Connection to Windows domain
Application
With the Connection to Windows domain function, you can link the user data held by a domain controller to the control's user administration.
Ask your IT administrator to configure the connection to the Windows domain.
Related topics
- Configuring an LDAP database on a control
- Using an LDAP database on multiple controls
Requirements
- User administration is active
- useradmin user is logged on
- Windows domain controller present in the network
- Domain controller accessible in the network
- Organizational unit for HEROS roles known
- For logon with computer account:
- You have access to the password of the domain controller
- You have access to the user interface of the domain controller or you are supported by an IT administrator
- For logon with function user:
- User name of the function user
- Password of the function user
Description of function
The control provides the following options to join a Windows domain:
- Create a separate account for the control
- By means of a function user
Your IT administrator can set up a function user to facilitate connectivity to the Windows domain.
Click the Configuration button to open the Configure Windows domain window.
The Configure Windows domain window
After the domain search, you can customize the Windows domain information or specify new information in the Configure Windows domain window.
Your IT administrator will provide the required information.
The Configure Windows domain window contains the following settings:
Setting | Meaning |
---|---|
Domain name: | Server name of the Windows domain. Populated by the domain search. |
Key Distribution Center (KDC): | KDC address. Populated by the domain search. |
Alternative admin server: | Deviating server name on which the passwords are managed |
Map SIDs to Unix UIDs | Map the Windows user SIDs (Security IDs) in Active Directory to the matching Unix UIDs on the control |
Use LDAPs | Transfer data using secure LDAPs. LDAPs encrypts user data and passwords. You can select a certificate or disable certificate validation. With validation disabled the connection is still encrypted, but the control no longer verifies that it is talking to the genuine domain controller. |
Group for login authorization: | Define a special group of Windows users to whom you want to restrict the connection to this control |
Organizational unit for HEROS roles: | Modify the organizational unit in which the HEROS role names are stored. Specify it according to the configuration of your domain. |
Prefix for HEROS role names: | Change the prefix, for example in order to manage users from different workshops. Each prefix given to a HEROS role name can be changed (e.g., HEROS hall 1 and HEROS hall 2). Populated by the domain search. |
Separator for HEROS role names: | Modify the separator within the HEROS role names |
Advanced configuration of domain section | Only for IT administrators |
If you enable the Active Directory with function user check box, the window contains the following additional settings:
Setting | Meaning |
---|---|
Function user: | Enter the user name and password of the Active Directory function user |
Organizational unit for function user: | Specify the organizational unit of the function user |
The function user's user name must not contain blanks. The name and organizational unit form the complete path (Distinguished Name, DN) in the Active Directory.
Groups of the domain
If not all of the required roles have been created in the domain as groups, the control issues a warning.
If the control issues a warning, proceed in one of the following two ways:
- Use the Add role definition function to enter a role directly in the domain
- Use the Export role definition function to export the roles to an *.ldif file
There are the following ways to create groups corresponding to the different roles:
- Automatically when entering the Windows domain by specifying a user with administrator rights
- By importing an import file in .ldif format to the Windows server
The Windows administrator must add the users manually to the roles (security groups) on the domain controller.
Two suggestions describing how the groups can be structured by the Windows administrator are given below.
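The following is an added example, not HEIDENHAIN or HEROS code, illustrating two points from this page: how the function user's name and organizational unit combine into a Distinguished Name (including the rule that the name must not contain blanks), and what an *.ldif import file that creates one security group per role looks like, built from the Organizational unit, Prefix and Separator settings. It assumes that a group name is prefix + separator + role; the role names, OU and domain components are constructed placeholders, not the control's real role list.

```python
"""Added example, not HEIDENHAIN/HEROS code: build the function user's DN and
generate the *.ldif import file that creates one Active Directory security
group per HEROS role.

Assumptions (not stated on the page):
  - a group name is <prefix><separator><role>
  - the role names in ROLES below are placeholders, not the control's role list
  - the OU and domain components are constructed sample values
"""

# RFC 4514 special characters that must be backslash-escaped inside a DN value
_DN_SPECIAL = set(',+"\\<>;')
# Characters Active Directory does not accept in a sAMAccountName
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')

# groupType 0x80000002: global group with the SECURITY_ENABLED bit set
GLOBAL_SECURITY_GROUP = -2147483646


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")          # leading and trailing spaces
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading '#'
        else:
            out.append(ch)
    return "".join(out)


def is_valid_function_user_name(name: str) -> bool:
    """The page requires a function user name without blanks."""
    return bool(name) and not any(c.isspace() for c in name)


def function_user_dn(user_name: str, ou_dn: str) -> str:
    """CN=<function user>,<OU of the function user>: the full path in the AD."""
    if not is_valid_function_user_name(user_name):
        raise ValueError("function user name must not contain blanks")
    return f"CN={escape_rdn_value(user_name)},{ou_dn}"


def role_group_name(prefix: str, separator: str, role: str) -> str:
    """Assumed naming scheme: prefix, separator, role (e.g. 'HEROS hall 1.Operator')."""
    name = f"{prefix}{separator}{role}"
    bad = _SAM_FORBIDDEN.intersection(name)
    if bad:
        raise ValueError(f"{name!r}: not allowed in a sAMAccountName: {sorted(bad)}")
    return name


def role_groups_ldif(roles, ou_dn: str, prefix: str = "HEROS", separator: str = ".") -> str:
    """LDIF text that adds one global security group per role below ou_dn."""
    entries = []
    for role in roles:
        name = role_group_name(prefix, separator, role)
        entries.append("\n".join([
            f"dn: CN={escape_rdn_value(name)},{ou_dn}",
            "changetype: add",
            "objectClass: top",
            "objectClass: group",
            f"cn: {name}",
            f"sAMAccountName: {name}",
            f"groupType: {GLOBAL_SECURITY_GROUP}",
        ]))
    return "\n\n".join(entries) + "\n"


def workshop_groups_ldif(roles, ou_dn: str, prefixes, separator: str = ".") -> str:
    """Example 2 of the page: the same roles once per workshop prefix."""
    return "".join(role_groups_ldif(roles, ou_dn, p, separator) + "\n" for p in prefixes)


if __name__ == "__main__":
    # constructed sample values, not taken from a real domain
    ROLES = ["Operator", "Programmer", "Maintenance"]       # placeholder role names
    OU = "OU=HEROS roles,DC=example,DC=local"
    print(workshop_groups_ldif(ROLES, OU, ["HEROS hall 1", "HEROS hall 2"]))
    print(function_user_dn("tncfunc", "OU=Service accounts,DC=example,DC=local"))
```

The generated file contains only the groups; as the page states, the Windows administrator still adds the users to these security groups by hand. A separator such as "," would produce names that AD rejects in a sAMAccountName, which is why role_group_name checks the combined name before it is written.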
Example 1
The user is a direct or indirect member of the respective group:
Example 2
Users from various sectors (workshops) are members of groups with different prefixes:
Joining a Windows domain with a computer account
To join a Windows domain with a computer account:
- Open the User administration window
- Select Connection to Windows domain
- Select the Join Active Directory domain (with computer account) check box
- Select Find domain
- The control selects a domain.
- Select Configuration
- Check the data for Domain name: and Key Distribution Center (KDC):
- Enter Organizational unit for HEROS roles:
- Select OK
- Select APPLY
- The control opens the Connect to domain window.
- Tip: The Organizational unit for computer account: function allows you to specify in which of the already existing organizational units the computer account is created, such as
  - ou=controls
  - cn=computers
  The values you enter must match the conditions of the domain. The terms are not exchangeable: cn= denotes a container and ou= an organizational unit, so use the one that matches the object in your domain.
- Enter the user name of the domain controller
- Enter the password of the domain controller
- Confirm your input
- The control connects to the Windows domain found.
- The control checks whether all of the required roles have been created in the domain as groups.
- Add groups, if necessary
Joining a Windows domain with a function user
To join a Windows domain with a function user:
- Open the User administration window
- Select Connection to Windows domain
- Select the Active Directory with function user check box
- Select Find domain
- The control selects a domain.
- Select Configuration
- Check the data for Domain name: and Key Distribution Center (KDC):
- Enter Organizational unit for HEROS roles:
- Enter the user name and password of the function user
- Press OK
- Select APPLY
- The control connects to the Windows domain found.
- The control checks whether all of the required roles have been created in the domain as groups.
Exporting and importing a Windows configuration file
If you have connected the control to the Windows domain, you can export the required configurations for other controls.
To export the Windows configuration file:
- Open the User administration window
- Select Connect to Windows domain
- Select Export the Windows config.
- The control opens the Export the Windows domain configuration window.
- Select the directory for the file
- Enter the name for the file
- Select the Export the function user's password? check box, if required
- Select Export
- The control saves the Windows configuration as a BIN file. If you exported the function user's password, this file contains a credential and must be protected accordingly.
To import the Windows configuration file of another control:
- Open the User administration window
- Select Connect to Windows domain
- Select Import the Windows config.
- The control opens the Import the Windows domain configuration window.
- Select the existing configuration file
- Select the Import the function user's password? check box, if required
- Select Import
- The control adopts the configurations for the Windows domain.