3.2.1 Procedure to link with Active Directory
To link with Active Directory, you choose whether to also link groups.
If you do not link groups, register the same user ID in both JP1/AO and Active Directory; Active Directory then performs user authentication, so no password needs to be registered in JP1/AO.
If you link groups, Active Directory groups are registered as JP1/AO user groups. Create the Active Directory groups to be registered as JP1/AO user groups as needed, and then add the users who will log in to JP1/AO to those Active Directory groups.
The table below describes the procedure to link with Active Directory. In a cluster system, make the settings the same on both the active server and the standby server.
| No. | Task | Do not link groups | Link groups | Reference |
|---|---|---|---|---|
| 1 | Register users in Active Directory. | Optional#1 | Optional#1 | |
| 2 | In the configuration file for external authentication server linkage, register the information needed for Active Directory linkage. | Required | Required | 3.2.3 Registering information in the configuration file for external authentication server linkage |
| 3 | Evaluate the DIT structure of Active Directory, and then register LDAP search users or information in the configuration file for external authentication server linkage. | Required | Required | |
| 4 | Set security for communication with the LDAP directory server. | Optional#2 | Optional#2 | 3.2.8 Security settings for communication with the LDAP directory server |
| 5 | Execute the hcmds64checkauth command to confirm that JP1/AO can link with Active Directory using the information registered in the configuration file for external authentication server linkage. | Required | Required | |
| 6 | Register users in JP1/AO. This task can also be performed before task 1. | Required | Not required | |
| 7 | Assign roles to Active Directory groups. | Not required | Required | |
- #1: This task is not required if the users who will log in to JP1/AO are already registered in Active Directory.
- #2: This task is not required if "ldap" was specified as the protocol for connecting to the LDAP directory server. Note that a plain "ldap" connection is not encrypted, so consider task 4 whenever the network path between JP1/AO and the directory server is not otherwise protected.
- Tip: A distinguished name (DN) registered in the configuration file for external authentication server linkage cannot contain surrogate pair characters (characters outside the Basic Multilingual Plane, which UTF-16 encodes as two code units). To link groups, the relative distinguished name (RDN) at the beginning of the DN of an Active Directory group must also satisfy the character code and string length conditions permitted for JP1/AO user group names.
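The following pre-flight check is an added example, not code from the JP1/AO documentation or product. It applies the two Tip constraints to a DN before it is written into the configuration file for external authentication server linkage: it rejects any surrogate pair character in the DN, and, when groups are linked, it parses the leading RDN (respecting RFC 4514 backslash escapes) and checks its value against a length limit and a character set. The page does not state JP1/AO's actual user group name rules, so `MAX_RDN_LEN` and `ALLOWED_RDN_CHARS` are assumed placeholders to replace with the values from the JP1/AO manual; the sample DNs are constructed for the example.

```python
# Added example (not part of JP1/AO): pre-flight check for DNs going into the
# configuration file for external authentication server linkage.
# MAX_RDN_LEN and ALLOWED_RDN_CHARS are assumptions; take the real limits
# for JP1/AO user group names from the JP1/AO manual.
import re

MAX_RDN_LEN = 64                                        # assumption: replace with the JP1/AO limit
ALLOWED_RDN_CHARS = re.compile(r"^[A-Za-z0-9 _.\-]+$")  # assumption: replace with the JP1/AO rule


def has_surrogate(text):
    """True if any character is outside the BMP (needs a UTF-16 surrogate pair)
    or is a lone surrogate code point (U+D800..U+DFFF) left over from a bad decode."""
    return any(ord(ch) > 0xFFFF or 0xD800 <= ord(ch) <= 0xDFFF for ch in text)


def split_dn(dn):
    """Split an RFC 4514 DN on commas that are not escaped with a backslash.
    Escape sequences are kept verbatim in the returned components."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    parts.append("".join(buf).strip())
    return parts


def leading_rdn(dn):
    """Return (attribute, value) of the first RDN, e.g. ('CN', 'JP1AO Operators')."""
    first = split_dn(dn)[0]
    attr, sep, value = first.partition("=")
    if not sep or not attr.strip() or not value:
        raise ValueError(f"malformed leading RDN: {first!r}")
    return attr.strip(), value


def check_dn(dn, link_groups=True):
    """Return a list of problems found in dn; an empty list means the DN passes."""
    problems = []
    if has_surrogate(dn):
        problems.append("DN contains a surrogate pair character")
    if link_groups:
        try:
            _, value = leading_rdn(dn)
        except ValueError as exc:
            problems.append(str(exc))
            return problems
        if len(value) > MAX_RDN_LEN:  # assumption: limit is counted in characters
            problems.append(f"leading RDN value longer than {MAX_RDN_LEN} characters")
        if not ALLOWED_RDN_CHARS.match(value):
            problems.append("leading RDN value uses characters not allowed for a JP1/AO user group name")
    return problems


if __name__ == "__main__":
    # Constructed sample DNs, not taken from any real directory.
    samples = [
        "CN=JP1AO Operators,OU=Groups,DC=example,DC=com",
        "CN=Sales\\, EMEA,OU=Groups,DC=example,DC=com",     # escaped comma stays inside the RDN
        "CN=Ops \U0001F600,OU=Groups,DC=example,DC=com",    # emoji is a surrogate pair in UTF-16
        "CN=" + "A" * (MAX_RDN_LEN + 1) + ",DC=example,DC=com",
    ]
    for dn in samples:
        found = check_dn(dn)
        print(f"{dn[:40]:<42} {'OK' if not found else '; '.join(found)}")
```

Run it with `link_groups=False` to apply only the surrogate-pair rule, which is all that matters when groups are not linked. The splitter deliberately keeps the `\,` escape in the RDN value so that a group name containing a comma is judged on what Active Directory actually stores, not on a truncated prefix.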