The AD/LDAP module has been developed with respect to LDAP (Lightweight Directory Access Protocol) and AD (Active Directory) standards.
The AD/LDAP module is built on the concept of storing data as records, each containing a set of attributes, in a hierarchical database. The following figure illustrates how user group information is stored on the LDAP/AD server:
Using this structure to store user data enables the AD/LDAP module to assign corporate user groups to the site user groups.
The assignment rules are specified in a special Assignment Table in the site administrative section. The assignment allows a site user group and the corresponding corporate network user group to have different names. For example, the corporate network user group Techsupport can be mapped to the site user group Techsupport stuff. With this assignment in place, the administrator enables the corporate network Techsupport members to provide consultancy on the site.
The corporate user groups are given permissions to access the corporate network resources. The site user groups have permissions to access the site resources. For example, the Techsupport group users can access the corporate mail server; while the Techsupport stuff group users can access the Helpdesk module of the site.
According to this example, a Techsupport corporate user will be automatically added to the site user group Techsupport stuff upon successful authorization on the site. The system then automatically creates the site user account from the data stored on the corporate server.
A user can be assigned to one or more user groups. The site may also contain user groups that are not mapped to any corporate network group; the administrator has to add users to such groups manually. All changes made to the user profile on the corporate server are automatically transferred to the CMS user profile at the next authorization. In this case, only the user groups mapped to corporate network groups are updated.
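The following added example (not Bitrix code) shows the Assignment Table semantics just described: the Assignment Table, the directory entry and the group names are constructed samples, and mapped site groups are recomputed from the user's corporate memberships while groups the administrator assigned manually are left untouched.

```python
from typing import Dict, Iterable, Set

# Assignment Table (constructed sample): corporate group DN -> site user group.
# In the real module the administrator maintains this in the admin section.
ASSIGNMENT_TABLE: Dict[str, str] = {
    "CN=Techsupport,OU=Groups,DC=example,DC=com": "Techsupport stuff",
    "CN=Sales,OU=Groups,DC=example,DC=com": "Sales",
}

# Constructed directory entry as a search might return it: the multi-valued
# memberOf attribute lists the groups the user belongs to on the corporate server.
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "memberOf": [
        "cn=techsupport,ou=groups,dc=example,dc=com",   # case differs from the table
        "CN=Printers,OU=Groups,DC=example,DC=com",      # not in the Assignment Table
    ],
}


def corporate_groups(entry: dict) -> Set[str]:
    """Return the user's corporate group DNs, normalised for comparison.
    Simplification: DNs are compared by lower-casing only; a full implementation
    would normalise per RFC 4514 (whitespace, escaping, attribute ordering)."""
    return {dn.lower() for dn in entry.get("memberOf", [])}


def sync_site_groups(current: Iterable[str], entry: dict,
                     table: Dict[str, str] = ASSIGNMENT_TABLE) -> Set[str]:
    """Site groups the user should hold after a successful corporate logon.
    Mapped site groups are recomputed from the directory (stale ones are revoked);
    every other site group, i.e. one assigned manually by the administrator, is
    left exactly as it was."""
    mapped = set(table.values())
    member_of = corporate_groups(entry)
    from_directory = {site for dn, site in table.items() if dn.lower() in member_of}
    manual = set(current) - mapped
    return manual | from_directory


if __name__ == "__main__":
    # Existing profile: manual "Editors" plus a stale mapped "Sales" membership.
    print(sorted(sync_site_groups({"Editors", "Sales"}, SAMPLE_ENTRY)))
    # -> ['Editors', 'Techsupport stuff']
```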
The AD/LDAP module allows you to:
- integrate Bitrix Site Manager in the corporate network;
- map the corporate network user groups to the site user groups;
- automatically create a user profile as per the Assignment Table upon successful registration (the system creates the profile using data requested from the corporate server database);
- centrally manage user profiles via the corporate server.
The AD/LDAP module supports NTLM authentication. To use this option, you will need an IIS web server, or Apache with mod_ntlm or mod_auth_sspi installed.