Views: 11829
Last Modified: 18.06.2015

A common AD/LDAP module operation is as follows.

  1. A user opens the site and authorises. This implies typing the login and password used to authorise in the corporate network.
  2. The system connects to the server specified in the AD/LDAP module settings and verifies whether a user with the supplied credentials exist in the corporate server database:
    • if no user with the supplied credentials exists in the corporate network, the system searches for this user in the Bitrix Site Manager database. If the user still cannot be found, the system declines authorization;
    • if the user is found, the system determines the corporate network user group for this user. After that, the system searches for the site user group using the Assignment Table.
  3. The system verifies whether the user profile exists:
    • if the user profile is not found, the system attempts to obtain the user data from the corporate server and then creates a new profile;
    • if the user profile exists (which means a user had previously been authorised), the system checks whether any change has been made to the user profile on the corporate server. If so, the Bitrix user profile becomes updated to reflect changes.
  4. The user is granted permission to access the site resources and becomes authorised. The user permissions are defines as per his user group settings.
Note: a site user who is a member of any group registered in the Assignment Table may be deleted from the corporate network user list. In this case, if a user attempts to authorise on the site, the authorisation attempt will fail. At the same time, the user profile is still stored in the Bitrix database.

To allow a user authorise on the site via the common interface, enable the internal authorisation check. To do so, set the value of Authorisation type to "internal check" and then update the user credentials (login and password).

Note that if an AD tree has N domains (e.g. OD1, OD2… each for an individual department) and these domains have groups with duplicate names, the Assignment Table will display all of the groups effectively showing duplicate names N times. To avoid confusion, change the Group identifier attribute in the AD/LDAP server settings to something you can change without affecting the whole set-up, for example DistinguishedName (DN). As a result, the distinguished names will be shown instead of the group names.

Courses developed by «Bitrix», Inc.