Connection to Windows domain
Application
With the Connection to Windows domain function, you can connect the data of a domain controller with the control's user administration.
Ask your IT administrator to configure the connection to the Windows domain.
Related topics
- Configuring an LDAP database on a control
- Using an LDAP database on multiple controls
Requirements
- User administration is active
- useradmin user is logged on
- Windows domain controller present in the network
- Domain controller accessible in the network
- Organizational unit for HEROS roles known
- Function user is defined in the organization
- User name and password of the function user are known
Description of function
Your IT administrator sets up a function user for connecting to the Windows domain.
Buttons
The Connection to Windows domain area provides the following buttons:
| Button | Meaning |
|---|---|
| Configuration | The control opens the Configure Windows domain with function user window. |
| Find domain | The control selects a Windows domain. |
| Export the Windows config. | Once you have connected the control to the Windows domain, you can export the configurations for other controls. |
| Import the Windows config. | Using a present configuration, you can connect the control easily and quickly to the Windows domain. |
| Check missing role definitions | The control checks whether all of the required roles have been created in the Windows domain. |
| Add role definition | If any roles required in the Windows domain are missing, you can add the missing roles. |
The Configure Windows domain with function user window
After the domain search, you can customize the Windows domain information or specify new information in the Configure Windows domain with function user window.
Your IT administrator will provide the required information.
The Configure Windows domain with function user window provides the following settings:
| Setting | Meaning |
|---|---|
| Domain name: | Server name of the Windows domain. Is populated by domain search. |
| Key Distribution Center (KDC): | KDC address. Is populated by domain search. |
| Alternative admin server: | Deviating server name where the passwords are managed. |
| Map SIDs to Unix UIDs | Map the Windows user SIDs (Security IDs) in Active Directory to the matching Unix UIDs on the control. |
| Use LDAPs | Transfer data using secure LDAPs. LDAPs encrypts user data and passwords. You can select a certificate or disable certificate validation. |
| Group for login authorization: | Define a special group of Windows users to whom you want to restrict the connection to this control. |
| Organizational unit for HEROS roles: | Modify the organizational unit in which the HEROS role names are stored. Specify the configuration of your domain. |
| Prefix for HEROS role names: | Change the prefix in order to manage users from different workshops, for example. Each prefix given to a HEROS role name can be changed (e.g., HEROS hall 1 and HEROS hall 2). Is populated by domain search. |
| Separator for HEROS role names: | Modify the separator within the HEROS role names. |
| Function user: | User name and password of the Active Directory function user. |
| Organizational unit for function user: | Organizational unit of the function user. |
| Advanced configuration of domain section | Only for IT administrators. |
The function user's user name must not contain blanks. The name and organizational unit form the complete path (Distinguished Name, DN) in the Active Directory.
Groups of the domain
If not all of the required roles have been created in the domain as groups, the control issues a warning.
If the control issues a warning, proceed in one of the two following ways:
- Use the Add role definition function to enter a role directly in the domain
- Use the Export role definition function to export the roles to an *.ldif file
There are the following ways to create groups corresponding to the different roles:
- Automatically when entering the Windows domain by specifying a user with administrator rights
- By importing an import file in .ldif format to the Windows server
The Windows administrator must add the users manually to the roles (security groups) on the domain controller.
Two suggestions describing how the Windows administrator can structure the groups are given below.
Example 1
The user is a direct or indirect member of the respective group:
Example 2
Users from various sectors (workshops) are members of groups with different prefixes:
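As an added example (not Heidenhain's or the control's own code), the following Python models the rules stated in the settings table and in this section: the function user's DN is formed from its name and organizational unit with no blanks permitted, role group names are composed from prefix and separator, missing roles are reported the way Check missing role definitions does, and the missing ones are written out as *.ldif entries the Windows administrator can import. The role names, OU values and the default prefix and separator are constructed assumptions, not values from the control.

```python
from dataclasses import dataclass

# Constructed role names standing in for the HEROS roles the control expects as
# security groups; the real role list comes from the control itself.
REQUIRED_ROLES = ("Operator", "Programmer", "Setup", "Admin")


@dataclass
class DomainConfig:
    function_user: str       # user name of the function user (blanks not allowed)
    function_user_ou: str    # OU of the function user, e.g. "OU=Service,DC=example,DC=local"
    roles_ou: str            # organizational unit in which the HEROS role groups live
    prefix: str = "HEROS"    # prefix for HEROS role names (assumed default)
    separator: str = "."     # separator within HEROS role names (assumed default)


def function_user_dn(cfg: DomainConfig) -> str:
    """Build the function user's Distinguished Name from its name and OU.
    The name must not contain blanks, so reject that before the control
    ever sends a bind request the domain controller cannot resolve."""
    if not cfg.function_user or any(ch.isspace() for ch in cfg.function_user):
        raise ValueError("function user name must not contain blanks")
    return f"CN={cfg.function_user},{cfg.function_user_ou}"


def role_group_name(cfg: DomainConfig, role: str) -> str:
    """Group name the control looks up: <prefix><separator><role>."""
    return f"{cfg.prefix}{cfg.separator}{role}"


def missing_role_definitions(cfg: DomainConfig, existing_groups: set) -> list:
    """Like 'Check missing role definitions': required groups absent from the domain."""
    return [role_group_name(cfg, r) for r in REQUIRED_ROLES
            if role_group_name(cfg, r) not in existing_groups]


def export_role_definitions_ldif(cfg: DomainConfig, groups: list) -> str:
    """Like 'Export role definition': LDIF entries the Windows administrator
    can import to create the missing roles as global security groups."""
    entries = []
    for g in groups:
        entries.append("\n".join([
            f"dn: CN={g},{cfg.roles_ou}",
            "objectClass: top",
            "objectClass: group",
            f"cn: {g}",
            f"sAMAccountName: {g}",
            "groupType: -2147483646",  # 0x80000002 = global security group
        ]))
    return "\n\n".join(entries) + "\n"
```

Running the check with a second DomainConfig whose prefix is "HEROS hall 2" reproduces Example 2: each workshop gets its own set of group names and is checked independently.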
Joining a Windows domain
To join a Windows domain:
- Open the User administration window
- Select Connection to Windows domain
- Select Find domain
- The control selects a domain.
- Select Configuration
- Check the data for Domain name: and Key Distribution Center (KDC):
- Enter Organizational unit for HEROS roles:
- Enter the user name and password of the function user
- Press OK
- Select APPLY
- The control connects to the Windows domain found.
- The control checks whether all of the required roles have been created in the domain as groups.
Exporting and importing a Windows configuration file
If you have connected the control to the Windows domain, you can export the required configurations for other controls.
To export the Windows configuration file:
- Open the User administration window
- Select Connect to Windows domain
- Select Export the Windows config.
- The control opens the Export the Windows domain configuration window.
- Select the directory for the file
- Enter the name for the file
- Select the Export the function user's password? check box, if required
- Select Export
- The control saves the Windows configuration as a BIN file.
To import the Windows configuration file of another control:
- Open the User administration window
- Select Connect to Windows domain
- Select Import the Windows config.
- The control opens the Import the Windows domain configuration window.
- Select the existing configuration file
- Select the Import the function user's password? check box, if required
- Select Import
- The control adopts the configurations for the Windows domain.