
AD Authentication

Version: ZStack 3.8.0

Issue: V3.8.0

in Enterprise Management Tutorial


Copyright Statement

Copyright © 2020 Shanghai Yunzhou Information and Technology Ltd. All rights reserved.

Without its written consent, no organization or individual may extract or copy any part or all of this documentation, or disseminate its contents in any manner.

Trademark

Shanghai Yunzhou Information and Technology Ltd. reserves all rights to its trademarks, including but not limited to ZStack and other trademarks in connection with Shanghai Yunzhou Information and Technology Ltd. Other trademarks or registered trademarks presented in this documentation are owned or controlled solely by their respective proprietors.

Notice

The products, services, or features that you purchased are all subject to the commercial contract and terms of Shanghai Yunzhou Information and Technology Ltd., and any part or all of the foregoing described in this documentation may not be within the scope of your purchase or use. Unless there are additional conventions, Shanghai Yunzhou Information and Technology Ltd. does not make any implicit or explicit statement or warranty on the contents of this documentation.

In the event of product version upgrades or for other reasons, the contents of this documentation will be updated and released irregularly. Unless there are additional conventions, this documentation is intended solely as a user manual and does not make any implicit or explicit warranty on any of its statements, information, or suggestions.


Contents

Copyright Statement
1 Introduction
2 Preparations
3 Add an AD Server
4 3rd Party User Login
Glossary


1 Introduction

The 3rd Party Authentication service integrates 3rd party login authentication systems with the platform. After authentication, the related 3rd party users can log in to the platform and use cloud resources directly. Currently, you can add an AD server or an LDAP server to the platform.

• AD Authentication:

Active Directory (AD) is a directory service that runs on Windows Server (Standard, Enterprise, and Datacenter editions). The AD service provides a standard, centralized login authentication system for increasingly diverse enterprise applications.

After an AD server is added, the related AD users and organizations can be synchronized to the platform. These AD users can then log in to the platform with their existing accounts and passwords, according to the specified login attribute.


2 Preparations

Before you add an AD server, make the following preparations:

• Make the AD server ready. You can configure a primary and a secondary AD server; the platform switches between them seamlessly.

• Install the latest version of ZStack.

• The 3rd Party Authentication function depends on the Enterprise Management module. Make sure that the related license is available.


3 Add an AD Server

Context

The basic steps to add an AD server are as follows:

1. Configure the AD server: Set basic information and configuration information about the AD server.

2. Synchronize mapping rules: Set the login attribute, and the user/organization mapping between AD and the platform.

3. Confirm and submit the configurations: Check the configured information about the AD server. Note that you can go back to the previous step by clicking the Edit icon to modify the configurations.

The following is an example of adding an AD server to the platform.

Table 3-1: AD server configuration

Parameter                   Example Value
Primary Server IP/Domain    172.20.198.187
SSL/TLS Encryption          Supported
Primary Port                636
Base DN                     dc=adtest,dc=zs
User DN                     CN=Administrator,CN=Users,DC=adtest,DC=zs
Password                    password
Filter Rule                 (&(name=filterName)(description=departure))

Table 3-2: User mapping rule

Platform Parameter    AD Parameter
Login Attribute       cn
User Name             cn
Name                  name
Phone Number          telephoneNumber
Mail                  mail
Identifier            employeeID
Description           description

Table 3-3: Organization mapping rule

Platform Parameter    AD Parameter
Mapping Type          Group
Name                  cn
Description           description

Procedure

1. Configure the AD server: Configure basic information about the AD server.

a) In the left-side pane of ZStack Private Cloud, choose Advanced Function > Enterprise Management > 3rd Party Authentication.

b) Click Add AD/LDAP Server.

c) In the Server Type field, select AD.

d) Configure the following parameters:

• Basic Information

▬ Name: Enter a name for the AD server.

▬ Description: Optional. Enter a description of the AD server.

▬ Primary Server IP/Domain: Enter the IP address or domain name of the primary server.

▬ SSL/TLS Encryption: Specify whether to enable SSL/TLS encryption. The checkbox is selected by default.

■ When selected, SSL/TLS encryption is enabled, and the port number is 636 (LDAPS) by default. You can customize the port number as needed.

■ When deselected, SSL/TLS encryption is not enabled, and the port number is 389 by default. You can customize the port number as needed. Note that without SSL/TLS the bind password of the user DN, and the passwords that 3rd party users enter when logging in to the platform, are sent to the AD server in cleartext, so keep the checkbox selected except in an isolated test environment.

▬ Primary Port: Enter the port number of the primary server.

▬ Secondary Server IP/Domain: Optional. Enter the IP address or domain name of the secondary server.

▬ Secondary Port: Optional. Enter the port number of the secondary server.


• Configuration

▬ Base DN: Enter the base DN. It specifies the point in the directory tree from which the platform searches for AD users and organizations.

▬ User DN: Enter the user DN. It specifies the account that the platform binds with to search for all users under the base DN. Read access to the base DN is sufficient for this search, so a dedicated read-only account is preferable to a domain administrator such as the Administrator account used in Table 3-1.

▬ Password: Enter the login password of the account specified by the user DN.

▬ Filter Rule: Set the filter rule. Only the entries under the base DN that match the filter are synchronized; entries that do not match are left out.

Note:

• The maximum length of the filter rule is determined by the AD server configuration. A filter rule longer than the allowed length is invalid.

• The syntax of the filter rule is the AD (LDAP) search filter syntax. For example, the filter rule (&(name=Bob)(description=departure)) matches the user or users under the base DN whose name is Bob and whose description is departure, and only those users are synchronized. For more information about the AD filter rule syntax, see the Microsoft website.

▬ Test Connection: Test the connection between the AD server and the platform.

■ If the connection succeeds, click Next for further steps.

■ If the connection fails, modify the configuration and test the connection again until the connection succeeds.

■ You can also skip Test Connection and directly click Next. The system tests the connection automatically and goes to the next step if the connection succeeds.

As shown in Figure 3-1: Configure AD server.


Figure 3-1: Configure AD server
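The filter rule in Table 3-1 decides exactly which accounts the platform synchronizes, so it is worth evaluating offline before pointing the platform at a production directory. The following Python script is an added example written for this page, not code from the tutorial or from ZStack: it implements the subset of the AD/LDAP filter syntax the note above refers to ((&...), (|...), (!...), (attr=value), the * wildcard and presence tests) against a constructed list of directory entries, and it shows the escaping that RFC 4515 requires when a value such as the filterName placeholder is filled in from user input. SAMPLE_ENTRIES, build_user_filter and the other helper names are assumptions for illustration.

```python
import re

# RFC 4515: these characters must be hex-escaped when they appear literally in a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string that is about to be spliced into a filter as a literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(name: str) -> str:
    """Table 3-1 filter with the name filled in at run time (hypothetical helper, not ZStack's)."""
    return "(&(name=%s)(description=departure))" % escape_filter_value(name)


def parse_filter(text: str):
    """Parse the subset of RFC 4515 used here: (&...), (|...), (!...) and (attr=value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! filter")
        return ("!", [kid]), i + 1
    # Simple item: a literal ')' inside a value must be escaped as \29, so the
    # first raw ')' closes the item.
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not attr or sep != "=":
        raise ValueError("bad filter item %r" % s[i:end])
    return ("=", attr.lower(), value), end + 1


def _unescape(chunk: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), chunk)


def _value_matches(pattern: str, actual: str) -> bool:
    """AD string attributes compare case-insensitively; a raw '*' is a wildcard."""
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), actual, re.IGNORECASE | re.DOTALL) is not None


def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":                       # presence test: (attr=*)
        return bool(values)
    return any(_value_matches(pattern, v) for v in values)


def select(filter_text: str, entries) -> list:
    """Return the entries under the base DN that the filter rule would let the platform synchronize."""
    tree = parse_filter(filter_text)
    return [e for e in entries if matches(tree, e)]


# Constructed sample of what a search under dc=adtest,dc=zs might return (not real directory data).
SAMPLE_ENTRIES = [
    {"cn": ["Bob"], "name": ["Bob"], "description": ["departure"], "mail": ["bob@example.com"]},
    {"cn": ["Bob"], "name": ["Bob"], "description": ["senior developer"]},
    {"cn": ["Tom"], "name": ["Tom"], "description": ["departure"]},
    {"cn": ["svc-sync"], "name": ["svc-sync"]},   # service account without a description
]

if __name__ == "__main__":
    print(select("(&(name=Bob)(description=departure))", SAMPLE_ENTRIES))
    print(select("(&(name=*)(description=departure))", SAMPLE_ENTRIES))  # raw '*' spliced in
    print(select(build_user_filter("*"), SAMPLE_ENTRIES))                # same input, escaped
```

Running it shows that (&(name=Bob)(description=departure)) selects exactly one of the two Bob entries, and that splicing a raw * into the name position widens the filter to every user whose description is departure, whereas the escaped form \2a matches only a literal asterisk. The same escaping applies to any other value you build a filter from, since an unescaped ) or * changes the meaning of the whole filter.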

2. Synchronize mapping rules: Set the login attribute, and the user/organization mapping between AD and the platform.

Configure the following parameters:

• Login Attribute (for AD Authentication): Set the login attribute. It determines which AD attribute value a synchronized AD user enters as the user name when logging in to the platform. For example, if the cn attribute is mapped as the login attribute, a synchronized AD user logs in to the platform with the value of cn in AD (for example, Bob). Note that cn is unique only within its container in AD, whereas sAMAccountName and userPrincipalName are unique across the domain.

• User Mapping: Set the user mapping between AD and the platform.

▬ User Name: Set the mapping of the user name between AD and the platform. For example, if the cn attribute is mapped as the user name, a synchronized AD user gets the value of cn in AD (for example, Bob) as its user name in the platform.

Note:

• The user name in the platform must be unique.

• If the user name is identical to an existing one, a random code is appended to the user name of the synchronized AD user.

▬ Name: Set the mapping of the name between AD and the platform. For example, if the name attribute is mapped as the name, a synchronized AD user gets the value of name in AD (for example, Tom) as its name in the platform.

▬ Phone Number: Optional. Set the mapping of the phone number between AD and the platform. For example, if the telephoneNumber attribute is mapped as the phone number, a synchronized AD user gets the value of telephoneNumber in AD (for example, 13800000000) as its phone number in the platform.

▬ Mail: Optional. Set the mapping of the email address between AD and the platform. For example, if the mail attribute is mapped as the email address, a synchronized AD user gets the value of mail in AD as its email address in the platform.

▬ Identifier: Optional. Set the mapping of the identifier between AD and the platform. For example, if the employeeID attribute is mapped as the identifier, a synchronized AD user gets the value of employeeID in AD (for example, 001) as its identifier in the platform.

▬ Description: Optional. Set the mapping of the description between AD and the platform.


For example, if the description attribute is mapped as the description, a synchronized AD user gets the value of description in AD (for example, senior developer) as its description in the platform.

▬ Custom Attributes: Customize the user attributes. You can add up to 5 custom attributes at one time.

Examples:

• System User Attribute: Set the system user attribute. It may duplicate one of the attributes mapped above. For example, if the employeeID attribute is mapped as the system user attribute, a synchronized AD user gets the value of employeeID in AD (for example, 001) as its system user attribute in the platform.

• AD/LDAP User Attribute: Set the AD user attribute. For example, if the cn attribute is mapped as the AD user attribute, a synchronized AD user gets the value of cn in AD (for example, Bob) as its AD user attribute in the platform.

• Organization Mapping: Set the organization mapping between AD and the platform. The AD organizations under the base DN can be synchronized to the platform by Group or by OU.

▬ Synchronize Organization Mapping: Specify whether to synchronize organizations according to the organization mapping rule. This checkbox is deselected by default.

■ When deselected, AD organizations are not synchronized to the platform when the AD server is added.

■ When selected, the AD organizations under the base DN are synchronized to the platform.

▬ Mapping Type: Select the organization mapping type.

■ Group: AD groups under the base DN are treated as organizations and synchronized to the platform. (Recommended)

■ OU: AD organizational units (OUs) under the base DN are treated as organizations and synchronized to the platform.

▬ Name: Set the mapping of the organization name between AD and the platform.


For example, if the cn attribute is mapped as the organization name, a synchronized AD organization gets the value of cn in AD (for example, development department) as its organization name in the platform.

▬ Description: Optional. Set the mapping of the organization description between AD and the platform. For example, if the description attribute is mapped as the organization description, a synchronized AD organization gets the value of description in AD (for example, backend development department) as its organization description in the platform.

• Next: Click Next. The system then tests the configurations automatically and synchronizes the mapping rule if the test succeeds.

▬ If the test fails, modify the configurations and click Next to perform the test again until the test succeeds.

As shown in Figure 3-2: Synchronize mapping rules.

Figure 3-2: Synchronize mapping rules


3. Confirm and submit the configurations.

Check the configured information about the AD server. Note that you can go back to the previous step by clicking the Edit icon to modify the configurations.

As shown in Figure 3-3: Confirm and submit.

Figure 3-3: Confirm and submit

What's next

• After the AD server is added, the admin, platform admin, and platform members can view the synchronized users and organizations.


As shown in Figure 3-4: 3rd Party Users and Figure 3-5: Organization.

Figure 3-4: 3rd Party Users

Figure 3-5: Organization

• The admin, platform admin, and platform members can perform the following operations on the AD server:

▬ Test Connection: Test the connection between the AD server and the platform. If the connection fails, troubleshoot the issue according to the following possible reasons:

• The AD server cannot be reached at the configured IP/port. Check whether the AD server is available and whether its IP address or port has changed.

• Binding with the user DN and password failed. Use a user DN that still exists under the base DN together with its current password; if the password was rotated in AD, update it in Modify Configuration.


▬ Modify Synchronized Mapping Rule: Modify the synchronized user mapping rule and the organization mapping rule.

■ The modified mapping rule takes effect when the AD server is synchronized next time.

■ You can click Synchronize or enable Auto Synchronize to trigger the AD server synchronization.

▬ Synchronize: Synchronize the AD server.

■ When triggered, the latest user list and organizations are synchronized.

■ After synchronization, users that no longer exist in AD are put in the deleted state and can no longer log in to the platform.

▬ Delete: Delete the AD server.

■ If you delete the AD server, the corresponding users and organizations are also deleted. Please exercise caution.

▬ Modify Configuration: Modify the configurations, including the base DN, user DN, password, and filter rule.

■ If the configurations are modified, the AD server is updated according to the latest configurations. Please exercise caution.

■ The modified configurations take effect when the AD server is synchronized next time.

■ You can click Synchronize or enable Auto Synchronize to trigger the AD server synchronization.

■ After synchronization, users that no longer exist in AD are put in the deleted state and can no longer log in to the platform.

As shown in Figure 3-6: Modify Configuration.


Figure 3-6: Modify Configuration

▬ Auto Synchronize: Automatically synchronize the latest user list and organizations according to the specified synchronization cycle.

■ If enabled, the latest user list and organizations are synchronized according to the specified synchronization cycle.

■ After synchronization, users that no longer exist in AD are put in the deleted state and can no longer log in to the platform.

As shown in Figure 3-7: Auto Synchronize.


Figure 3-7: Auto Synchronize

▬ Convert to Local User: Convert users in the deleted state to local users.

■ The converted local users inherit their original data. For example, they inherit their original permissions in certain projects.

■ The converted local users can log in to the platform again after their passwords are changed.
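The Test Connection operation and the two failure reasons in its troubleshooting list come down to one LDAPv3 exchange: the platform opens a TCP connection (wrapped in TLS when SSL/TLS Encryption is selected) to the primary server and sends a simple bind with the user DN and password, and the server answers with a result code. The following Python script is an added example written for this page, not code from the tutorial or from ZStack: it builds that BindRequest byte for byte from the Table 3-1 parameters, decodes the BindResponse, and maps the result code and AD's data sub-code onto the troubleshooting reasons. It uses only the standard library. The host name ad.adtest.zs, the helper names and the two sample responses are assumptions (the responses are constructed, not captured from a server); the AD data sub-codes are the well-known values AD places in its diagnostic message.

```python
import re
import socket
import ssl

# --- Minimal BER (definite length) encoding, enough for an LDAPv3 simple bind (RFC 4511) ---

def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    # shortest two's-complement encoding that keeps the sign bit clear for positive values
    return ber_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, authentication simple } }."""
    inner = (ber_int(3)
             + ber_tlv(0x04, bind_dn.encode("utf-8"))     # name: LDAPDN as OCTET STRING
             + ber_tlv(0x80, password.encode("utf-8")))   # simple [0] IMPLICIT OCTET STRING
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x60, inner))  # [APPLICATION 0]


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Encode a BindResponse as a server would; used here only to build constructed samples."""
    body = (ber_tlv(0x0A, bytes([result_code]))      # resultCode ENUMERATED (LDAP codes are < 128)
            + ber_tlv(0x04, b"")                       # matchedDN
            + ber_tlv(0x04, diagnostic.encode("utf-8")))
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x61, body))   # [APPLICATION 1]


def _tlv(buf: bytes, pos: int):
    """Read one tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(pdu: bytes) -> dict:
    tag, msg, _ = _tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(msg, 0)
    tag, body, _ = _tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = _tlv(body, 0)
    _, matched, pos = _tlv(body, pos)
    _, diag, _ = _tlv(body, pos)
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode("utf-8", "replace"),
            "diagnostic": diag.decode("utf-8", "replace")}


# LDAP result codes (RFC 4511) and the "data NNN" sub-codes that AD appends to the diagnostic
# message of an invalidCredentials response; both sets of values are well known.
RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials", 53: "unwillingToPerform"}
AD_DATA_CODES = {"525": "user not found", "52e": "invalid credentials", "530": "logon time restriction",
                 "532": "password expired", "533": "account disabled", "701": "account expired",
                 "773": "user must reset password", "775": "account locked out"}


def explain(result: dict) -> str:
    """Turn a parsed BindResponse into the hint the troubleshooting list asks for."""
    text = RESULT_CODES.get(result["result_code"], "resultCode %d" % result["result_code"])
    m = re.search(r"\bdata ([0-9a-f]{3})\b", result["diagnostic"])
    if m and m.group(1) in AD_DATA_CODES:
        text += " (" + AD_DATA_CODES[m.group(1)] + ")"
    return text


def check_connection(host: str, port: int, bind_dn: str, password: str, use_tls: bool = True) -> dict:
    """Bind like the platform's Test Connection: LDAPS on 636 by default, cleartext LDAP on 389."""
    sock = socket.create_connection((host, port), timeout=5)
    if use_tls:
        ctx = ssl.create_default_context()                  # verifies the AD certificate chain and
        sock = ctx.wrap_socket(sock, server_hostname=host)  # that host matches it: use a DNS name
    with sock:
        sock.sendall(bind_request(1, bind_dn, password))
        return parse_bind_response(sock.recv(4096))          # a BindResponse fits in one read


# Constructed sample responses (not captured from a real server).
SAMPLE_OK = bind_response(1, 0)
SAMPLE_BAD_PASSWORD = bind_response(1, 49, "AcceptSecurityContext error, data 52e, v2580")

if __name__ == "__main__":
    req = bind_request(1, "CN=Administrator,CN=Users,DC=adtest,DC=zs", "password")
    print(req.hex())   # the bind password is plainly visible: this is what port 389 puts on the wire
    print(explain(parse_bind_response(SAMPLE_BAD_PASSWORD)))
    # Live check against the Table 3-1 server (hypothetical host name):
    # print(explain(check_connection("ad.adtest.zs", 636, "CN=Administrator,CN=Users,DC=adtest,DC=zs", "password")))
```

Dumping the request shows why the SSL/TLS checkbox matters: the password sits in the PDU as an ordinary octet string, so on port 389 anyone on the path can read it. The live check_connection helper verifies the server certificate against the system trust store and requires the Primary Server IP/Domain value to match that certificate, which is a reason to enter the domain name rather than an IP address there. A result of invalidCredentials with data 52e is the second troubleshooting reason (wrong user DN or password); data 775 or 533 means the bind account itself is locked out or disabled in AD, which the platform cannot fix from its side.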


4 3rd Party User Login

3rd party users can log in to the platform as follows.

1. Open Chrome or Firefox and enter http://your_machine_ip:5000/#/project.

2. Select AD/LDAP User, and enter the corresponding user name and password to log in to the platform.

Note:

• 3rd party users have the same permissions as local users. For example, you can add 3rd party users to a project or department, or configure permissions for them.

• Before a 3rd party user can work like a local user, make sure that the user is added to a project and granted the relevant permissions. Otherwise, a blank page is displayed when the user logs in to the platform.

As shown in Figure 4-1: AD/LDAP User Log In.

Figure 4-1: AD/LDAP User Log In


Glossary

Zone
A zone is the largest resource scope defined in ZStack, covering resources such as clusters, L2 networks, and primary storages.

Cluster
A cluster is the logical collection of a group of hosts (compute nodes). All hosts in the cluster must have the same operating system, the same network configuration, and be able to access the same primary storage. In a physical data center, a cluster usually refers to a rack.

Management Node
A management node is a host with an operating system installed that provides UI management and cloud platform deployment.

Compute Node
A compute node is a physical server (also known as a host) that provides VM instances with compute, network, and storage resources.

Primary Storage
A primary storage is a storage server used to store the disk files of VM instances. Local storage, NFS, Ceph, Shared Mount Point, and Shared Block are supported.

Backup Storage
A backup storage is a storage server used to store image template files. Image store, SFTP (Community Edition), and Ceph are supported. We recommend that you deploy backup storage separately.

Image Store
Image Store is a type of backup storage. You can use Image Store to create images from VM instances that are in the running state and to manage image version updates and releases. Image Store allows you to quickly upload, download, and export images, and to create image snapshots as needed.


VM Instance
A VM instance is a virtual machine instance running on a host. A VM instance has its own IP address to access the public network and run application services.

Image
An image is an image template used by a VM instance or volume. Image templates include system volume images and data volume images.

Volume
A volume can be either a data disk or a root disk. A volume provides additional storage space for VM instances. A shared volume can be attached to one or more VM instances.

Instance Offering
An instance offering defines the CPU quantity, memory, and network settings for starting a VM instance.

Disk Offering
A disk offering defines the size of the volumes used by a VM instance.

L2 Network
An L2 network is a layer 2 broadcast domain used for layer 2 isolation. Generally, L2 networks are identified by the names of devices on the physical network.

L3 Network
An L3 network is a collection of network configurations for VM instances, including the IP address range, gateway, and DNS.

Public Network
A public network is generally allocated a public IP address by a Network Information Center (NIC) and can be connected to IP addresses on the Internet.

Private Network
A private network is an internal network that can be connected to and accessed by VM instances.


L2NoVlanNetwork
L2NoVlanNetwork is a network type for creating an L2 network. If L2NoVlanNetwork is selected, VLAN settings are not used for host connection.

L2VlanNetwork
L2VlanNetwork is a network type for creating an L2 network. If L2VlanNetwork is selected, VLAN settings are used for host connection and need to be configured on the corresponding switches in advance.

VXLAN Pool
A VXLAN pool is an underlay network in VXLAN. You can create multiple VXLAN overlay networks (VXLAN) in a VXLAN pool. The overlay networks can operate on the same underlay network device.

VXLAN
A VXLAN network is an L2 network encapsulated by using the VXLAN protocol. A VXLAN network belongs to a VXLAN pool. Different VXLAN networks are isolated from each other at the L2 network level.

vRouter
A vRouter is a custom Linux VM instance that provides various network services.

Security Group
A security group provides L3 network firewall control over VM instances. It can be used to set different security rules to filter IP addresses, network packet types, and the traffic flow of network packets.

EIP
An elastic IP (EIP) address is a method to access a private network through a public network.

Snapshot
A snapshot is a data state file of a disk duplicated at a particular point in time. A snapshot can be either an automatic snapshot or a manual snapshot.