domain   172.20.198.187
SSL/TLS Encryption         Supported
Primary Port               636
Base DN                    dc=adtest,dc=zs
User DN                    CN=Administrator,CN=Users,DC=adtest,DC=zs
Password                   password
Filter Rule                (&(name=filterName)(description=departure))
Table 3-2: User mapping rule
Platform Parameter   AD Parameter
Login Attribute      cn
User Name            cn
Name                 name
Phone Number         telephoneNumber
Mail                 mail
Identifier           employeeID
Description          description
Table 3-3: Organization mapping rule
Platform Parameter   AD Parameter
Mapping Type         Group
Name                 cn
Description          description
Procedure
1. Configure the AD server: Configure basic information about the AD server.
a) In the left-side pane of ZStack Private Cloud, choose Advanced Function > Enterprise
Management > 3rd Party Authentication.
b) Click Add AD/LDAP Server.
c) In the Server Type field, select AD.
d) Configure the following parameters:
• Basic Information
▬ Name: Enter a name for the AD server.
▬ Description: Optional. Enter the description of the AD server.
▬ Primary Server IP/Domain: Enter the IP address or domain name of the primary
server.
▬ SSL/TLS Encryption: Specify whether to enable SSL/TLS encryption. The checkbox
is selected by default.
■ When selected, SSL/TLS encryption is enabled and the port number defaults to 636
(LDAPS). You can customize the port number as needed.
■ When deselected, SSL/TLS encryption is disabled and the port number defaults to 389.
You can customize the port number as needed. Without SSL/TLS, the bind password of the
user DN and every synchronized attribute cross the network in cleartext, so keep
encryption enabled unless the AD server cannot offer it.
▬ Primary Port: Enter the port number of the primary server.
▬ Secondary Server IP/Domain: Optional. Enter the IP address or domain name of the
secondary server.
▬ Secondary Port: Optional. Enter the port number of the secondary server.
• Configuration
▬ Base DN: Enter the base DN. It is the point in the directory tree from which the
platform searches for AD users and AD organizations.
▬ User DN: Enter the user DN, that is, the distinguished name of the account the
platform binds with to search all users under the base DN. The account only needs read
access to those objects, so use a dedicated, least-privilege service account rather than
a domain administrator such as the one in the example above.
▬ Password: Enter the password of the account specified by the user DN.
▬ Filter Rule: Set the filter rule that selects which entries under the base DN are
synchronized. Only entries matching the filter are synchronized.
Note:
• The maximum length of the filter rule is determined by the AD server configuration. A
filter rule longer than the allowed length is invalid.
• The filter rule uses the standard LDAP search filter syntax (RFC 4515) as accepted by
AD. For example, the filter rule (&(name=Bob)(description=departure)) selects the user
or users under the base DN whose name is Bob and whose description is departure. For
more information about the AD filter syntax, see the Microsoft documentation.
▬ Test Connection: Test the connection between the AD server and the platform.
■ If the connection succeeds, click Next for further steps.
■ If the connection fails, modify the configuration and test the connection again until
the connection succeeds.
■ You can also skip Test Connection and directly click Next. The system will test
the connection automatically and go to the next step if the connection succeeds.
As shown in Figure 3-1: Configure AD server.
Figure 3-1: Configure AD server
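The following added example is not part of the original documentation or of ZStack's code. It shows what a filter rule of this syntax actually selects by evaluating it against a few constructed entries under dc=adtest,dc=zs, and why a value that comes from user input (for example, the login attribute value typed at login) must be escaped per RFC 4515 before it is placed in a filter: an unescaped '*' turns a lookup for one user into a match for every user under the base DN. The lookup_login helper, the sample entries, and the rule that the login lookup is AND-ed with the configured filter rule are assumptions made for the example; the parser covers the and, or, not, equality, presence and substring filters found in typical rules, not the full RFC 4515 grammar.

```python
"""Added example, not ZStack's code: evaluate AD/LDAP filters on constructed entries; escape per RFC 4515."""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value: str) -> str:
    """Escape a string so a filter matches it literally (no wildcards, no new items)."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)

def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text: str):
    """Parse a filter into a tuple tree: ('&'|'|', [children]), ('!', child),
    ('=*', attr) for presence, ('=', attr, parts) with parts split on '*'."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != '(':
            raise ValueError(f'expected "(" at offset {pos}')
        pos += 1
        op = text[pos]
        if op in '&|':
            pos += 1
            children = []
            while text[pos] == '(':
                children.append(parse())
            node = (op, children)
        elif op == '!':
            pos += 1
            node = ('!', parse())
        else:
            end = text.index(')', pos)  # a literal ')' inside a value is escaped as \29
            attr, eq, val = text[pos:end].partition('=')
            if not attr or not eq:
                raise ValueError(f'malformed item at offset {pos}')
            pos = end
            if val == '*':
                node = ('=*', attr.lower())
            else:
                node = ('=', attr.lower(), [_unescape(p) for p in val.split('*')])
        if text[pos] != ')':
            raise ValueError(f'expected ")" at offset {pos}')
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError('trailing characters after the filter')
    return node

def _match_value(parts, actual: str) -> bool:
    """Match a value against pattern pieces; AD string attributes compare case-insensitively."""
    a, parts = actual.lower(), [p.lower() for p in parts]
    if len(parts) == 1:
        return a == parts[0]
    if not a.startswith(parts[0]) or not a.endswith(parts[-1]):
        return False
    i = len(parts[0])
    for mid in parts[1:-1]:
        j = a.find(mid, i)
        if j < 0:
            return False
        i = j + len(mid)
    return i <= len(a) - len(parts[-1])

def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry ({attribute: [values]})."""
    op = node[0]
    if op == '&':
        return all(matches(c, entry) for c in node[1])
    if op == '|':
        return any(matches(c, entry) for c in node[1])
    if op == '!':
        return not matches(node[1], entry)
    values = entry.get(node[1], [])
    if op == '=*':
        return bool(values)
    return any(_match_value(node[2], v) for v in values)

def search(entries: dict, filter_text: str) -> list:
    """DNs under the base DN that the filter selects, i.e. what the platform would synchronize."""
    node = parse_filter(filter_text)
    return [dn for dn, attrs in entries.items() if matches(node, attrs)]

def lookup_login(entries: dict, login_value: str, safe: bool = True) -> list:
    """Hypothetical login lookup on cn AND-ed with the filter rule; 'safe' escapes the typed value."""
    v = escape_filter_value(login_value) if safe else login_value
    return search(entries, f'(&(cn={v})(description=departure))')

# Constructed sample entries (not real data) under the base DN dc=adtest,dc=zs.
ENTRIES = {
    'CN=Bob,CN=Users,DC=adtest,DC=zs': {'cn': ['Bob'], 'name': ['Bob'],
        'description': ['departure'], 'mail': ['bob@adtest.zs'], 'employeeid': ['001']},
    'CN=Tom,CN=Users,DC=adtest,DC=zs': {'cn': ['Tom'], 'name': ['Tom'],
        'description': ['senior developer'], 'employeeid': ['002']},
    'CN=Alice,OU=Dev,DC=adtest,DC=zs': {'cn': ['Alice'], 'name': ['Alice'],
        'description': ['departure']},
}
```

Running search(ENTRIES, '(&(name=Bob)(description=departure))') returns only Bob's DN, which is what the filter rule in the note selects. lookup_login(ENTRIES, '*', safe=False) returns both Bob and Alice, because the unescaped asterisk became a presence match on cn; with escaping the same input becomes the literal value \2a and matches nobody.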
2. Synchronize mapping rules: Set the login attribute, and the user/organization mapping between
AD and the platform.
Configure the following parameters:
• Login Attribute (for AD Authentication): Set the login attribute. It determines which AD
attribute a synchronized user's platform account name is taken from, and therefore what the
user enters as the account name when logging in to the platform.
For example, if cn is mapped as the login attribute, the synchronized AD user logs in to the
platform with the value of cn in AD (for example, Bob).
• User Mapping: Set the user mapping between AD and the platform.
▬ User Name: Set the mapping of the user name between AD and the platform.
For example, if cn is mapped as the user name, the synchronized AD user's user name in the
platform is the value of cn in AD (for example, Bob).
Note:
• The user name in the platform must be unique.
• If the user name is identical to an existing one, a random code is appended to the
synchronized AD user's user name.
▬ Name: Set the mapping of the name between AD and the platform.
For example, if name is mapped as the name, the synchronized AD user's name in the
platform is the value of name in AD (for example, Tom).
▬ Phone Number: Optional. Set the mapping of the phone number between AD and the
platform.
For example, if telephoneNumber is mapped as the phone number, the synchronized AD
user's phone number in the platform is the value of telephoneNumber in AD (for example,
13800000000).
▬ Mail: Optional. Set the mapping of the email address between AD and the platform.
For example, if mail is mapped as the email address, the synchronized AD user's email
address in the platform is the value of mail in AD (for example, [email protected]).
▬ Identifier: Optional. Set the mapping of the identifier between AD and the platform.
For example, if employeeID is mapped as the identifier, the synchronized AD user's
identifier in the platform is the value of employeeID in AD (for example, 001).
▬ Description: Optional. Set the mapping of the description between AD and the platform.
For example, if description is mapped as the description, the synchronized AD user's
description in the platform is the value of description in AD (for example, senior
developer).
▬ Custom Attributes: Customize the user attributes. You can add up to 5 custom
attributes at one time.
Examples:
• System User Attribute: Set the system user attribute. It may duplicate one of the
attributes mapped above.
For example, if employeeID is mapped as the system user attribute, the synchronized
AD user's system user attribute in the platform is the value of employeeID in AD (for
example, 001).
• AD/LDAP User Attribute: Set the AD user attribute.
For example, if cn is mapped as the AD user attribute, the synchronized AD user's AD
user attribute in the platform is the value of cn in AD (for example, Bob).
• Organization Mapping: Set the organization mapping between AD and the platform. The
AD organizations under the base DN can be synchronized to the platform by Group or by
OU.
▬ Synchronize Organization Mapping: Specify whether to synchronize organizations
according to the organization mapping rule. This checkbox is deselected by default.
■ When deselected, AD organizations are not synchronized to the platform when the
AD server is added.
■ When selected, the AD organizations under the base DN are synchronized to the
platform.
▬ Mapping Type: Select the organization mapping type.
■ Group: AD groups under the base DN are treated as organizations and synchronized
to the platform. (Recommended)
■ OU: Organizational units (OUs) under the base DN are treated as organizations and
synchronized to the platform.
▬ Name: Set the mapping of the organization name between AD and the platform.
For example, if cn is mapped as the organization name, the synchronized AD
organization's name in the platform is the value of cn in AD (for example, development
department).
▬ Description: Optional. Set the mapping of the organization description between AD and
the platform.
For example, if description is mapped as the organization description, the synchronized
AD organization's description in the platform is the value of description in AD (for
example, backend development department).
• Next: Click Next. The system then tests the configurations automatically and synchronizes
the mapping rule if the test succeeds.
▬ If the test fails, modify the configurations and click Next to run the test again until it
succeeds.
As shown in Figure 3-2: Synchronize mapping rules.
Figure 3-2: Synchronize mapping rules
3. Confirm and submit the configurations.
Check the configured information about the AD server. Note that you can go back to the
previous step by clicking the Edit icon to modify the configurations.
As shown in Figure 3-3: Confirm and submit.
Figure 3-3: Confirm and submit
What's next
• After the AD server is added, the admin, platform admin, and platform members can view the
synchronized users and organizations.
As shown in Figure 3-4: 3rd Party Users and Figure 3-5: Organization.
Figure 3-4: 3rd Party Users
Figure 3-5: Organization
• The admin, platform admin, and platform members can perform the following operations on the
AD server:
▬ Test Connection: Test the connection between the AD server and the platform.
If the connection fails, troubleshoot according to the following possible causes:
• The AD server cannot be reached on the configured IP address and port. Check whether
the AD server is available and whether its IP address or port has changed.
• The bind with the user DN and password failed. Check that the user DN is correct and
that the password is the current one for that account.
▬ Modify Synchronized Mapping Rule: Modify the synchronized user mapping rule and the
organization mapping rule.
■ The modified mapping rule takes effect the next time the AD server is synchronized.
■ You can click Synchronize or enable Auto Synchronize to trigger the AD server
synchronization.
▬ Synchronize: Synchronize the AD server.
■ If enabled, the latest user list and organizations are synchronized.
■ After synchronization, users that no longer exist in AD are put in the deleted state and
can no longer log in to the platform.
▬ Delete: Delete the AD server.
■ If you delete the AD server, the corresponding users and organizations are also
deleted. Please exercise caution.
▬ Modify Configuration: Modify the configurations, including the base DN, user DN,
password, and filter rule.
■ If the configurations are modified, the AD server is updated according to the latest
configurations. Please exercise caution.
■ The modified configurations take effect the next time the AD server is synchronized.
■ You can click Synchronize or enable Auto Synchronize to trigger the AD server
synchronization.
■ After synchronization, users that no longer exist in AD (or that the new filter rule no
longer selects) are put in the deleted state and can no longer log in to the platform.
As shown in Figure 3-6: Modify Configuration.
Figure 3-6: Modify Configuration
▬ Auto Synchronize: Automatically synchronize the latest user list and organizations
according to the specified synchronization cycle.
■ If enabled, the latest user list and organizations are synchronized according to the
specified synchronization cycle.
■ After synchronization, users that no longer exist in AD are put in the deleted state and
can no longer log in to the platform.
As shown in Figure 3-7: Auto Synchronize.
Figure 3-7: Auto Synchronize
▬ Convert to Local User: Convert users in the deleted state to local users.
■ The converted local users keep their original data. For example, they keep their
original permissions in the projects they belong to.
■ The converted local users can log in to the platform again after their passwords are
changed.
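The following added example is not part of the original documentation or of ZStack's code. It applies the user mapping rule (Table 3-2) and the organization mapping rule (Table 3-3) from step 2 to a small constructed directory, then re-runs the synchronization described above so that a user who has left AD ends up in the deleted state, can no longer log in as an AD/LDAP user, and can be converted to a local user. Telling users, groups and OUs apart by objectClass is standard AD schema; the format of the random code appended to a duplicate user name, and the decision to refuse a login attribute value that matches more than one active user, are assumptions made for the example.

```python
"""Added example, not ZStack's code: apply the user/organization mapping rules of
step 2 to constructed AD entries, then re-synchronize to show the deleted state."""
import secrets

# Mapping rules as in Tables 3-2 and 3-3 (platform field -> AD attribute).
USER_MAPPING = {'login': 'cn', 'username': 'cn', 'name': 'name',
                'phone': 'telephonenumber', 'mail': 'mail',
                'identifier': 'employeeid', 'description': 'description'}
ORG_MAPPING = {'type': 'group', 'name': 'cn', 'description': 'description'}

def _first(attrs: dict, name: str):
    """First value of a (lower-cased) AD attribute, or None when it is absent."""
    vals = attrs.get(name)
    return vals[0] if vals else None

def _classes(attrs: dict) -> set:
    return {c.lower() for c in attrs.get('objectclass', [])}

def map_users(entries: dict, mapping: dict) -> dict:
    """Map AD user objects to platform users. Platform user names must be unique;
    a duplicate gets a random code appended (the page says a random code is
    added, the exact format used here is an assumption)."""
    users, taken = {}, set()
    for dn, attrs in entries.items():
        if 'user' not in _classes(attrs):
            continue
        user = {field: _first(attrs, attr) for field, attr in mapping.items()}
        if user['username'] in taken:
            user['username'] = f"{user['username']}_{secrets.token_hex(3)}"
        taken.add(user['username'])
        user['state'] = 'active'
        users[dn] = user
    return users

def map_organizations(entries: dict, mapping: dict) -> dict:
    """Map AD groups (Mapping Type Group) or OUs (Mapping Type OU) to platform organizations."""
    wanted = 'group' if mapping['type'].lower() == 'group' else 'organizationalunit'
    return {dn: {'name': _first(attrs, mapping['name']),
                 'description': _first(attrs, mapping['description']),
                 'members': list(attrs.get('member', []))}
            for dn, attrs in entries.items() if wanted in _classes(attrs)}

def synchronize(platform: dict, entries: dict, mapping: dict) -> dict:
    """One Synchronize run: users still in AD are refreshed, users that are gone
    from AD are put in the deleted state and can no longer log in."""
    fresh = map_users(entries, mapping)
    platform.update(fresh)
    for dn, user in platform.items():
        if dn not in fresh:
            user['state'] = 'deleted'
    return platform

def can_log_in(platform: dict, login_value: str) -> bool:
    """AD/LDAP User login: exactly one active user must carry the login attribute
    value. Refusing an ambiguous value is this example's choice; the page does not
    say how the platform resolves duplicate login attribute values."""
    hits = [u for u in platform.values()
            if u['login'] == login_value and u['state'] == 'active']
    return len(hits) == 1

def convert_to_local(platform: dict, dn: str) -> dict:
    """Convert to Local User: only for users in the deleted state; they keep their
    data and may log in again once a password has been set."""
    user = platform[dn]
    if user['state'] != 'deleted':
        raise ValueError('only users in the deleted state can be converted')
    user['state'] = 'local'
    user['password_change_required'] = True
    return user

# Constructed sample directory (not real data) under the base DN dc=adtest,dc=zs.
USER_CLASSES = ['top', 'person', 'organizationalPerson', 'user']
AD = {
    'CN=Bob,CN=Users,DC=adtest,DC=zs': {
        'objectclass': USER_CLASSES, 'cn': ['Bob'], 'name': ['Bob'],
        'telephonenumber': ['13800000000'], 'mail': ['bob@adtest.zs'],
        'employeeid': ['001'], 'description': ['departure']},
    'CN=Tom,CN=Users,DC=adtest,DC=zs': {
        'objectclass': USER_CLASSES, 'cn': ['Tom'], 'name': ['Tom'],
        'employeeid': ['002'], 'description': ['senior developer']},
    # A second Bob in another container: cn is only unique per container in AD.
    'CN=Bob,OU=Dev,DC=adtest,DC=zs': {
        'objectclass': USER_CLASSES, 'cn': ['Bob'], 'name': ['Bob Chen'],
        'employeeid': ['003']},
    'CN=development department,OU=Dev,DC=adtest,DC=zs': {
        'objectclass': ['top', 'group'], 'cn': ['development department'],
        'description': ['backend development department'],
        'member': ['CN=Tom,CN=Users,DC=adtest,DC=zs', 'CN=Bob,OU=Dev,DC=adtest,DC=zs']},
    'OU=Dev,DC=adtest,DC=zs': {'objectclass': ['top', 'organizationalUnit'],
                               'ou': ['Dev'], 'description': ['development OU']},
}
```

The second Bob illustrates a point the mapping tables do not make explicit: in AD, cn is unique only within its container, so two users in different OUs can share it. With cn as the login attribute, the second Bob gets a platform user name such as Bob_xxxxxx, but both users present the same login value, which the platform cannot attribute unambiguously. Prefer a domain-unique attribute such as sAMAccountName or userPrincipalName as the login attribute, or use the filter rule to narrow the set of synchronized users.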
4 3rd Party User Login
3rd party users log in to the platform as follows.
1. Open Chrome or Firefox and enter http://your_machine_ip:5000/#/project.
2. Select AD/LDAP User, and enter the corresponding user name and password to log in to the
platform.
Note:
• 3rd party users have the same permissions as local users. For example, you can add 3rd party
users to a project or department, or configure permissions for them.
• Before a 3rd party user can work like a local user, make sure that the user is added to a
project and granted the relevant permissions. Otherwise, a blank page is displayed when the
user logs in to the platform.
As shown in Figure 4-1: AD/LDAP User Log In.
Figure 4-1: AD/LDAP User Log In
Glossary
Zone: A zone is the largest resource scope defined in ZStack, covering resources such as clusters,
L2 networks, and primary storages.
Cluster: A cluster is the logical collection of a group of hosts (compute nodes). All hosts in the
cluster must have the same operating system, the same network configuration, and be able to
access the same primary storage. In a physical data center, a cluster usually refers to a rack.
Management Node: A management node is a host with an operating system installed to provide
UI management and cloud platform deployment.
Compute Node: A compute node is a physical server (also known as a host) that provides VM
instances with compute, network, and storage resources.
Primary Storage: A primary storage is a storage server used to store the disk files of VM
instances. Local storage, NFS, Ceph, Shared Mount Point, and Shared Block are supported.
Backup Storage: A backup storage is a storage server used to store image template files. Image
store, SFTP (Community Edition), and Ceph are supported. We recommend that you deploy backup
storage separately.
Image Store: Image Store is a type of backup storage. You can use Image Store to create images
from VM instances that are in the running state and to manage image version updates and
release. Image Store allows you to quickly upload, download, and export images, and to create
image snapshots as needed.
VM Instance: A VM instance is a virtual machine instance running on a host. A VM instance has its
own IP address to access the public network and run application services.
Image: An image is an image template used by a VM instance or volume. Image templates include
system volume images and data volume images.
Volume: A volume can be either a data disk or a root disk. A volume provides additional storage
space for VM instances. A shared volume can be attached to one or more VM instances.
Instance Offering: An instance offering defines the CPU quantity, memory, and network settings
for starting a VM instance.
Disk Offering: A disk offering defines the size of the volumes used by a VM instance.
L2 Network: An L2 network is a layer 2 broadcast domain used for layer 2 isolation. Generally, L2
networks are identified by the names of devices on the physical network.
L3 Network: An L3 network is a collection of network configurations for VM instances, including
the IP address range, gateway, and DNS.
Public Network: A public network is generally allocated a public IP address by a Network
Information Center (NIC) and can be connected to IP addresses on the Internet.
Private Network: A private network is the internal network that can be connected to and accessed
by VM instances.
L2NoVlanNetwork: L2NoVlanNetwork is a network type for creating an L2 network. If
L2NoVlanNetwork is selected, VLAN settings are not used for host connection.
L2VlanNetwork: L2VlanNetwork is a network type for creating an L2 network. If L2VlanNetwork is
selected, VLAN settings are used for host connection and need to be configured on the
corresponding switches in advance.
VXLAN Pool: A VXLAN pool is an underlay network in VXLAN. You can create multiple VXLAN
overlay networks (VXLAN) in a VXLAN pool. The overlay networks can operate on the same
underlay network device.
VXLAN: A VXLAN network is an L2 network encapsulated by using the VXLAN protocol. A VXLAN
network belongs to a VXLAN pool. Different VXLAN networks are isolated from each other at
layer 2.
vRouter: A vRouter is a custom Linux VM instance that provides various network services.
Security Group: A security group provides L3 network firewall control over VM instances. It can
be used to set different security rules to filter IP addresses, network packet types, and the traffic
flow of network packets.
EIP: An elastic IP (EIP) address is a method to access a private network through a public network.
Snapshot: A snapshot is a data state file of a disk duplicated at a particular point in time. A
snapshot can be either an automatic snapshot or a manual snapshot.