
Administration - Active Directory


User management on the X1 Server can be used in combination with Microsoft's Active Directory® (AD) service. This service makes it possible to match user names and passwords with those in the Active Directory during login. Other user data, such as e-mail addresses and phone numbers, can also be copied from the Active Directory. This approach helps ensure that a company's security requirements are fulfilled.

Use the Active Directory menu in the Administration module to configure directory services for use with the X1 Server.

A separate Active Directory configuration is possible for every customer. Active Directory users can then be added to the users of this customer.

The user names and passwords of these users must be entered in the directory service beforehand.

The properties assigned to a user, such as name and e-mail address, are copied from the directory service to User Management, where they can be updated manually. In contrast to all other user data, the login name and password are not stored on the X1 Server and cannot be changed. When an Active Directory user logs on to the X1 Server, the entered login information is compared with the information in the directory service.

If the service is not available, it is not possible to log on.

A Customer can contain users of both types, Active Directory and Local. Local users can only be used on the X1 Server.

The Active Directory view provides an overview of the directory service configurations for all Customers.

Creating an Active Directory configuration


The Create button opens the Create Active Directory configuration wizard, which guides you through the configuration of an Active Directory for use with the X1 Server.

As soon as you save the configuration, you can assign the users of a Customer to users in the Active Directory.

Customer


On the Customer page, first select the Customer that should be able to use users from an Active Directory.

You can only assign one Active Directory to each Customer. Therefore, this page only displays Customers for which no Active Directory has been configured yet.

Settings


Enter a meaningful name and a description for the Active Directory configuration on the Settings page.

Configuration


Type

Choose whether your Active Directory has the type AD-DS (Domain Services) or AD-LDS (Lightweight Directory Services).

Hostname

Host name or IP address of the server where the Active Directory is installed.

Port

Port of the server where the Active Directory is installed (default: 389).

User

Name of the user to be used to log on to the Active Directory.

Password

Password of the user to be used to log on to the Active Directory.

Confirm Password

Confirmation (repetition) of the password of the user to be used to log on to the Active Directory.

Use SSL (StartTLS)

Select the checkbox Use SSL (StartTLS) to use SSL for data transfer.

If the checkbox Use SSL (StartTLS) is not selected (default setting), communication with the server where the Active Directory is installed is not encrypted. If you are sure that the Active Directory you want to use supports SSL, we recommend activating this option for security reasons.

Container

Node in the tree structure of the Active Directory that the X1 Server should use as the starting point to search for users.

The search for users is performed top-down within the Active Directory, that is, starting with the top entry and continuing to the bottom one. Users that lie above the specified container are not taken into account and therefore not displayed in User Management.

The syntax for the path specification uses the following notation:

CN=users,DC=my,DC=organization,DC=domain

You can see an example in the application Active Directory Users and Computers. To copy the container path, first right-click the folder icon with the required Organizational Unit. Then choose Properties from the context menu. A window appears, displaying the properties of the organizational unit. On the Attribute Editor tab, select the distinguishedName attribute and then click the View button. Copy the full text from the Value text field and paste it in the Container text field in the Active Directory wizard of the X1 Server. The Attribute Editor tab is only displayed if the Advanced Features option is active in the View menu.
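To check in advance which accounts a given Container value will cover, the distinguished names can be compared component by component. This is an added example, not X1 Server code: the function names and the sample user DNs are assumptions, and multi-valued RDNs joined with "+" are not handled.

```python
def split_dn(dn):
    """Split a DN into normalized (type, value) RDNs, honoring backslash escapes."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                  # the character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":              # an unescaped comma ends an RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not (sep and attr and value):
            raise ValueError(f"malformed RDN: {part!r}")
        # AD compares attribute types and values case-insensitively
        rdns.append((attr.strip().upper(), value.strip().lower()))
    return rdns

def in_container(user_dn, container_dn):
    """True if user_dn lies strictly below container_dn in the directory tree."""
    user, base = split_dn(user_dn), split_dn(container_dn)
    return len(user) > len(base) and user[-len(base):] == base

CONTAINER = "CN=users,DC=my,DC=organization,DC=domain"   # notation from the page
SAMPLE_USERS = [                                         # constructed sample DNs
    "CN=Alice,CN=users,DC=my,DC=organization,DC=domain",
    r"cn=Smith\, Anna,cn=Users,dc=my,dc=organization,dc=domain",
    "CN=Dave,DC=my,DC=organization,DC=domain",            # above the container
    r"CN=Eve,OU=x\,CN=users,DC=my,DC=organization,DC=domain",
]

def visible_users(users=SAMPLE_USERS, container=CONTAINER):
    """Return the DNs that a search starting at the container would include."""
    return [dn for dn in users if in_container(dn, container)]

if __name__ == "__main__":
    for dn in SAMPLE_USERS:
        print(in_container(dn, CONTAINER), dn)
```

The last sample DN ends with the container string but sits in an OU whose name contains an escaped comma, so a plain string-suffix comparison would wrongly count it as inside the container.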

Context Options

Select the appropriate context option.

Negotiate (Default)

Client authentication is performed using either Kerberos or NTLM. If the user name and password are not provided, the security context of the calling thread is used to bind the ADSI object. This is either the security context of the user account under which the application is being executed or that of the client user account whose identity is represented in the calling thread.

SimpleBind

Standard authentication is used for client authentication. Caution: If the SecureSocketsLayer option is not specified with a simple bind, communications may be sent over the Internet as plain text.

Signing

The integrity of the data is verified. This flag can only be used together with the negotiate context option. It is not available for simple binding options.

Sealing

Data encryption is performed using Kerberos. This flag can only be used together with the negotiate context option. It is not available for simple binding options.

ServerBind

Select this flag if you use the domain context type and want the application to create a bind for a specific server name.

The descriptions of the ContextOptions were taken from the Microsoft Developer Network®.
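The rules stated above for Use SSL (StartTLS) and the context options can be checked mechanically when reviewing configurations. This is an added example, not X1 Server code; the function names, finding codes and sample configurations are assumptions made for illustration.

```python
NEGOTIATE, SIMPLE_BIND, SIGNING, SEALING = "Negotiate", "SimpleBind", "Signing", "Sealing"

def audit_ad_config(use_ssl, context_options):
    """Return finding codes for one directory configuration (hypothetical checker)."""
    opts = set(context_options) or {NEGOTIATE}       # Negotiate is the default
    simple = SIMPLE_BIND in opts
    findings = []
    # Signing and Sealing can only be used together with Negotiate.
    for flag in (SIGNING, SEALING):
        if flag in opts and simple:
            findings.append(f"INVALID_{flag.upper()}_WITH_SIMPLEBIND")
    if simple and not use_ssl:
        # Simple bind without SSL: communications may be sent as plain text.
        findings.append("PLAINTEXT_SIMPLE_BIND")
    elif not simple and not use_ssl:
        if SEALING not in opts:                      # no SSL and no Kerberos encryption
            findings.append("NO_SSL_AND_NO_SEALING")
        if SIGNING not in opts:                      # no SSL and no integrity flag
            findings.append("NO_SSL_AND_NO_SIGNING")
    return findings

# Constructed sample configurations: name -> (use_ssl, context options)
SAMPLE_CONFIGS = {
    "wizard-default":   (False, [NEGOTIATE]),
    "simple-no-ssl":    (False, [SIMPLE_BIND]),
    "simple-with-ssl":  (True,  [SIMPLE_BIND]),
    "negotiate-sealed": (False, [NEGOTIATE, SIGNING, SEALING]),
    "bad-combination":  (True,  [SIMPLE_BIND, SEALING]),
}

def audit_all(configs=SAMPLE_CONFIGS):
    """Audit every sample configuration and return name -> finding codes."""
    return {name: audit_ad_config(ssl, opts) for name, (ssl, opts) in configs.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name:18} {', '.join(findings) or 'ok'}")
```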

Display

All Active Directory configurations are displayed in a List.

Editing an Active Directory configuration

The Edit icon opens the Edit Active Directory configuration view, in which all the configuration data can be changed – with the exception of the Customer.

Save saves the changes and returns to the overview of all Customers.

Copying an Active Directory configuration

The Copy icon copies all the data from an Active Directory configuration. You merely need to select a new Customer and a new name.

Wizard: Copy Active Directory configuration


Select a Customer and enter a meaningful name for the configuration.

Deleting an Active Directory configuration

The Remove icon deletes the Active Directory configuration.

When users have been copied from an Active Directory and that Active Directory's configuration is deleted, these users are also deleted automatically.

If users contained in an Active Directory have been entered as process owners or as the recipients of alerts, you are prompted to assign these tasks to another user before the configuration is deleted.