Add or edit a directory
Add or edit an LDAP, AD or AD LDS directory
For directory server certificate validation, see Upload a ROOT CA certificate with the full bundle for directory server certificate validation.
To configure Host and Host Aliases fields, see Directory server certificate validation rules and use cases.
1. In the EAA Management Portal navigation menu, select Identity > Directories.
   The Directory cards appear.
2. To edit an existing directory, on the directory card click Configure Directory. Proceed to step 7.
3. To add a new directory, click Add Directory.
   The Create New Directory window appears.
4. Enter a name and description, and select the Directory Type. For more information about supported directory services, see Directories.
5. Click Create Directory and Configure.
   The configuration page appears. Next, edit the directory.
6. Review the Directory name and Directory service fields for accuracy. These fields cannot be modified. If they contain incorrect or incomplete information, add a new directory instead.
7. Depending on whether you use the SSL protocol and whether you validate the directory server certificate, select one of these choices:
   a. Use SSL protocol with directory certificate validation (recommended).
      - Host with ldaps (default). Enter the fully qualified domain name (FQDN) or IP address of your native directory. By default, the port is 636, as per the standard. See Directory server certificate validation rules and use cases.
      - Verify Origin Server Certificate (on by default). Verifies the authenticity of the directory service provider using the origin server's certificate. Also provide these two fields:
        - Host Aliases (optional). If you use multiple domain controllers, or if the Host field contains an IP address, provide the Subject Alternative Name (SAN) or Common Name (CN) from your server certificate. This value is used to validate the server-side certificate. For more information, see Directory server certificate validation rules and use cases.
        - ROOT CA Certificate (mandatory). Select the certificate issued by the certificate authority (CA), with the full bundle, that you uploaded into EAA. For more information, see Upload a ROOT CA certificate for origin server validation.
   b. Use SSL protocol without directory certificate validation. The connection uses the SSL protocol, but the origin directory server is not validated because Verify Origin Server Certificate is disabled.
      - Host with ldaps. Enter the FQDN or IP address of your native directory. By default, the port is 636, as per the standard.
   c. Use neither SSL protocol nor directory certificate validation.
      - Host with ldap. Enter the FQDN or IP address of your native directory. By default, the port is 389, as per the standard.
   With firewalls, allow the ports so that Enterprise Application Access can communicate with the LDAP or LDAPS FQDN and port for authentication and for password change or reset operations.
8. Configure the remaining settings:
   - Fill in one of the following in the domain field:
     - AD domain. Enter the domain where your directory is located.
     - LDAP domain. Enter the LDAP domain where your directory is located.
   - Admin Account. Enter an administrator account that EAA can use to connect to this directory. The account needs read-only access or higher. For example, use the format NetBiosDOMAIN\administrator. For a Microsoft Windows AD integration, enter the Distinguished Name from Microsoft Windows AD.
   - Admin Password. Enter the password for the Admin account.
   - Login Preference. Select the identifier for the user's principal in the directory. This is the input the user provides when accessing an application through the Enterprise Application Access Login Portal. For an AD directory type, choose one of: email, SAM account name, user principal name (UPN), or Domain/SAM account name. For an LDAP directory type, choose one of: email or UID. For an AD LDS directory type, choose one of: email, UID, or user principal name.
9. Click Add/Remove Connector.
   The list of connectors appears.
10. Select the connectors to associate with the directory. The connectors should be in Ready status.
11. Scroll to the bottom of the list and click Done.
    The list of connectors closes.
12. Click Save Directory.
    The directories page appears.
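The three choices in step 7 differ in what the connector can verify about the directory it talks to. The following is an added example (Python, written for this page; it is not Akamai code and does not come from the EAA portal) that models each choice as the equivalent LDAP client TLS settings and runs the pre-checks on the Host and Host Aliases fields that are worth doing before enabling Verify Origin Server Certificate. The host names, the IP 10.0.0.5, the certificate dictionary and the bundle path are constructed placeholders, and the RFC 6125-style SAN/CN matching is an assumption; EAA's own rules are on the Directory server certificate validation rules and use cases page.

```python
"""Step 7's three connection choices modelled as an LDAP client's TLS settings,
with pre-checks on the Host and Host Aliases fields. Added illustration, not
Akamai code: EAA's real rules are on the 'Directory server certificate validation
rules and use cases' page; the RFC 6125-style name matching here is an assumption."""
import ipaddress
import ssl
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_PORTS = {"ldaps": 636, "ldap": 389}   # defaults stated on the page

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "*.corp.example"),
                       ("IP Address", "10.0.0.5")),
}

@dataclass
class DirectoryConnection:
    scheme: str          # "ldaps" or "ldap"
    host: str            # FQDN or IP from the Host field
    port: int
    verify_cert: bool    # Verify Origin Server Certificate toggle
    host_aliases: list = field(default_factory=list)  # SAN/CN values (optional)
    root_ca_bundle: Optional[str] = None              # PEM path, placeholder here

def _is_ip(value):
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False

def _split_host_port(value, default_port):
    """Accept 'host', 'host:port', '[v6]:port' or 'ldaps://host:port'."""
    value = value.strip()
    for prefix in ("ldaps://", "ldap://"):
        if value.lower().startswith(prefix):
            value = value[len(prefix):]
    if _is_ip(value):                       # bare IP literal carries no port
        return value.strip("[]"), default_port
    host, sep, port = value.rpartition(":")
    return (host.strip("[]"), int(port)) if sep and port.isdigit() else (value, default_port)

def plan_connection(choice, host_field, host_aliases=(), root_ca_bundle=None):
    """'a': ldaps + validation (recommended); 'b': ldaps, no validation; 'c': plain ldap.
    Raises ValueError for field combinations that cannot validate anything."""
    if choice not in ("a", "b", "c"):
        raise ValueError("choice must be 'a', 'b' or 'c'")
    scheme = "ldap" if choice == "c" else "ldaps"
    host, port = _split_host_port(host_field, DEFAULT_PORTS[scheme])
    verify = choice == "a"
    if verify and root_ca_bundle is None:
        raise ValueError("choice a needs the uploaded ROOT CA certificate bundle")
    if verify and _is_ip(host) and not host_aliases:
        raise ValueError("Host is an IP: add the certificate's SAN/CN as Host Aliases")
    return DirectoryConnection(scheme, host, port, verify, list(host_aliases), root_ca_bundle)

def _dns_match(pattern, name):
    """Case-insensitive; a single leading '*.' matches exactly one label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, n_labels = pattern.split(".")[1:], name.split(".")
        return len(n_labels) == len(p_labels) + 1 and n_labels[1:] == p_labels
    return pattern == name

def certificate_identities(cert):
    """SAN DNS/IP entries; the subject CN only as a fallback when there is no SAN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    return names or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def certificate_matches(cert, conn):
    """True when some identity in the cert matches the Host or any Host Alias."""
    for want in [conn.host] + conn.host_aliases:
        for ident in certificate_identities(cert):
            if _is_ip(want):
                if _is_ip(ident) and ipaddress.ip_address(ident) == ipaddress.ip_address(want):
                    return True
            elif _dns_match(ident, want):
                return True
    return False

def tls_context(conn):
    """Client TLS settings equivalent to each choice; None means plaintext LDAP (choice c)."""
    if conn.scheme == "ldap":
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and check_hostname on
    if conn.verify_cert:
        ctx.load_verify_locations(cafile=conn.root_ca_bundle)  # trust only the uploaded bundle
    else:
        ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
        ctx.verify_mode = ssl.CERT_NONE   # choice b: encrypted, but the server is not authenticated
    return ctx

if __name__ == "__main__":
    for choice, host, aliases in (("a", "dc01.corp.example", ()), ("a", "10.0.0.5", ("dc01.corp.example",)),
                                  ("b", "10.0.0.5", ()), ("c", "dc01.corp.example:3268", ())):
        conn = plan_connection(choice, host, aliases, "/path/to/root-ca-bundle.pem")
        print(choice, f"{conn.scheme}://{conn.host}:{conn.port}", "validates" if conn.verify_cert else "no validation",
              "name ok" if certificate_matches(SAMPLE_DC_CERT, conn) else "name mismatch")
```

Only choice a lets the connector confirm it reached the genuine directory: the chain is checked against the uploaded bundle and the name is checked against the Host or a Host Alias. Choice b encrypts the session but, as `tls_context` shows with `CERT_NONE`, accepts any certificate, and choice c sends credentials over plaintext LDAP. The `certificate_matches` check is also why an IP address in the Host field needs a Host Alias: a server certificate normally carries DNS names, so there is nothing for a bare IP to match.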
Add users and invite them to the cloud directory
Add and invite, or invite again, users to the EAA service.
Add users to Enterprise Application Access by inviting them to the Cloud Directory. They receive an email with a link to activate their account. If a user is unable to activate their account, the email link may have expired. If you suspect the link has expired, invite the user again.
1. In the EAA Management Portal navigation menu, select Identity > Directories.
   The Directory cards appear.
2. On the directory card, click Users.
   The User information appears.
3. Click Upload Bulk Users, Create User, or Invite User.
4. Complete the user details fields: Email, First name, and Last name.
5. Click Invite User.
   New users receive an email to create a password and complete their account authorization.
You can create more groups and add users to various groups for role-based authorization.
Add or remove users from the Cloud Directory admins group
Manage the Cloud Directory Admins group. If a user is unable to log in to the Akamai EAA, complete this procedure to make sure that the user is part of the Cloud Directory admin group.
1. In the EAA Management Portal navigation menu, select Identity > Directories.
   The Directory cards appear.
2. On the Cloud Directory card, click Groups.
   The Cloud Directory groups page appears.
3. Navigate to the Admins group and click Group Membership.
   The user membership page for the group appears.
4. To add a user to the group, either click Add user(s), or type the user's name in the search field, press Enter, and then click Add user(s).
5. To remove a user from the group, navigate to the user and click Delete.
6. Return to the Cloud Directory card and click Sync.
Overlay groups
To add users to different groups in Active Directory (AD) or a Lightweight Directory Access Protocol (LDAP) directory, you can either create a new group in AD or LDAP or create an overlay group. For user groups that are already imported, you can add users to the overlay group and grant them permissions through it. Overlay groups can be thought of as a shortcut to creating a group in AD or LDAP. Each overlay group is limited to one EAA directory.
Create an overlay group
1. In the EAA Management Portal navigation menu, select Identity > Directories.
   The Directory cards appear.
2. On the directory card, click Groups.
   The Groups page opens.
3. Click Add overlay group.
4. Enter the Overlay Group name.
5. Click Save group.
Next, add users to the overlay group.
Add users to an overlay group
1. In the EAA Management Portal navigation menu, select Identity > Directories.
   The Directory cards appear.
2. Select the directory to modify. On the directory card, click Groups.
   The Groups page opens.
3. Identify the overlay group to edit. Click Group Membership.
4. Click Add User(s).
5. In the search users field, enter the user names to add to the Overlay Group.
6. Click Save and add users.