
Drive and Photo Service: Logon with AD/LDAP

Last Updated: Nov 25, 2025

This topic describes how to configure Lightweight Directory Access Protocol (LDAP) so that Drive and Photo Service (Developer Edition) can synchronize the organization structure and users from your LDAP (or Active Directory) directory. After configuration, users log on to Drive and Photo Service (Developer Edition) directly with their LDAP accounts, which simplifies the management of users and teams in a drive.

Prerequisites

  • You have the permissions to operate the PDS console. If you log on as a RAM user that has not been granted the relevant permissions (the AliyunPDSFullAccess policy), grant them to the RAM user first.

  • A PDS Developer Edition domain is created.

  • An LDAP server is deployed. You need its address, port number, and BaseDN, plus an account that can read the directory, to connect to it.

  • The LDAP server is reachable over the Internet, because the Drive and Photo Service (Developer Edition) server connects to it from Alibaba Cloud. Limit that exposure: allow inbound connections on the LDAP port only from the sources that need it with firewall rules, and give the bind account read-only access, because the address format below is plain ldap:// and a simple bind on port 389 sends the password in cleartext unless the server negotiates StartTLS.

Procedure

Step 1: Configure LDAP login

  1. Go to the Domains page of the Drive and Photo Service (Developer Edition) console.

  2. In the upper-left corner of the page, select the region where the Developer Edition domain is located.


  3. Find the domain that you want to configure and click Details in the Actions column.


  4. On the domain details page, click the User Systems tab. On the User Systems tab, click Configure. The Configure PDS Logon Page panel appears.

  5. Turn on Enable Logon by LDAP and configure the parameters that are described in the following table.

    The following table describes the parameters.

    Hostname
      Sample value: ldap://120.XX.XX.XX
      Description: The address of the LDAP server. The address must start with ldap:// (lowercase L). Formats:
      • IP address: ldap://120.XX.XX.XX
      • Domain name: ldap://www.example.com

    Port
      Sample value: 389
      Description: The TCP port on which the LDAP server listens. The default is 389. If your server uses a different port, enter that port.

    UID
      Sample value: sAMAccountName
      Description: The LDAP attribute whose value users enter as their username at logon. The name must match the attribute name shown in the LDAP (or AD) Attribute Editor; in Active Directory this is usually sAMAccountName.

    Administrator DN
      Sample value: CN=admin,DC=chwl,DC=com
      Description: The distinguished name (DN) of the account that the service binds as. This account must be able to read all users and organizational units under the BaseDN. Read access is all the service needs, so a dedicated read-only account is sufficient. To obtain the DN in a Windows AD environment, see Appendix 2: Obtain the administrator DN.

    Administrator Password
      Sample value: *****
      Description: The LDAP password of the administrator account. The Drive and Photo Service (Developer Edition) server binds to the LDAP server with this account to read user information for synchronization and logon.

    BaseDN
      Sample value: DC=chwl,DC=com
      Description: Only the organizational units and users under this DN can be synchronized to Drive and Photo Service (Developer Edition). To obtain the BaseDN in a Windows AD environment, see Appendix 1: Obtain BaseDN.

    Important

    Set the BaseDN carefully and do not change it after it is saved. Drive and Photo Service (Developer Edition) matches its organization directory against LDAP (or AD) by this DN. If the BaseDN changes, the two organization directories no longer correspond and synchronization fails.

  6. After you complete the configuration, click OK to save the settings.
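
Before saving the Step 1 values, it is worth proving from a machine that can reach the LDAP server that the hostname, port, administrator DN, password, BaseDN and UID attribute actually work together, because the console reports a failure only later, at logon or synchronization time. The following PowerShell script is an added example and not part of this page or of the PDS product; it uses the .NET System.DirectoryServices.Protocols client (so it works against Active Directory or any other LDAP server) and performs the same simple bind the service performs. All placeholder values come from the table above, and $TestLogin is an assumed username of an existing directory user that you must replace.

```powershell
# Added example (not part of the Alibaba Cloud page). Checks the Step 1 values from a
# machine that can reach the LDAP server, using the .NET LDAP client so it works against
# Active Directory or any other LDAP server. Every value below is a placeholder taken from
# the table and must be replaced; $TestLogin is an assumed existing user's UID value.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Hostname      = 'ldap://120.XX.XX.XX'        # Hostname, exactly as entered in the console
$Port          = 389                          # Port
$Uid           = 'sAMAccountName'             # UID attribute
$AdminDn       = 'CN=admin,DC=chwl,DC=com'    # Administrator DN
$BaseDn        = 'DC=chwl,DC=com'             # BaseDN
$TestLogin     = 'jdoe'                       # assumed: $Uid value of a user that exists under $BaseDn
$AdminPassword = Read-Host -AsSecureString -Prompt 'Administrator password'

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a username cannot change the meaning of the search filter.
    $sb = [System.Text.StringBuilder]::new()
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

# 1. The console accepts only ldap://<host>; reject anything else (a path, ldaps://) here too.
if ($Hostname -notmatch '^ldap://(?<LdapHost>[^/:]+)$') {
    throw "Hostname must look like ldap://<ip-or-fqdn>, got: $Hostname"
}
$LdapHost = $Matches.LdapHost

# 2. TCP reachability on the configured port.
$tcp = Test-NetConnection -ComputerName $LdapHost -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "No TCP connection to ${LdapHost}:$Port; check firewall rules and the Port value"
}

# 3. Simple bind as the Administrator DN, the same way the service authenticates.
#    On ldap:// port 389 the password crosses the wire in cleartext unless the server
#    negotiates StartTLS, so run this only from a trusted network segment.
$identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($LdapHost, $Port)
$credential = [System.Net.NetworkCredential]::new($AdminDn, $AdminPassword)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
    $identifier, $credential, [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.ProtocolVersion = 3

try {
    $conn.Bind()   # throws LdapException (result code 49) on a wrong DN or password
    Write-Host "Bind as $AdminDn succeeded"

    # 4. The BaseDN must exist and be readable by this account (base-scope read of the entry
    #    itself); a mistyped DN fails with noSuchObject (result code 32).
    $baseReq = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $BaseDn, '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, @('distinguishedName'))
    [void]$conn.SendRequest($baseReq)
    Write-Host "BaseDN $BaseDn is readable"

    # 5. A known user must be visible under the BaseDN through the UID attribute. Zero results
    #    means the attribute name is wrong, the user sits outside the BaseDN, or the bind
    #    account cannot read that part of the tree.
    $filter  = "($Uid=$(ConvertTo-LdapFilterValue $TestLogin))"
    $userReq = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $BaseDn, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, @($Uid, 'displayName'))
    $userResp = $conn.SendRequest($userReq)
    if ($userResp.Entries.Count -ne 1) {
        throw "Expected exactly one entry matching $filter under $BaseDn, found $($userResp.Entries.Count)"
    }
    $entry   = $userResp.Entries[0]
    $display = if ($entry.Attributes.Contains('displayName')) { $entry.Attributes['displayName'][0] } else { '<no displayName>' }
    Write-Host ("User found: {0} ({1}) at {2}" -f $entry.Attributes[$Uid][0], $display, $entry.DistinguishedName)
}
catch [System.DirectoryServices.Protocols.DirectoryException] {
    # Covers both LdapException (bind errors) and DirectoryOperationException (search errors).
    throw "LDAP check failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

If the bind succeeds but step 5 finds nothing, the usual causes are a UID attribute name that does not match the Attribute Editor (for example uid versus sAMAccountName), a test user that lives outside the BaseDN, or a bind account whose read permissions do not cover the whole subtree; each of those would also break logon or synchronization once the configuration is saved.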

Step 2: Use LDAP login

  1. Open https://domainID.apps.aliyunpds.com in the desktop client or in a browser.

    Important

    When you use a browser, replace domainID with the ID of your Developer Edition domain.

  2. On the login page, click AD/LDAP.


  3. Enter the LDAP username and password to log in.

Step 3: Configure LDAP account synchronization

Important

LDAP account synchronization is not enabled by default. If you need to use this feature, contact us to enable it.

  1. Log on to Drive and Photo Service (Developer Edition) with an administrator account and go to the Management Console.

  2. In the left navigation bar, select Exclusive Login Configuration > LDAP Configuration.


  3. In the Login Synchronization Configuration section, click Edit.

  4. Fill in the Login Configuration.

    1. On the LDAP Configuration page, fill in the Login Configuration.

      Figure: Login Configuration

      The following table describes the parameters.

      Login Username Field
        Example value: sAMAccountName
        Description: The attribute used as the account name when users log on. The name must match the attribute name shown in the LDAP Attribute Editor.

      Display Name Field
        Example value: displayName
        Description: The attribute used as the user's display name in the cloud drive. The name must match the attribute name shown in the LDAP Attribute Editor.

    2. Click The Next Step.

  5. Fill in the Synchronization Configuration.

    • If you do not need LDAP synchronization, skip this step. With only LDAP login enabled and no synchronization configured, any LDAP user under the BaseDN can log on to the enterprise cloud drive; an account is created automatically at first logon, with no organization structure (no team membership) attached to it.

    • If you enable the synchronization feature, you can import users and organization structures from LDAP. Perform the following steps to configure synchronization:

      1. On the Synchronization Configuration page, turn on the Synchronization Configuration switch and configure the synchronization information.


        The following table describes the parameters.

        Note
        • To synchronize both LDAP organizations and users, set both Team Object Classes and User Object Classes.
        • To synchronize only LDAP organizations, set only Team Object Classes.
        • To synchronize only LDAP users, set only User Object Classes.

        Team Object Classes
          Example value: organizationalUnit
          Description: An organizational unit (OU) is an Active Directory container that can hold users, groups, computers, and other OUs. It is the smallest scope to which Group Policy can be linked or administrative permissions delegated. Groups are not supported as teams.

        User Object Classes
          Example value: User
          Description: Enter organizationalPerson, inetOrgPerson, or User.
          • organizationalPerson provides the basic organization-related attributes.
          • inetOrgPerson provides all attributes of organizationalPerson and adds attributes related to Internet communication (for example, mail).
          • User is the Active Directory user class, a subclass of organizationalPerson that carries the account attributes specific to AD (for example, sAMAccountName).

        Synchronization Time Setting
          Example value: Automatic synchronization
          Description: Valid values:
          • Manual synchronization: You synchronize organizations or users to the cloud drive by hand. Changes in the directory are not reflected in the cloud drive until you synchronize again. For example, a newly hired employee added to the directory cannot log on to the cloud drive until the next manual synchronization.
          • Automatic synchronization: Organizations or users are synchronized on a schedule. Set the frequency to daily, weekly, or monthly, and choose the hour of the day at which synchronization runs.

      2. Click Configuration Detection.

      3. Click Synchronize Now.

        After the synchronization is complete, the Import Result is displayed. If the import fails, the reason for the failure is displayed in the Import Result.


      4. Click Confirm Import.

      5. In the Last Synchronization Information section, view the Last Synchronization Time and Last Synchronization Status. To view the details of the last synchronization, click Details on the right.
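
Before clicking Synchronize Now, it helps to see exactly which objects the Step 3 settings will select from the directory and which users cannot be mapped to the Login Username Field and Display Name Field. The PowerShell script below is an added example, not part of this page or of the PDS product; it needs the RSAT ActiveDirectory module on a domain-joined machine, reads the BaseDN from the domain (the same value Appendix 1 has you copy from the Attribute Editor), and uses the table's example object classes and attribute names. Whether disabled accounts or users outside any OU are imported is not stated on this page, so the script only flags them for you to decide.

```powershell
# Added example (not part of the Alibaba Cloud page). Previews what the Step 3
# synchronization will select from Active Directory, using the same BaseDN, object classes
# and attribute names as the configuration. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$BaseDn       = (Get-ADDomain).DistinguishedName   # e.g. DC=chwl,DC=com, the value Appendix 1 copies by hand
$TeamClass    = 'organizationalUnit'               # Team Object Classes
$UserClass    = 'user'                             # User Object Classes (the AD schema name is lower-case)
$LoginField   = 'sAMAccountName'                   # Login Username Field
$DisplayField = 'displayName'                      # Display Name Field

# Teams: every OU below the BaseDN. Groups are not supported as teams, so they are not listed.
$teams = @(Get-ADObject -SearchBase $BaseDn -SearchScope Subtree `
    -LDAPFilter "(objectClass=$TeamClass)" | Sort-Object DistinguishedName)

# Users: in AD the computer class derives from user, so (objectClass=user) alone also matches
# computer accounts; objectCategory=person keeps only people in this preview.
$users = @(Get-ADObject -SearchBase $BaseDn -SearchScope Subtree `
    -LDAPFilter "(&(objectClass=$UserClass)(objectCategory=person))" `
    -Properties $LoginField, $DisplayField, userAccountControl)

function Get-ParentDn([string]$Dn) {
    # Drop the leading RDN; the pattern tolerates escaped commas such as CN=Doe\, John.
    $Dn -replace '^[^=]+=(?:[^,\\]|\\.)+,', ''
}

$teamDns = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($t in $teams) { [void]$teamDns.Add($t.DistinguishedName) }

$preview = foreach ($u in $users) {
    $parent = Get-ParentDn $u.DistinguishedName
    [pscustomobject]@{
        Login    = $u.$LoginField
        Display  = $u.$DisplayField
        Team     = $parent
        InTeam   = $teamDns.Contains($parent)            # false for users in plain containers such as CN=Users
        Disabled = [bool]($u.userAccountControl -band 2) # ACCOUNTDISABLE bit; import behaviour is not documented here
    }
}

Write-Host ("Teams (OUs) under {0}: {1}" -f $BaseDn, $teams.Count)
Write-Host ("Users under {0}: {1}" -f $BaseDn, $users.Count)

# Users without a value in either field cannot be mapped to a login name or display name;
# fix them in AD before clicking Synchronize Now.
$unmappable = @($preview | Where-Object { -not $_.Login -or -not $_.Display })
if ($unmappable.Count -gt 0) {
    Write-Host "Users missing $LoginField or ${DisplayField}:"
    $unmappable | Format-Table Login, Display, Team -AutoSize
}

# Users whose parent is not an OU (for example the default CN=Users container) have no
# team to synchronize into, because only OUs become teams.
$noTeam = @($preview | Where-Object { -not $_.InTeam })
if ($noTeam.Count -gt 0) {
    Write-Host "Users not under any OU:"
    $noTeam | Format-Table Login, Team -AutoSize
}

$preview | Format-Table Login, Display, Team, Disabled -AutoSize
```

Run it as a user with read access to the whole BaseDN; the output lists the OUs that will become teams and, for each user, the login name, display name, parent OU and disabled flag, so that empty fields and users living outside any OU can be corrected in the directory rather than discovered in the Import Result afterwards.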


Appendix: Obtain server connection information in a Windows environment

Appendix 1: Obtain BaseDN

  1. On a domain controller, open Active Directory Users and Computers. If the Attribute Editor tab does not appear in the steps below, turn on View > Advanced Features first.

  2. Open the properties of the root container that you want to synchronize. For instance, to synchronize all organizational units and users under chwl to PDS, open the properties of the chwl domain node.

  3. Right-click chwl, choose Properties, and go to the Attribute Editor tab.

  4. Locate the distinguishedName attribute, double-click it to open the String Attribute Editor, and copy the value, for example DC=chwl,DC=com.

Appendix 2: Obtain the administrator DN

  1. On a domain controller, open Active Directory Users and Computers.

  2. Locate the account that PDS will bind as. It must be able to read all organizational units and users under the BaseDN. Right-click it, choose Properties, and go to the Attribute Editor tab (turn on View > Advanced Features if the tab is missing).

  3. Locate the distinguishedName attribute, double-click it to open the String Attribute Editor, and copy the Value, for example CN=admin,DC=chwl,DC=com.
