Legacy Active Directory User Guide - Version 6
Improvements have been made in version 7. Refer to the Quick Active Directory and OpenLDAP User Guide for more information.
This article describes how to use Active Directory with Password Manager.
In this article, we will assume that Mr Smith has an Active Directory server with srv.local as its domain, two groups (Finance and HR), and with two users (sbrown who belongs to Finance, and blee who belongs to HR).
Adding a User Directory
The first step is to add a User Directory entry in the Users & Roles > Active Directory / LDAP tab. On this page, you can create a new entry by pressing the Add New Active Directory / LDAP Server button. This will take you to a page where you will be asked to enter the following fields:
- Directory Identifier: This field is appended to the username of users imported from this directory. Usually, the Active Directory domain name is used for this field, although any unique string can be used. For example, Mr Smith can use main as the value.
- Directory Host: This field is used as the domain of the Active Directory server. For example, Mr Smith will use srv.local as the value. If the host is set to the value DC, the user's current domain server will be used.
- Directory Path: This field is used as the path from which to import users. For example, Mr Smith might type in CN=Users,OU=MainBranch,DC=srv,DC=local to import users from that particular path. If the path is left empty, the whole domain will be considered.
- Enable Automatic User Import: This field, when checked, allows a user from the directory to be added automatically upon their first login attempt. See the Logging In section for details. For now, Mr Smith will enable this option.
Importing Groups
Importing groups is not necessary in order to import users, but it does allow you to conveniently create and assign roles to users. Groups can be imported by going to the Users & Roles > Roles tab and clicking the Import Groups from an Active Directory / LDAP Server button. From this page, you can select the directory and enter your username and password for the directory.
Once you have specified these fields, you can press the Get Group List button to retrieve the list of groups. Note that no groups will actually be added at this point. Instead, they will be shown in a table on the bottom of the page. You can mark the checkbox beside the groups you wish to import, select the Assign Roles to Imported Users checkbox if you wish to automatically assign roles to imported users who belong to this directory, and import the groups by pressing the Import Groups button.
For example, Mr Smith might see Finance and HR in the table, enable assigning roles to imported users and import both of them. If the groups were successfully imported, you will be able to see them by clicking the Users & Roles > Roles tab.
Importing Users
Users can be imported by going to the Users & Roles > Users tab and clicking the Import Users from an Active Directory / LDAP Server button. From this page, you can select the directory and enter your username and password for the directory. There is also a Use grouped import checkbox which, if selected, treats the path of the directory specified as a group and loads users from its members property rather than from its descendants.
Once you have specified these fields, you can press the Get User List button to retrieve the list of users. Note that no users will actually be added at this point. Instead, they will be shown in a table on the bottom of the page. You can mark the checkbox beside the users you wish to import and import them by pressing the Import Users button.
For example, Mr Smith might see sbrown and blee in the table, and decide to import only sbrown. Since sbrown belongs to the Finance group and automatic role assignment has been enabled, sbrown will automatically be granted the Finance role. If the users were successfully imported, you will be able to see them by clicking the Users & Roles > Users tab.
Logging In
An Active Directory user who has already been imported can log in using their Active Directory username, with or without the identifier appended to it, and their Active Directory password.
For example, sbrown, who was imported in the previous section, can log in as either sbrown or sbrown@main.
An Active Directory user who has not been imported, but who belongs to a directory with the automatic user import option enabled, must initially log in using their Active Directory username with the identifier appended to it.
For example, blee, who was not imported in the previous step, must log in as blee@main. Upon this first login, he will be added as a user, and can in the future log in as just blee. As with sbrown, blee will automatically be granted the HR role.
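The login, automatic-import and role-assignment rules above, modelled on Mr Smith's setup as an added example (this is illustrative code, not Password Manager's own implementation). The in-memory directory, the passwords and the rule that a username imported from more than one directory is ambiguous without its identifier are assumptions made for the example:

```python
from dataclasses import dataclass, field

@dataclass
class Directory:
    identifier: str          # Directory Identifier, e.g. "main"
    auto_import: bool        # "Enable Automatic User Import" checkbox
    assign_roles: bool       # "Assign Roles to Imported Users" chosen at group import
    groups: dict             # group name -> set of member usernames (constructed sample)
    passwords: dict          # username -> password; stands in for the AD bind (constructed)

    def authenticate(self, username, password):
        # Stand-in for checking the credentials against the Active Directory server.
        return self.passwords.get(username) == password

@dataclass
class PasswordManager:
    directories: dict                              # identifier -> Directory
    users: dict = field(default_factory=dict)      # "user@identifier" -> set of roles

    def import_user(self, directory, username):
        # Roles are granted from group membership only if role assignment was enabled.
        roles = set()
        if directory.assign_roles:
            roles = {g for g, members in directory.groups.items() if username in members}
        self.users[f"{username}@{directory.identifier}"] = roles
        return roles

    def login(self, login, password):
        """Return the user's (possibly empty) role set on success, or None if rejected."""
        username, _, ident = login.partition("@")
        if ident:
            directory = self.directories.get(ident)
        else:
            # No identifier: only an already-imported user can be matched this way.
            # Assumption: the same name imported from several directories is ambiguous.
            matches = [d for d in self.directories.values()
                       if f"{username}@{d.identifier}" in self.users]
            directory = matches[0] if len(matches) == 1 else None
        if directory is None or not directory.authenticate(username, password):
            return None
        key = f"{username}@{directory.identifier}"
        if key in self.users:
            return self.users[key]
        if directory.auto_import:      # first login of a not-yet-imported user
            return self.import_user(directory, username)
        return None

def build_example():
    # Mr Smith's setup from the guide; the passwords are constructed sample values.
    main = Directory("main", True, True,
                     {"Finance": {"sbrown"}, "HR": {"blee"}},
                     {"sbrown": "pw-sbrown", "blee": "pw-blee"})
    pm = PasswordManager({"main": main})
    pm.import_user(main, "sbrown")     # sbrown imported by hand, blee not yet
    return pm
```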