Use Bastionhost to maintain servers as an AAD user - Best-Practices| Alibaba Cloud Documentation Center

If you use Azure Active Directory (Azure AD) and you want to import the users of Azure AD to Bastionhost to manage servers as an Azure AD user, you can configure secure Lightweight Directory Access Protocol (LDAP) accounts of Azure AD. Then, use the feature of LDAP user import to import Azure AD users. LDAP user import is provided in Bastionhost user management. Azure AD is shortened to AAD. This topic describes how to import AAD users to Alibaba Cloud Bastionhost.

Prerequisites

Before you import AAD users, the following configurations must be complete in the Azure portal:

AAD is deployed and an AAD account is created. For more information, see Create a managed domain in the Microsoft official documentation.
Secure LDAP is enabled, and user roles are configured. For more information, see Configure secure LDAP in the Microsoft official documentation.

Notice A newly created AAD account is deactivated. When you use the AAD account to log on to the Azure portal, the system prompts that you must reset the password before you can log on to the Azure portal by using this account. You must reset the password as prompted and log on to the Azure portal to activate the account. Otherwise, the account fails the authentication by Bastionhost.

Background information

AAD is a special Active Directory (AD) service. AAD users cannot be directly imported to Bastionhost. You must enable secure LDAP for AAD and use the feature of LDAP user import to import AAD users. Then, you can use Bastionhost to maintain servers as an AAD user.

Step 1: Connect Bastionhost to secure LDAP of AAD

Log on to the Bastionhost console.
In the left-side navigation pane, click System Settings.
On the System Settings page, click the LDAP Authentication tab.

On the LDAP Authentication tab, configure the parameters. Connect Bastionhost to secure LDAP

The following table describes the parameters.


Parameter	Description
Server Address	The IP address of the required AAD server. Note You must set this parameter to the external IP address that is used for the secure LDAP service. You can obtain the external IP address in the Azure portal.
Port	The port number of the required AAD server. Set this parameter to 636. Note You must set this parameter to the port number that is used for the secure LDAP service. The value of this parameter is the same as the TCP port 636 in the inbound security rule that you configured in the Azure portal. This security rule allows secure LDAP access over the Internet to your hosted domain.
Base DN	The Base distinguished name (DN) of the required AAD server
Account	The account of the required AAD server.
Password	The password of the required AAD server.

Click Test Connection.
After the test succeeds, click Update.

Step 2: Import LDAP users and authorize hosts for the users

Log on to the Bastionhost console.
In the left-side navigation pane, choose Users > Users.
On the Users page, click Import Other Users and select Import LDAP Users.
In the dialog box that appears, select the LDAP users that you want to import and click Import.
Import hosts to Bastionhost.
For more information, see Add hosts.
Authorize hosts for the imported users.
For more information, see Authorize a user to manage hosts.
Use Remote Desktop Protocol (RDP) or SSH to check whether the imported users can perform O&M operations on the hosts.
For more information, see RDP-based O&M and SSH-based O&M.