Hitachi

JP1 Version 12 JP1/Automatic Operation Configuration Guide 


3.2.1 Procedure to link with Active Directory

When linking with Active Directory, you can choose whether to link groups.

If you do not link groups, register the same user in both JP1/AO and Active Directory, and then use Active Directory to perform user authentication. There is no need to register a password in JP1/AO.

If you link groups, Active Directory groups registered as JP1/AO user groups are used. Therefore, create Active Directory groups to be registered as JP1/AO user groups as needed, and then add users who want to log in to JP1/AO to the Active Directory groups.

The table below describes the procedure to link with Active Directory. In a cluster system, make the settings the same on both the active server and the standby server.

Table 3‒4: Procedure to link with Active Directory

| Task | Do not link groups | Link groups | Reference |
|------|--------------------|-------------|-----------|
| 1. Register users in Active Directory. | Optional#1 | Optional#1 | 3.2.2 Registering users in Active Directory |
| 2. In the configuration file for external authentication server linkage, register information necessary for Active Directory linkage. | Required | Required | 3.2.3 Registering information in the configuration file for external authentication server linkage |
| 3. Evaluate the DIT structure of Active Directory, and then register LDAP search users or information in the configuration file for external authentication server linkage. | Required | Required | 3.2.4 Registering LDAP search information |
| 4. Set security for communication with the LDAP directory server. | Optional#2 | Optional#2 | 3.2.8 Security settings for communication with the LDAP directory server |
| 5. Execute the hcmds64checkauth command to confirm that JP1/AO can be linked with Active Directory by using the information registered in the configuration file for external authentication server linkage. | Required | Required | 3.2.5 Checking JP1/AO connection with Active Directory |
| 6. Register users in JP1/AO. It is not a problem to perform this task before task 1. | Required | Not required | 3.2.6 Registering user information in JP1/AO |
| 7. Assign roles to Active Directory groups. | Not required | Required | 3.2.7 Assigning roles to Active Directory groups |

#1: This task is not required if users that are registered in Active Directory log in to JP1/AO.

#2: This task is not required if "ldap" was specified as the protocol for connecting to the LDAP directory server.

Tip

A distinguished name (DN) registered in settings in the configuration file for external authentication server linkage cannot contain surrogate pair characters.

To link groups, the relative distinguished name (RDN) at the beginning of the DN of an Active Directory group must satisfy the conditions of the character code and character string length permitted for JP1/AO user groups.
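The two DN conditions in the tip above can be checked before a DN is written to the configuration file. The following Python sketch is an added example, not part of the Hitachi manual or of JP1/AO: it splits a DN on unescaped commas, decodes backslash and hex-pair escapes, flags any character outside the Basic Multilingual Plane (the characters that need a surrogate pair), and checks the length of the leading RDN value. The sample DNs are constructed, the function names are hypothetical, and max_group_len is an assumed parameter because this page does not state the JP1/AO user group length limit.

```python
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (backslash escapes kept intact)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape and the escaped character together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    return rdns

def rdn_value(rdn):
    """Return the unescaped value of a single-valued RDN, decoding \\XX hex pairs as UTF-8."""
    raw = rdn.partition("=")[2]
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and HEX_PAIR.fullmatch(raw[i + 1:i + 3]):
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        elif raw[i] == "\\" and i + 1 < len(raw):
            out += raw[i + 1].encode("utf-8")
            i += 2
        else:
            out += raw[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")

def check_dn(dn, max_group_len=None):
    """Return a list of problems; an empty list means the DN passed both checks."""
    problems, rdns = [], split_dn(dn)
    for rdn in rdns:
        bad = sorted({f"U+{ord(c):04X}" for c in rdn_value(rdn) if ord(c) > 0xFFFF})
        if bad:
            problems.append(f"{rdn!r}: surrogate pair character(s) {', '.join(bad)}")
    lead = rdn_value(rdns[0])  # the RDN at the beginning of the DN
    if max_group_len is not None and len(lead) > max_group_len:
        problems.append(f"leading RDN value is {len(lead)} characters, limit {max_group_len}")
    return problems

if __name__ == "__main__":
    # Constructed sample DNs; the second hides U+1F600 behind hex-pair escapes.
    for dn in ("CN=JP1AO-Admins,OU=Groups,DC=example,DC=com",
               r"CN=Team\F0\9F\98\80,OU=Groups,DC=example,DC=com"):
        print(dn, "->", check_dn(dn) or "OK")
```

Multi-valued RDNs (joined with "+") and the character code condition for user group names are not checked here, because this page does not define them.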