Background
Centrastor provides the functionality to link your virtual portal to your domain controller to enable Active Directory (AD) integration. The scope of the integration is limited to fetching and synchronizing AD user accounts with the virtual portal.
When integrated with a directory service, the Centrastor Portal fetches user data from the directory in the following cases:
- An administrator can manually fetch specific users from the directory.
- If a user attempts to log in, but does not yet have a local Centrastor Portal account, their user account is automatically fetched from the directory.
- The Centrastor Portal automatically re-fetches all previously fetched directory users, every day at midnight, as part of the daily "Apply provisioning changes" task.
- An administrator can force a re-synchronization of all previously fetched directory users, by running the Apply Provisioning Changes Wizard.
Security Implications
Please be aware that AD integration without SSL support (LDAPS) is insecure. Without LDAPS the portal authenticates to the directory with an LDAP simple bind, so the username and password entered in the Directory Services set-up are sent over the network in plain text every time the portal queries AD, and anyone able to observe that traffic (on the portal's network segment or anywhere on the path to the domain controllers) can capture them. Enabling SSL support requires your Domain Controllers to have certificates for LDAPS, and those certificates to be uploaded to the portal. This is a non-trivial task, explained in some detail here: http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
Until LDAPS is in place, treat the Directory Services account as exposed: use a dedicated account that can only read the directory and has no other rights, so that a captured credential gives an attacker nothing beyond directory lookups.
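To make the exposure concrete, the following Python script is an added example written for this article; it is not Centrastor code and does not contact a real domain controller. It builds the bytes of an LDAPv3 simple BindRequest exactly as a client sends them without LDAPS, then parses those bytes back the way a passive observer on the network would, recovering the bind DN and the password. For comparison it also builds a SASL (GSSAPI, i.e. Kerberos) bind, which carries a ticket-derived token rather than the password, and a TLS record prefix of the kind an LDAPS session shows; the parser returns None for both. The account name, password and token bytes are constructed sample values.

```python
"""Added example: what an LDAP simple bind looks like on the wire.

Not Centrastor code. Builds an LDAPv3 BindRequest (RFC 4511, section 4.2) the
way a client would send it without LDAPS, then parses the bytes back the way a
passive observer on the network would. All names and secrets below are
constructed sample values; message IDs are kept below 128 for brevity.
"""


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    0x60 = [APPLICATION 0] BindRequest, 0x80 = [CONTEXT 0] simple: the password itself."""
    bind = tlv(0x02, bytes([3])) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))


def build_sasl_bind(msg_id: int, mechanism: str, token: bytes) -> bytes:
    """Same message with [CONTEXT 3] SaslCredentials (e.g. GSSAPI for Kerberos):
    the wire carries a mechanism token, never the account password."""
    sasl = tlv(0xA3, tlv(0x04, mechanism.encode()) + tlv(0x04, token))
    bind = tlv(0x02, bytes([3])) + tlv(0x04, b"") + sasl
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise IndexError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def extract_simple_bind(packet: bytes):
    """If packet is an LDAP simple BindRequest, return (message_id, dn, password).
    Returns None for anything else: TLS records (LDAPS), SASL binds, other LDAP ops."""
    try:
        tag, msg, _ = read_tlv(packet, 0)
        if tag != 0x30:
            return None
        tag, mid, pos = read_tlv(msg, 0)
        if tag != 0x02:
            return None
        tag, bind, _ = read_tlv(msg, pos)
        if tag != 0x60:
            return None
        _, _version, pos = read_tlv(bind, 0)
        _, dn, pos = read_tlv(bind, pos)
        tag, auth, _ = read_tlv(bind, pos)
        if tag != 0x80:
            return None
        return int.from_bytes(mid, "big"), dn.decode(), auth.decode()
    except (IndexError, UnicodeDecodeError):
        return None


# Constructed samples: a portal service account binding without LDAPS, the same
# account binding with Kerberos/GSSAPI, and the first bytes of a TLS ClientHello
# (what an LDAPS session on port 636 looks like to the same observer).
PLAINTEXT_BIND = build_simple_bind(
    1, "CN=svc-portal,OU=Service Accounts,DC=corp,DC=example", "Sup3rSecret!")
KERBEROS_BIND = build_sasl_bind(1, "GSSAPI", b"\x60\x82\x05\x00<gss token>")
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160301004a010000460303")

if __name__ == "__main__":
    for label, pkt in [("LDAP simple bind", PLAINTEXT_BIND),
                       ("LDAP SASL/GSSAPI bind", KERBEROS_BIND),
                       ("LDAPS (TLS) record", TLS_CLIENT_HELLO_PREFIX)]:
        print(f"{label:24s} -> {extract_simple_bind(pkt)}")
```

Running the script prints the DN and password recovered from the plaintext bind and None for the other two. The same parsing logic is what a network IDS rule for "cleartext LDAP bind" does, and it is also why domain controllers can log such binds (Windows logs unsigned simple binds when LDAP interface diagnostics are enabled); either is a good way to confirm that no portal is still binding in the clear after LDAPS has been switched on.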
Enabling AD Integration with Centrastor
To integrate a virtual portal with an Active Directory domain, tree, or forest, do the following:
- In the navigation pane, click Users > Directory Services.
- Click Settings. The Directory Services Wizard appears, displaying the Synchronization Settings dialog box.
- Complete the fields using the information in the table following this procedure.
- Click Next. The UID/GID Mappings dialog box appears.
- To add the other domains in the tree/forest, do the following for each one:
  - In the Add domain field, either type the desired domain's name, or select it from the drop-down list.
  - Click Add. The domain appears in the table.
- Click in the UID/GID Start field, and type the starting number in the range of the Centrastor Portal user and group IDs (UID/GID) that should be assigned to users and user groups from this domain.
- Click in the UID/GID End field, and type the ending number in the range of the Centrastor Portal user and group IDs (UID/GID) that should be assigned to users and user groups from this domain.
- To re-order the domains, do any of the following:
  - To move a domain up in the table, click on the desired domain, then click Move Up.
  - To move a domain down in the table, click on the desired domain, then click Move Down.
Note: The order in which domains appear in the table is the order in which the domains appear in drop-down lists throughout the Centrastor Portal interface.
- To remove a domain, click the remove icon in its row. The domain is removed from the table.
- Click Next. The Access Control dialog box appears.
- Add each Active Directory user and user group that should be allowed to access the virtual portal, by doing the following:
  - In the drop-down list, select one of the following:
    - Users. Search the users defined in Active Directory.
    - Groups. Search the user groups defined in Active Directory.
  - In the Quick Search field, type a string that appears anywhere within the name of the user or user group you want to add, then click the search icon.
  - Select the desired user or user group in the table. The user or user group appears in the Quick Search field.
  - Click Add. The user or user group is added to the list of users and user groups who should have access to the virtual portal.
- To remove a user or user group, click the remove icon in its row. The user or user group is removed from the list.
- In each user and user group's row, click in the Role column, then select the desired user role from the drop-down list. Options include Disabled, End User, Read Only Administrator, and Read/Write Administrator. For information on these roles, see User Manager Profile Fields.
- Click Next. The Wizard Completed screen appears.
- Click Finish. The user data is fetched from Active Directory, and the Apply Changes window opens, displaying the Running screen with a progress bar that tracks the operation's progress. To stop the process, click Stop. To close the progress bar while the process continues in the background, click Continue in Background. When the operation is complete, the Completed screen appears.
- Click Close. Synchronization with Active Directory is enabled.
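The UID/GID Mappings step above gives every domain its own numeric range, and the wizard does not say what happens if two ranges overlap. The Python script below is an added example, not Centrastor code: it checks a set of per-domain ranges the way an administrator should before typing them into the wizard (no domain listed twice, no two ranges sharing numbers, since shared numbers would let two different directory principals receive the same numeric ID), and then models a mapper that hands out one stable ID per (domain, account) from the matching range and refuses once a range is used up. How the portal itself allocates IDs inside a range is not documented on this page, so the mapper is an assumption; the domain names and ranges are constructed sample values.

```python
"""Added example: sanity-check the UID/GID ranges given to each domain.

Not Centrastor code. The wizard's own allocation logic is not documented, so the
IdMapper below is an assumption about how such ranges are consumed; the range
checks themselves only use what the wizard asks for (one start-end range per
domain). All domain names and numbers are constructed sample values.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass
class DomainRange:
    domain: str
    start: int   # the wizard's UID/GID Start field
    end: int     # the wizard's UID/GID End field (inclusive)

    def __post_init__(self):
        if self.start < 1 or self.end < self.start:
            raise ValueError(f"{self.domain}: invalid range {self.start}-{self.end}")


def check_ranges(ranges):
    """Return a list of problems; empty when the ranges can be used together."""
    problems = []
    seen = set()
    for r in ranges:
        if r.domain.lower() in seen:          # AD domain names are case-insensitive
            problems.append(f"{r.domain}: listed twice")
        seen.add(r.domain.lower())
    for a, b in combinations(ranges, 2):      # every pair, so nested ranges are caught too
        if a.start <= b.end and b.start <= a.end:
            problems.append(
                f"{a.domain} ({a.start}-{a.end}) overlaps {b.domain} ({b.start}-{b.end})")
    return problems


class IdMapper:
    """Hand out one stable numeric ID per (domain, account) from the domain's range."""

    def __init__(self, ranges):
        problems = check_ranges(ranges)
        if problems:
            raise ValueError("; ".join(problems))
        self.ranges = {r.domain.lower(): r for r in ranges}
        self.next_free = {r.domain.lower(): r.start for r in ranges}
        self.assigned = {}

    def id_for(self, domain: str, account: str) -> int:
        key = (domain.lower(), account.lower())   # sAMAccountName is case-insensitive too
        if key in self.assigned:
            return self.assigned[key]
        r = self.ranges.get(domain.lower())
        if r is None:
            raise KeyError(f"{domain}: domain was not added in the UID/GID Mappings step")
        nxt = self.next_free[r.domain.lower()]
        if nxt > r.end:
            raise RuntimeError(f"{domain}: range {r.start}-{r.end} exhausted")
        self.assigned[key] = nxt
        self.next_free[r.domain.lower()] = nxt + 1
        return nxt

    def free_ids(self, domain: str) -> int:
        """How many IDs the domain's range still has left."""
        r = self.ranges[domain.lower()]
        return r.end - self.next_free[domain.lower()] + 1


# Constructed sample: a forest root plus one child domain, with disjoint ranges.
FOREST = [
    DomainRange("corp.example.com", 1_000_000, 1_999_999),
    DomainRange("eu.corp.example.com", 2_000_000, 2_999_999),
]

if __name__ == "__main__":
    print(check_ranges(FOREST))                                   # []
    bad = FOREST + [DomainRange("lab.example.com", 1_500_000, 2_500_000)]
    print(check_ranges(bad))                                      # two overlaps
    m = IdMapper(FOREST)
    print(m.id_for("corp.example.com", "alice"), m.id_for("CORP.example.com", "Alice"))
    print(m.free_ids("corp.example.com"), "IDs left for corp.example.com")
```

Size the ranges generously: every user and every group fetched from a domain consumes an ID, and the daily "Apply provisioning changes" task will keep adding newly fetched principals until the range is exhausted.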
Field Name | Field Description
Enable Directory Synchronization | Select this option to enable integration with an Active Directory domain.
Directory Type | Select Active Directory as the type of directory with which to integrate the Centrastor Portal.
Use SSL | Select this option to connect to the Active Directory domain using SSL (LDAPS).
Use Kerberos | Select this option to use the Kerberos protocol for authentication when communicating with the Active Directory domain. This is useful for achieving Single Sign On (SSO) with Windows computers. If unchecked, LDAP is used. Note: Only one virtual portal, per system, can use Kerberos.
Domain | Type the name of the Active Directory domain with which you want to synchronize users.
Username | Type the username that the Centrastor Portal should use for authenticating to Active Directory.
Password | Type the password that the Centrastor Portal should use for authenticating to Active Directory.
Organizational Unit | Type the name of the organizational unit (OU) within the Active Directory domain. This field is optional.
Manually specify domain controller addresses | Select this option to manually specify the IP address of the Active Directory domain controller(s). If unchecked, DNS is used to automatically find the Active Directory domain controller(s).
Primary | If you selected Manually specify domain controller addresses, type the address of the primary Active Directory domain controller.
Secondary | If you selected Manually specify domain controller addresses, type the address of the secondary Active Directory domain controller.
For more information please contact support@redstor.com