Add an Active Directory IDMS
The Active Directory IDMS does not store any user passwords. For every authentication request, it forwards a request via LDAP to Active Directory for verification. If the verification is successful, the user is logged in.
Users and group memberships from Active Directory sync every 60 minutes.
- User LDAP Filter.
(memberOf=cn=cloudtamer-users,ou=groups,ou=cloudtamer,dc=example,dc=com). Only users that are a member of the cloudtamer-users LDAP group will be imported into Kion.
- Group LDAP Filter.
(memberOf=cn=cloudtamer-groups,ou=groups,ou=cloudtamer,dc=example,dc=com). Only groups that are a member of the cloudtamer-groups LDAP group will be imported into Kion.
dc=example,dc=com. This is the base DN for all LDAP requests.
Adding an Active Directory IDMS
- Navigate to Users > Identity Management Systems.
- Click Add New.
- Select Active Directory as the IDMS type.
- Enter a name to describe the IDMS. Users see this name when selecting the IDMS on the Kion login page.
- For the Username, enter the distinguished name of a user that can bind to LDAP to verify passwords.
- For the Password, enter the password for the username above.
- For the Hostname, enter the hostname or the IP address of your LDAP server. You can enter more than one hostname or IP by separating the entries with a comma.
- For the Port, enter the port on which to communicate with your LDAP server. This is typically 389 for LDAP and 636 for LDAPS.
- Enable the SSL option to use LDAPS
- For the User LDAP Filter, enter an LDAP filter to use to determine if the user should be imported to Kion.
- For the Group LDAP Filter, enter an LDAP filter to use to determine if a group should be imported to Kion.
- For the DN, enter the base DN for all LDAP requests. This should be included in the LDAP filters above.
- (Optional) Enter a custom attribute for the username filter.
- (Optional) Enter a custom attribute for the email filter.
- Test the connection with the Test Active Directory Connection button.
- Click Create IDMS.
For information about enabling single sign-on with your Active Directory account, see Active Directory SSO Integration.
It is considered best practice to automatically assign permissions to users using group assertions. This helps ensure that appropriate permissions are always applied. For more information, see Active Directory Group Assertions.