If you use Azure Active Directory (Azure AD) and want to import its users into Bastionhost
so that they can manage servers as Azure AD users, configure secure Lightweight Directory
Access Protocol (LDAP) for Azure AD and then use the LDAP user import feature, which is
provided in Bastionhost user management, to import the Azure AD users. In this topic,
Azure AD is abbreviated to AAD. This topic describes how to import AAD users to Alibaba
Cloud Bastionhost.
Prerequisites
Before you import AAD users, the following configurations must be complete in the
Azure portal:
- AAD is deployed and an AAD account is created. For more information, see Create a managed domain in the Microsoft official documentation.
- Secure LDAP is enabled, and user roles are configured. For more information, see Configure secure LDAP in the Microsoft official documentation.
Important A newly created AAD account is deactivated. When you use the account to log on
to the Azure portal, you are prompted to reset the password before you can log on with
this account. Reset the password as prompted and log on to the Azure portal to activate
the account. Otherwise, Bastionhost cannot authenticate the account.
Background information
AAD is a special Active Directory (AD) service. AAD users cannot be directly imported
to Bastionhost. You must enable secure LDAP for AAD and use the feature of LDAP user
import to import AAD users. Then, you can use Bastionhost to perform O&M operations
on servers as an AAD user.
Step 1: Connect Bastionhost to secure LDAP of AAD
- Log on to the console of the bastion host.
- In the left-side navigation pane, click System Settings.
- On the System Settings page, click the LDAP Authentication tab.
- On the LDAP Authentication tab, configure the parameters.
The following table describes the parameters.
Parameter | Description
Server Address | The IP address of the AAD server. Note: You must set this parameter to the external IP address that is used for the secure LDAP service. You can obtain the external IP address in the Azure portal.
Port Number | The port number of the AAD server. Set this parameter to 636. Note: You must set this parameter to the port number that is used for the secure LDAP service. The value is the same as the TCP port 636 in the inbound security rule that you configured in the Azure portal. This security rule allows secure LDAP access over the Internet to your hosted domain.
Base DN | The base distinguished name (DN) of the AAD server.
Account | The account that is used to log on to the AAD server.
Password | The password of the account.
- Click Test Connection. After a connection is established, click Update.
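Before you enter the values in the LDAP Authentication tab, it helps to check them against the constraints this step describes (external IP, port 636, a domain-rooted Base DN, a bind account and password). The following added example is not part of the Bastionhost product or this topic; it validates the form values offline and, separately, opens a TLS session to the secure LDAP endpoint to read the certificate expiry. The IP address, domain name and account in the test are constructed, and the TLS probe assumes the certificate was issued for the managed domain name rather than the IP.

```python
import ipaddress
import socket
import ssl

SECURE_LDAP_PORT = 636  # the port this topic tells you to enter


def parse_dn(dn):
    """Split a DN such as 'DC=contoso,DC=com' into (attribute, value) pairs."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {rdn!r}")
        pairs.append((attr.upper(), value))
    return pairs


def validate_ldap_settings(server_address, port, base_dn, account, password):
    """Return the problems found in the form values; an empty list means they match the topic."""
    problems = []
    try:
        # Secure LDAP is reached over the Internet, so a private address cannot be right.
        if not ipaddress.ip_address(server_address).is_global:
            problems.append("Server Address must be the external IP of the secure LDAP service")
    except ValueError:
        problems.append("Server Address must be an IP address")
    if int(port) != SECURE_LDAP_PORT:
        problems.append(f"Port Number must be {SECURE_LDAP_PORT} (secure LDAP)")
    try:
        if parse_dn(base_dn)[-1][0] != "DC":
            problems.append("Base DN must end with the domain components, e.g. DC=contoso,DC=com")
    except ValueError as exc:
        problems.append(f"Base DN: {exc}")
    if not account or not password:
        problems.append("Account and Password are both required")
    return problems


def ldaps_certificate_expiry(server_address, server_hostname, timeout=5):
    """Open a TLS session on 636 (the first thing Test Connection has to succeed at) and
    return the certificate's notAfter. server_hostname is the managed domain name the
    certificate was issued for (assumption), since the server is addressed by IP.
    Needs network access; an untrusted or expired certificate raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_address, SECURE_LDAP_PORT), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            return tls.getpeercert()["notAfter"]
```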
Step 2: Import LDAP users and authorize hosts for the users
- Log on to the console of the bastion host.
- In the left-side navigation pane, choose .
- On the Users page, click Import Other Users and select Import LDAP Users.
- In the dialog box that appears, select the LDAP users that you want to import and
click Import.
- Import hosts to the bastion host.
- Authorize the hosts for the imported users.
- Use Remote Desktop Protocol (RDP) or SSH to check whether the imported users can
perform O&M operations on the hosts.