All Products
Search

This Product

    Bastionhost:Configure AD authentication or LDAP authentication

    Document Center

    Bastionhost:Configure AD authentication or LDAP authentication

    Last Updated:Jul 19, 2024

    Bastionhost can be connected to an Active Directory (AD) authentication server or a Lightweight Directory Access Protocol (LDAP) authentication server. Users on the AD authentication server or the LDAP authentication server can be synchronized to Bastionhost as Bastionhost users. This topic describes how to configure AD authentication and LDAP authentication.

    Prerequisites

    An AD environment or LDAP environment is deployed and Bastionhost can access the AD authentication server or LDAP authentication server.

    Configure AD authentication servers

    You can configure multiple AD authentication servers for a bastion host. If you want to import the users on multiple AD authentication servers in multiple domains or users under multiple base distinguished names (DNs) on an AD authentication server to a bastion host, you must configure multiple AD authentication servers and import users from each server. Then, the users can perform O&M operations on the assets that they are authorized to manage.

    1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

    2. In the bastion host list, find the bastion host that you want to manage and click Manage.

    3. In the left-side navigation pane, click System Settings.

    4. On the AD Authentication tab, click Add Authenticated Server.

    5. In the Add Authenticated Server panel, configure the parameters and click Test Connection. The following table describes the parameters.

      Parameter

      Description

      Server Name

      The name of the AD authentication server. You can specify a unique name that can help you identify the server.

      Set as Default Server

      If you select this option, the authentication server that you configure will be used as the default server.

      Note

      You can call an API operation to modify only the default server. You can configure up to 10 AD authentication servers for a bastion host of the Enterprise edition. You can configure only one AD authentication server for a bastion host of the Basic edition.

      Server Address

      The endpoint of the authentication server.

      Standby Server Address

      Optional. The endpoint of the secondary server. If no secondary server is used, leave this parameter empty.

      Port

      The port of the server.

      SSL

      You must select this option if an SSL certificate is installed on the AD authentication server.

      Base DN

      The user directory node that is configured on the server.

      Note

      If the number of users under the base DN is too large, a long time is required to import the users. We recommend that you set the maximum number of users under the base DN to 100,000 before you start importing the users.

      Domain

      The domain in which the users to be imported reside.

      Account

      The username of the account that is used to log on to the authentication server.

      Password

      The password of account that is used to log on to the authentication server.

      Filter

      The filter conditions that you specify to query users on the server.

      Interval for Automatic Creation of User Snapshots

      The interval at which user snapshots are automatically created on your computer when the system synchronizes user data from the authentication server.

      Name to Be Synchronized

      Specifies whether to synchronize the name of the user. Enter the parameter that indicates the name of the user on the remote server, such as fullName. If you select this option but do not enter a value, the default value cn is used. If you clear this option, the name of the user is not synchronized.

      Note

      When the user logs on to the bastion host, verification is performed based on the username instead of the name of the user. By default, the value of sAMAccountName on the remote server is synchronized as the logon name.

      Email Address to Be Synchronized

      Specifies whether to synchronize the email address of the user. Enter the parameter that indicates the email address of the user on the remote server. Example: mail. If you select this option but do not enter a value, the default value mail is used. If you clear this option, the email address of the user is not synchronized.

      Mobile Phone Number to Be Synchronized

      Specifies whether to synchronize the mobile phone number of the user. Enter the parameter that indicates the mobile phone number of the user on the remote server, such as mobile. If you select this option but do not enter a value, the default value mobile is used. If you clear this option, the mobile phone number of the user is not synchronized.

      Synchronize the Organization to Which the User Belongs as a User Group

      If you select this option, when you import an AD-authenticated user to your bastion host, the organization to which the user belongs is automatically synchronized to the bastion host as a user group and the user is automatically added to the user group.

      • A bastion host supports up to 500 user groups. If the upper limit is reached, the organization to which the user belongs to is not synchronized to the bastion host as a user group.

      • After an organization is synchronized to the bastion host as a user group, the add, delete, and modify operations that are performed on the organizations are not synchronized to the bastion host.

    6. After the connectivity test is passed, click Save.

      To automatically synchronize the snapshots of AD-authenticated users, click Create User Snapshots or configure Interval for Automatic Creation of User Snapshots. When you import AD-authenticated users to the bastion host, the bastion host reads user data from local snapshots. This reduces resource consumption during the import.

    Configure LDAP authentication servers

    1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

    2. In the bastion host list, find the bastion host that you want to manage and click Manage.

    3. In the left-side navigation pane, click System Settings.

    4. On the LDAP Authentication tab, configure the parameters and click Test Connection. The following table describe the parameters.

      Parameter

      Description

      Server Address

      The endpoint of the authentication server.

      Standby Server Address

      Optional. The endpoint of the secondary server. If no secondary server is used, leave this parameter empty.

      Port

      The port of the server.

      SSL

      You must select this option if an SSL certificate is installed on the LDAP authentication server.

      Base DN

      The user directory node that is configured on the server.

      Note

      If the number of users under the base DN is too large, a long time is required to import the users. We recommend that you set the maximum number of users under the base DN to 100,000 before you start importing the users.

      Account

      The username of the account that is used to log on to the authentication server.

      Password

      The password of account that is used to log on to the authentication server.

      Filter

      The filter conditions that you specify to query users on the server.

      Logon Name Attribute

      The logon name of the user on the LDAP authentication server. The logon name corresponds to the name that needs to be verified upon user logon to the bastion host. Default value: uid.

      Interval for Automatic Creation of User Snapshots

      The interval at which user snapshots are automatically created on your computer when the system synchronizes user data from the authentication server.

      Name to Be Synchronized

      Specifies whether to synchronize the name of the user. Enter the parameter that indicates the name of the user on the remote server, such as fullName. If you select this option but do not enter a value, the default value cn is used. If you clear this option, the name of the user is not synchronized.

      Note

      When the user logs on to the bastion host, verification is performed based on the username, not based on the name of the user. By default, the value of uid on the remote server is synchronized as the logon name.

      Email Address to Be Synchronized

      Specifies whether to synchronize the email address of the user. Enter the parameter that indicates the email address of the user on the remote server. Example: mail. If you select this option but do not enter a value, the default value mail is used. If you clear this option, the email address of the user is not synchronized.

      Mobile Phone Number to Be Synchronized

      Specifies whether to synchronize the mobile phone number of the user. Enter the parameter that indicates the mobile phone number of the user on the remote server, such as mobile. If you select this option but do not enter a value, the default value mobile is used. If you clear this option, the mobile phone number of the user is not synchronized.

    5. After the connectivity test is passed, click Save.

      • If you no longer require LDAP authentication, click Clear Settings to clear the LDAP authentication configuration.

        Warning

        After you clear the LDAP authentication configuration, LDAP-authenticated users are removed from the bastion host. Proceed with caution.

      • To automatically synchronize the snapshots of LDAP-authenticated users, click Create User Snapshots or configure Interval for Automatic Creation of User Snapshots. When you import LDAP-authenticated users to the bastion host, the bastion host reads user data from local snapshots. This reduces resource consumption during the import.