The general sequence of operation of the AD/LDAP module is as follows:
A user completes authorization in the Bitrix Framework by typing the login and password they use to authorize in the corporate network;
The system connects to the server specified in the AD/LDAP module settings and verifies whether a user with the supplied credentials exists in the corporate server database:
if a user with the supplied credentials (a member of one or more groups registered in the Assignment Table) is not found, e.g. because the user has been deleted from the corporate network user list, their authorization in the Bitrix Framework fails. At the same time, the user profile is still stored in the Bitrix Framework database.
To allow such a user to authorize in the Bitrix24 products via the common interface, enable the internal authorization check: in the Control panel, set the Authorization type for the user to "internal check" and then update the user credentials (login and password).
if the user is found, the system determines the corporate network user group for this user and matches it with a Bitrix Framework user group (via the Assignment Table).
If the AD tree has N domains (for example, matching company departments OD1, OD2, …) and these domains contain groups with identical names, the Assignment Table lists such groups N times, once for each domain. To avoid confusion, change the Group Name Attribute in the AD/LDAP server settings on the Field Mapping tab. A good choice is DistinguishedName (DN): the system then shows group DNs instead of group names.
Next, the system checks the user profile in the system:
if the user profile is not found, the system obtains the user data from the corporate server and creates a new profile;
if the user profile exists in Bitrix Framework (which means the user has previously been authorized), the system checks whether any changes were made to the user profile on the corporate server. If so, the Bitrix Framework user profile is updated to reflect the changes.
When the login of a user imported from AD matches the login of a user previously created in Bitrix Framework, such a user is created in the system in addition to the existing one. The two logins match, but the new profile is associated specifically with AD.
In this case (login match), when authorizing, the system first attempts to authorize the user via AD (using the login and password associated with AD) and only if that attempt fails (authorization error) attempts to authorize the internal user (the login and password created manually in the system).
The user is granted permission to access the Bitrix Framework resources and becomes authorized. The user permissions are defined according to their Bitrix Framework user group settings.
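The sequence above, modelled as an added Python illustration that is not Bitrix code: the directory, Assignment Table and local profiles are constructed sample data, and the Assignment Table is keyed by group DN, as recommended for trees with several domains.

```python
# Constructed stand-in for the corporate directory: login -> (password, member-of group DNs)
DIRECTORY = {
    "jsmith": ("Corp-Pass-1", ["CN=Sales,OU=OD1,DC=corp,DC=example"]),
    "akim": ("Corp-Pass-2", ["CN=Sales,OU=OD2,DC=corp,DC=example"]),
    "guest": ("Corp-Pass-3", ["CN=Guests,OU=OD1,DC=corp,DC=example"]),
}
# Assignment Table keyed by group DN, so the two "Sales" groups in OD1 and OD2 stay distinct
ASSIGNMENT = {
    "CN=Sales,OU=OD1,DC=corp,DC=example": "sales_od1",
    "CN=Sales,OU=OD2,DC=corp,DC=example": "sales_od2",
}
# Local Bitrix profiles; "external" marks a profile associated with AD (it has no local password)
PROFILES = [
    {"login": "jsmith", "external": True, "groups": ["sales_od1"]},
    {"login": "akim", "external": False, "password": "Local-Pass", "groups": ["editors"]},
]

def find_profile(login, external):
    """An AD-associated profile and a manually created one may share a login."""
    return next((p for p in PROFILES if p["login"] == login and p["external"] == external), None)

def ad_bind(login, password):
    """Step 2: check the credentials against the directory; return group DNs or None."""
    entry = DIRECTORY.get(login)
    return entry[1] if entry and entry[0] == password else None

def authenticate(login, password):
    """Return (outcome, bitrix_groups) for one authorization attempt."""
    group_dns = ad_bind(login, password)
    if group_dns is None:
        # AD attempt failed (wrong password or user removed from AD): only now
        # fall back to an internal user created manually in the system
        local = find_profile(login, external=False)
        if local and local.get("password") == password:
            return "internal", local["groups"]
        return "denied", []
    groups = sorted({ASSIGNMENT[dn] for dn in group_dns if dn in ASSIGNMENT})
    if not groups:
        return "denied", []  # not a member of any group listed in the Assignment Table
    # Step 3: look up the AD-associated profile; create it or sync changes from AD
    prof = find_profile(login, external=True)
    if prof is None:
        PROFILES.append({"login": login, "external": True, "groups": groups})
        return "created", groups
    if prof["groups"] != groups:
        prof["groups"] = groups  # profile updated to reflect the corporate-side change
        return "updated", groups
    return "ok", groups
```

A user removed from the directory is denied while their external profile remains in PROFILES, which is the state the internal authorization check is meant to resolve.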