1.15 Linking with Active Directory
By linking with Active Directory, you can use the users and groups managed by Active Directory in JP1/AO. Note that you can only link with Active Directory when JP1/AO uses Active Directory as the LDAP directory server.
To link with Active Directory, you need to enter the appropriate settings in the configuration file for external authentication server linkage. You can add users or register users and accounts for LDAP search in Active Directory as needed.
When linking with Active Directory, you can select whether to enable group linkage. The available functionality differs depending on whether groups are linked.
When not using group linkage
Active Directory is responsible for user authentication.
Adding and removing users to and from user groups takes place in JP1/AO.
The same users must be added in JP1/AO and Active Directory. You do not need to set passwords for these users in JP1/AO.
When using group linkage
Active Directory is responsible for user authentication.
You add groups in Active Directory for use as JP1/AO user groups. Adding and removing users to and from user groups takes place in Active Directory.
Therefore, you do not need to add users in JP1/AO.
Next, the information you need to register in advance and the flow of user authentication are described for a situation in which group linkage is used, and a situation in which it is not.
When not using group linkage
When adding users who will log in to JP1/AO, make sure that the user ID in JP1/AO matches the user ID in Active Directory. Passwords need only be registered in Active Directory, and do not need to be managed in JP1/AO.
If LDAP is specified as the authentication method in the JP1/AO user information for a user who logs in to JP1/AO, the login process uses the information managed by Active Directory.
The following figure shows the flow of user authentication when using Active Directory linkage but not group linkage:
|
![[Figure]](GRAPHICS/F0000100.GIF)
When using group linkage
You can manage Active Directory groups as JP1/AO user groups. This means that you do not need to add users in JP1/AO who are already registered in Active Directory groups. By assigning service groups to an Active Directory group, you can make the resources available to the users in the Active Directory group.
If user information is not registered in JP1/AO when a user logs in to JP1/AO, the login process references the user information in Active Directory.
The following figure shows the flow of user authentication when using Active Directory linkage and group linkage:
|
![[Figure]](GRAPHICS/F0000052.GIF)